
TDSS Rootkit Issue


  • This topic is locked
15 replies to this topic

#1 rycool20

rycool20

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 10 December 2010 - 10:29 AM

I have been struggling to remove the remnants of a TDSS Rootkit infection. Someone tried to help me in the "Am I infected?" forum and they referred me here. In that process, I have already used Malwarebytes, TDSS Rootkit Removal Tool, Norman Malware Cleaner, ESET Online Anti-Virus, and Kaspersky Virus Removal Tool.

Please see this thread for everything that has been tried so far: http://www.bleepingcomputer.com/forums/topic365699.html

Here is my DDS log, I'd appreciate any help:


DDS (Ver_10-12-05.01) - NTFSx86
Run by rmurphy at 9:39:09.97 on Fri 12/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1005 [GMT -5:00]

AV: AVG Internet Security Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {778F2BE5-86B9-4382-A259-B6D4C9A113AD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Kaseya\Agent\KasAVSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\UCClientManager\UCClientManager.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\rmurphy\Desktop\dds.scr
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = https://mfin.ez-data.com/index.htm
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SODMTimer] c:\program files\e-z data\sodm\SODMTimer.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KASHENKTCH99356337530189] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRunOnce: [InstallShieldSetup] c:\progra~1\instal~1\{6d382~1\setup.exe -rebootc:\progra~1\instal~1\{6d382~1\reboot.ini -l0x9
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ucclie~1.lnk - c:\windows\installer\{3ccd1bbb-ed2b-4734-8426-f19a8a334503}\IconAB46368E.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Dial - c:\program files\ucclientmanager\ieext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ez-data.com
Trusted Zone: ez-data.com/
Trusted Zone: ezdata.com
Trusted Zone: pacificlife.com\ppt
Trusted Zone: smartofficeonline.com
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://www.conference.mfin.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} - hxxps://mfin.ez-data.com/downloads/SOConfig6.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236692482953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://mfin.ez-data.com/crystal/iis/v10/viewer/csp/ActiveXControls/ActiveXViewer.cab
DPF: {C8BF1F77-0A43-4AEC-A0AC-BEEE472B65C6} - hxxp://www.ez-data.com/SmartAnalyser.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://allstate.webex.com/client/T26L10NSP49EP12/webex/ieatgpc.cab
DPF: {FE83F482-F5B1-4355-85A9-BF017ADCF26B} - hxxps://mfin.ez-data.com/downloads/EZDialer.cab
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rmurphy\applic~1\mozilla\firefox\profiles\3n7rzd2m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\rmurphy\applic~1\mozilla\firefox\profiles\3n7rzd2m.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R0 12183492;12183492 Boot Guard Driver;c:\windows\system32\drivers\12183492.sys [2010-12-9 37392]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-2 12552]
R1 12183491;12183491;c:\windows\system32\drivers\12183491.sys [2010-12-9 128016]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-2 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-2 27784]
R1 setup_9.0.0.722_09.12.2010_20-21drv;setup_9.0.0.722_09.12.2010_20-21drv;c:\windows\system32\drivers\1218349.sys [2010-12-9 315408]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-2 297752]
R2 KAENKTCH99356337530189;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-3-16 806912]
R2 KaseyaAVService;Kaseya Security Service;c:\program files\kaseya\agent\KasAVSrv.exe [2009-4-2 221184]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 36608]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-3-16 13824]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xeipnmdm;IP NULL Modem Driver;c:\windows\system32\drivers\xeipnmdm.sys [2009-3-23 12324]

=============== Created Last 30 ================

2010-12-09 19:27:56 37392 ----a-w- c:\windows\system32\drivers\12183492.sys
2010-12-09 19:27:56 315408 ----a-w- c:\windows\system32\drivers\1218349.sys
2010-12-09 19:27:56 128016 ----a-w- c:\windows\system32\drivers\12183491.sys
2010-12-08 21:21:51 -------- d-----w- c:\program files\ESET
2010-12-08 17:07:55 388096 ----a-r- c:\docume~1\rmurphy\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-08 17:07:54 -------- d-----w- c:\program files\Trend Micro
2010-11-30 19:09:23 299008 ----a-w- c:\windows\system32\cdintf.dll
2010-11-30 19:08:41 -------- d-----w- c:\program files\common files\Software FX Shared
2010-11-30 19:08:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\SunGard Insurance Systems
2010-11-30 19:08:38 -------- d-----w- C:\Magnastar
2010-11-15 18:11:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\GoodSync
2010-11-15 18:11:13 -------- d-----w- c:\docume~1\rmurphy\applic~1\GoodSync
2010-11-12 13:26:32 -------- d-----w- c:\program files\Pacific Life
2010-11-12 13:17:25 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}

==================== Find3M ====================

2028-06-08 21:38:06 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-02 19:17:36 15872 ----a-w- c:\program files\common files\JH_Killer.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-60M0A0 rev.02.03E02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89DBF555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89dc57b0]; MOV EAX, [0x89dc582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D71AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x89E301F8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DDB940]
\Driver\atapi[0x89DBC030] -> IRP_MJ_CREATE -> 0x89DBF555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600AAJS-60M0A0___________________02.03E02#5&2359c0f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DBF39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 9:40:48.96 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 17 December 2010 - 09:18 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#3 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 17 December 2010 - 09:32 PM

Here is my reply. I won't be able to attempt any fixes until Monday morning, but thanks for your help.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 17 December 2010 - 09:49 PM

:thumbup2:

Download and Run RKill

Please download RKill by Grinler and save it to your desktop.

Link 1
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Then

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 20 December 2010 - 09:00 AM

Here is my log from Rkill:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/20/2010 at 8:45:32.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 12/20/2010 at 8:45:33.


I cannot run Combofix because AVG is installed, and it will not run while that is installed. I disabled the Resident Shield, but I am unable to uninstall AVG, I get the following error when I try to uninstall it (AVG 8.5 Build 420):

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

#6 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 20 December 2010 - 04:47 PM

Ok, I finally managed to get rid of AVG 8.5 by using an AVG Removal Tool.

This allowed me to run Combofix, here is the log (note that this has not entirely solved the problem, apparently, because my first startup of Firefox to post this opened an unwanted ad window, and I am still getting unwanted redirections from search engines):

ComboFix 10-12-20.01 - rmurphy 12/20/2010 16:25:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1644 [GMT -5:00]
Running from: c:\documents and settings\rmurphy\Desktop\comfix.exe
AV: AVG Internet Security Network Edition *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Outdated* {778F2BE5-86B9-4382-A259-B6D4C9A113AD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\rmurphy\Application Data\completescan
c:\documents and settings\rmurphy\Application Data\install
c:\documents and settings\rmurphy\g2mdlhlpx.exe
c:\documents and settings\rmurphy\System
c:\documents and settings\rmurphy\System\win_qs8.jqx
c:\documents and settings\tlevander\g2mdlhlpx.exe
c:\windows\system32\Ijl11.dll
c:\windows\system32\Oeminfo.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://au.j+|Cv+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cv400-7760-000000000003}
.
((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
.

2010-12-20 15:07 . 2010-12-20 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-12-09 19:27 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\12183492.sys
2010-12-09 19:27 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\1218349.sys
2010-12-09 19:27 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\12183491.sys
2010-12-08 21:21 . 2010-12-08 21:21 -------- d-----w- c:\program files\ESET
2010-12-08 17:07 . 2010-12-08 17:07 388096 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-08 17:07 . 2010-12-08 17:07 -------- d-----w- c:\program files\Trend Micro
2010-12-08 13:29 . 2010-12-08 13:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-30 19:09 . 2002-03-15 17:01 299008 ----a-w- c:\windows\system32\cdintf.dll
2010-11-30 19:08 . 2010-11-30 19:08 -------- d-----w- c:\program files\Common Files\Software FX Shared
2010-11-30 19:08 . 2010-11-30 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SunGard Insurance Systems
2010-11-30 19:08 . 2010-11-30 19:08 -------- d-----w- C:\Magnastar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2028-06-08 21:38 . 2009-12-30 17:17 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2010-11-29 22:42 . 2010-02-03 21:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-02-03 21:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-09 21:33 . 2010-10-21 16:39 57344 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{6040DC20-6CF9-6040-AE10-006F40FE6040}\StartMenu_C9386B61682A4A8A824452D5667BA44A.exe
2010-11-09 21:33 . 2010-10-21 16:39 57344 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{6040DC20-6CF9-6040-AE10-006F40FE6040}\Desktop_65606E1E02F649BFBABF559DDD479E32.exe
2010-11-09 21:33 . 2010-10-21 16:39 57344 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{6040DC20-6CF9-6040-AE10-006F40FE6040}\ARPPRODUCTICON.exe
2010-09-02 19:17 . 2010-09-02 19:17 15872 ----a-w- c:\program files\Common Files\JH_Killer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODMTimer"="c:\program files\E-Z Data\SODM\SODMTimer.exe" [2010-10-29 30048]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-11-15 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1036288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8466432]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="nwiz.exe" [2007-08-27 1626112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2009-3-23 294912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2001-11-19 74308]
UC Client Manager.lnk - c:\windows\Installer\{3ccd1bbb-ed2b-4734-8426-f19a8a334503}\IconAB46368E.exe [2010-2-11 8192]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^rmurphy^Start Menu^Programs^Startup^setup_9.0.0.722_09.12.2010_20-21.lnk]
path=c:\documents and settings\rmurphy\Start Menu\Programs\Startup\setup_9.0.0.722_09.12.2010_20-21.lnk
backup=c:\windows\pss\setup_9.0.0.722_09.12.2010_20-21.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KASHENKTCH99356337530189]
2010-02-25 21:17 319488 ----a-w- c:\program files\Kaseya\Agent\KaUsrTsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-31 22:44 761856 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KaseyaAVService"=2 (0x2)
"KAENKTCH99356337530189"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 12183492;12183492 Boot Guard Driver;c:\windows\system32\drivers\12183492.sys [12/9/2010 2:27 PM 37392]
R1 12183491;12183491;c:\windows\system32\drivers\12183491.sys [12/9/2010 2:27 PM 128016]
R1 setup_9.0.0.722_09.12.2010_20-21drv;setup_9.0.0.722_09.12.2010_20-21drv;c:\windows\system32\drivers\1218349.sys [12/9/2010 2:27 PM 315408]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 3:13 PM 36608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [3/16/2009 1:26 PM 13824]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 xeipnmdm;IP NULL Modem Driver;c:\windows\system32\drivers\xeipnmdm.sys [3/23/2009 8:47 AM 12324]
S4 KAENKTCH99356337530189;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [3/16/2009 1:26 PM 806912]
S4 KaseyaAVService;Kaseya Security Service;c:\program files\Kaseya\Agent\KasAVSrv.exe [4/2/2009 3:16 PM 221184]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-12-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 20:09]

2010-12-20 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-08-26 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mfin.ez-data.com/index.htm
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Dial - c:\program files\UCClientManager\ieext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: ez-data.com
Trusted Zone: ez-data.com/
Trusted Zone: ezdata.com
Trusted Zone: pacificlife.com\ppt
Trusted Zone: smartofficeonline.com
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://www.conference.mfin.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} - hxxps://mfin.ez-data.com/downloads/SOConfig6.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://mfin.ez-data.com/crystal/iis/v10/viewer/csp/ActiveXControls/ActiveXViewer.cab
DPF: {C8BF1F77-0A43-4AEC-A0AC-BEEE472B65C6} - hxxp://www.ez-data.com/SmartAnalyser.cab
DPF: {FE83F482-F5B1-4355-85A9-BF017ADCF26B} - hxxps://mfin.ez-data.com/downloads/EZDialer.cab
FF - ProfilePath - c:\documents and settings\rmurphy\Application Data\Mozilla\Firefox\Profiles\3n7rzd2m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
AddRemove-Nationwide Ascent - c:\documents and settings\All Users\Application Data\{2C28D88F-FC43-47A0-AB6A-5CBFB9F174B3}\Setup.exe
AddRemove-Navigator 10.10 - c:\documents and settings\All Users\Application Data\{E9943464-9DC0-4C81-ACC2-4FA918642A02}\Setup.exe
AddRemove-Navigator 10.11 - c:\documents and settings\All Users\Application Data\{BC34096B-2B9C-4E6C-BDA9-1AD481E120EF}\Setup.exe
AddRemove-Navigator 10.5 - c:\documents and settings\All Users\Application Data\{916C7548-EA2E-45DB-A386-B4ACA2FA508E}\Setup.exe
AddRemove-Navigator 10.6 - c:\documents and settings\All Users\Application Data\{44C94613-62A5-485E-A430-7CB2BCC12BAB}\Setup.exe
AddRemove-Navigator 10.7 - c:\documents and settings\All Users\Application Data\{AEF2EB39-07CC-48F5-B38F-1A9C99DE76C9}\Setup.exe
AddRemove-Navigator 10.8 - c:\documents and settings\All Users\Application Data\{032E8A4B-43E1-43A5-AC90-ED47A5B83820}\Setup.exe
AddRemove-Navigator 10.9 - c:\documents and settings\All Users\Application Data\{2B752ED4-B7DA-4395-9C9E-E9DB049EAEDF}\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 16:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-60M0A0 rev.02.03E02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89DC7555]<<
c:\docume~1\rmurphy\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89dcd7b0]; MOV EAX, [0x89dcd82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DD8AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x89D7DCA0]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DDA940]
\Driver\atapi[0x89D73A08] -> IRP_MJ_CREATE -> 0x89DC7555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600AAJS-60M0A0___________________02.03E02#5&2359c0f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DC739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-20 16:43:12
ComboFix-quarantined-files.txt 2010-12-20 21:43

Pre-Run: 109,966,934,016 bytes free
Post-Run: 110,910,738,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C14003AE4BD8005D72CC15DB495A21E5

Edited by rycool20, 20 December 2010 - 04:53 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 20 December 2010 - 06:33 PM

We'll remove the rootkit with TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Now rerun Combofix, as below

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE
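
As an added triage example, not code from this thread or from the TDSSKiller, ComboFix or Gmer authors: a small Python script that parses the TDSSKiller report, the DDS "uInternet Settings" lines and the Gmer MBR-detector summary in the formats pasted above, flags the loopback proxy that the CFScript resets, builds that DDS:: block, and lists cures still deferred to a reboot so a helper knows to rescan before calling the machine clean. The sample lines are copied from the logs in this thread.

```python
"""Triage helpers for the TDSSKiller, DDS and Gmer MBR-detector logs in this thread."""
import re
from typing import Dict, List

# Sample lines copied from the logs posted in this thread. The script reads
# text only; it does not touch the disk, the MBR or the registry.
TDSSKILLER_LOG = """\
2010/12/21 08:16:48.0374 xeipnmdm (0510b170a12229fbda374547f4b55c26) C:\\WINDOWS\\system32\\DRIVERS\\xeipnmdm.sys
2010/12/21 08:16:48.0389 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/21 08:16:48.0420 Detected object count: 1
2010/12/21 08:17:08.0194 \\HardDisk0 - will be cured after reboot
2010/12/21 08:17:08.0194 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
"""
DDS_LOG = """\
uStart Page = https://mfin.ez-data.com/index.htm
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""
MBR_LOG = """\
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x89DC739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<name>\S+)")
PENDING_RE = re.compile(TS + r"(?P<obj>\S+) - will be cured after reboot")
ACTION_RE = re.compile(TS + r"(?P<name>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+) (?P<routine>\S+) -> (?P<addr>0x[0-9A-Fa-f]+)$")
LOOPBACK = ("127.", "localhost", "[::1]")


def parse_tdsskiller(text: str) -> Dict[str, list]:
    """Pull detections, chosen actions and cures deferred to reboot out of a TDSSKiller report."""
    report: Dict[str, list] = {"detected": [], "pending_reboot": [], "actions": []}
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            report["detected"].append((m["obj"], m["name"]))
            continue
        m = PENDING_RE.match(line)
        if m:
            report["pending_reboot"].append(m["obj"])
            continue
        m = ACTION_RE.match(line)
        if m:
            report["actions"].append((m["obj"], m["name"], m["action"]))
    return report


def cure_pending(report: Dict[str, list]) -> List[str]:
    """Objects whose cure only happens on reboot: rescan after restarting before
    treating them as gone (the topic starter saw one such cure not take)."""
    cured = {obj for obj, _name, action in report["actions"] if action == "Cure"}
    return [obj for obj in report["pending_reboot"] if obj in cured]


def loopback_proxies(dds_text: str) -> List[str]:
    """Proxy endpoints in the DDS log that point back at the local machine.
    A browser proxy on 127.0.0.1 at an odd port, with no proxy software
    installed, means something local is sitting in the browser's traffic."""
    found = []
    for line in dds_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        # Values look like "http=127.0.0.1:5555" or "host:port;https=host:port".
        for entry in m["value"].split(";"):
            endpoint = entry.split("=", 1)[-1].strip()
            host = endpoint.rsplit(":", 1)[0]
            if host.startswith(LOOPBACK):
                found.append(endpoint)
    return found


def build_cfscript(dds_text: str) -> str:
    """The DDS:: block ComboFix reads from CFScript.txt, listing every
    'uInternet Settings' line so the proxy and its override are both reset,
    as the CFScript in this thread does. Empty when there is nothing to fix."""
    if not loopback_proxies(dds_text):
        return ""
    lines = [ln for ln in dds_text.splitlines() if ln.startswith("uInternet Settings,")]
    return "DDS::\n" + "\n".join(lines) + "\n"


def mbr_findings(mbr_text: str) -> Dict[str, object]:
    """Disk-stack hooks and verdict from the Gmer MBR detector. 'user & kernel MBR OK'
    only says the two reads agreed; with atapi's DriverStartIo hooked both reads pass
    through the hook, which is why the warning fires anyway. The hook list decides."""
    lines = mbr_text.splitlines()
    hooks = [(m["driver"], m["routine"], m["addr"]) for m in map(HOOK_RE.match, lines) if m]
    warning = next((ln for ln in lines if ln.startswith("Warning:")), None)
    return {"hooks": hooks, "warning": warning, "mbr_reads_agree": "user & kernel MBR OK" in mbr_text}


def triage(tdss: str, dds: str, mbr: str) -> Dict[str, object]:
    """One summary a helper can read before deciding on the next step."""
    report = parse_tdsskiller(tdss)
    hooks = mbr_findings(mbr)["hooks"]
    proxies = loopback_proxies(dds)
    return {
        "rootkit_names": sorted({name for _obj, name in report["detected"]}),
        "cure_pending_reboot": cure_pending(report),
        "loopback_proxies": proxies,
        "disk_hooks": hooks,
        "still_suspect": bool(hooks or report["detected"] or proxies),
    }


if __name__ == "__main__":
    for key, value in triage(TDSSKILLER_LOG, DDS_LOG, MBR_LOG).items():
        print(f"{key}: {value}")
    print(build_cfscript(DDS_LOG), end="")
```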

#8 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:00 AM

Posted 21 December 2010 - 08:45 AM

Ok, I've followed the instructions and haven't encountered any issues so far *fingers crossed*.
Please note that I ran TDSS Killer in the past and it did not solve the problem, despite promising to cure it on next reboot:
http://www.bleepingcomputer.com/forums/topic365699.html/page__p__2048077#entry2048077

Anyway, here are the logs:

2010/12/21 08:16:27.0850 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/21 08:16:27.0850 ================================================================================
2010/12/21 08:16:27.0850 SystemInfo:
2010/12/21 08:16:27.0850
2010/12/21 08:16:27.0850 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/21 08:16:27.0850 Product type: Workstation
2010/12/21 08:16:27.0850 ComputerName: GFC-HQ-RMURPHY
2010/12/21 08:16:27.0850 UserName: rmurphy
2010/12/21 08:16:27.0850 Windows directory: C:\WINDOWS
2010/12/21 08:16:27.0850 System windows directory: C:\WINDOWS
2010/12/21 08:16:27.0850 Processor architecture: Intel x86
2010/12/21 08:16:27.0850 Number of processors: 2
2010/12/21 08:16:27.0850 Page size: 0x1000
2010/12/21 08:16:27.0850 Boot type: Normal boot
2010/12/21 08:16:27.0850 ================================================================================
2010/12/21 08:16:28.0318 Initialize success
2010/12/21 08:16:38.0463 ================================================================================
2010/12/21 08:16:38.0463 Scan started
2010/12/21 08:16:38.0463 Mode: Manual;
2010/12/21 08:16:38.0463 ================================================================================
2010/12/21 08:16:48.0389 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/21 08:16:48.0389 ================================================================================
2010/12/21 08:16:48.0389 Scan finished
2010/12/21 08:16:48.0389 ================================================================================
2010/12/21 08:16:48.0420 Detected object count: 1
2010/12/21 08:17:08.0194 \HardDisk0 - will be cured after reboot
2010/12/21 08:17:08.0194 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/21 08:17:19.0996 Deinitialize success

:cold: :cold: :cold: :cold: :cold:

ComboFix 10-12-20.01 - rmurphy 12/21/2010 8:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1495 [GMT -5:00]
Running from: c:\documents and settings\rmurphy\Desktop\comfix.exe
Command switches used :: c:\documents and settings\rmurphy\Desktop\CFScript.txt
AV: AVG Internet Security Network Edition *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Client/Server Security Agent Antivirus *Disabled/Outdated* {778F2BE5-86B9-4382-A259-B6D4C9A113AD}
.

((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-21 13:30 . 2010-12-21 13:30 -------- d-----w- c:\windows\LastGood
2010-12-20 15:07 . 2010-12-20 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
2010-12-09 19:27 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\12183492.sys
2010-12-09 19:27 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\1218349.sys
2010-12-09 19:27 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\12183491.sys
2010-12-08 21:21 . 2010-12-08 21:21 -------- d-----w- c:\program files\ESET
2010-12-08 17:07 . 2010-12-08 17:07 388096 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-08 17:07 . 2010-12-08 17:07 -------- d-----w- c:\program files\Trend Micro
2010-12-08 13:29 . 2010-12-08 13:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-30 19:09 . 2002-03-15 17:01 299008 ----a-w- c:\windows\system32\cdintf.dll
2010-11-30 19:08 . 2010-11-30 19:08 -------- d-----w- c:\program files\Common Files\Software FX Shared
2010-11-30 19:08 . 2010-11-30 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SunGard Insurance Systems
2010-11-30 19:08 . 2010-11-30 19:08 -------- d-----w- C:\Magnastar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2028-06-08 21:38 . 2009-12-30 17:17 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2010-11-29 22:42 . 2010-02-03 21:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-02-03 21:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-09 21:33 . 2010-10-21 16:39 57344 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{6040DC20-6CF9-6040-AE10-006F40FE6040}\StartMenu_C9386B61682A4A8A824452D5667BA44A.exe
2010-11-09 21:33 . 2010-10-21 16:39 57344 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{6040DC20-6CF9-6040-AE10-006F40FE6040}\Desktop_65606E1E02F649BFBABF559DDD479E32.exe
2010-11-09 21:33 . 2010-10-21 16:39 57344 ----a-r- c:\documents and settings\rmurphy\Application Data\Microsoft\Installer\{6040DC20-6CF9-6040-AE10-006F40FE6040}\ARPPRODUCTICON.exe
2010-09-02 19:17 . 2010-09-02 19:17 15872 ----a-w- c:\program files\Common Files\JH_Killer.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-12-20_21.40.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-21 13:22 . 2010-12-21 13:22 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
+ 2010-12-21 13:22 . 2010-12-21 13:22 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODMTimer"="c:\program files\E-Z Data\SODM\SODMTimer.exe" [2010-10-29 30048]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-11-15 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1036288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-27 8466432]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="nwiz.exe" [2007-08-27 1626112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2009-3-23 294912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2001-11-19 74308]
UC Client Manager.lnk - c:\windows\Installer\{3ccd1bbb-ed2b-4734-8426-f19a8a334503}\IconAB46368E.exe [2010-2-11 8192]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^rmurphy^Start Menu^Programs^Startup^setup_9.0.0.722_09.12.2010_20-21.lnk]
path=c:\documents and settings\rmurphy\Start Menu\Programs\Startup\setup_9.0.0.722_09.12.2010_20-21.lnk
backup=c:\windows\pss\setup_9.0.0.722_09.12.2010_20-21.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KASHENKTCH99356337530189]
2010-02-25 21:17 319488 ----a-w- c:\program files\Kaseya\Agent\KaUsrTsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-31 22:44 761856 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KaseyaAVService"=2 (0x2)
"KAENKTCH99356337530189"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 12183492;12183492 Boot Guard Driver;c:\windows\system32\drivers\12183492.sys [12/9/2010 2:27 PM 37392]
R1 12183491;12183491;c:\windows\system32\drivers\12183491.sys [12/9/2010 2:27 PM 128016]
R1 setup_9.0.0.722_09.12.2010_20-21drv;setup_9.0.0.722_09.12.2010_20-21drv;c:\windows\system32\drivers\1218349.sys [12/9/2010 2:27 PM 315408]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 3:13 PM 36608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [3/16/2009 1:26 PM 13824]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 xeipnmdm;IP NULL Modem Driver;c:\windows\system32\drivers\xeipnmdm.sys [3/23/2009 8:47 AM 12324]
S4 KAENKTCH99356337530189;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [3/16/2009 1:26 PM 806912]
S4 KaseyaAVService;Kaseya Security Service;c:\program files\Kaseya\Agent\KasAVSrv.exe [4/2/2009 3:16 PM 221184]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-12-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 20:09]

2010-12-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-08-26 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mfin.ez-data.com/index.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Dial - c:\program files\UCClientManager\ieext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: ez-data.com
Trusted Zone: ez-data.com/
Trusted Zone: ezdata.com
Trusted Zone: pacificlife.com\ppt
Trusted Zone: smartofficeonline.com
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://www.conference.mfin.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {1FA44E01-A60B-4449-BF97-66CDAA200433} - hxxps://mfin.ez-data.com/downloads/SOConfig6.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://mfin.ez-data.com/crystal/iis/v10/viewer/csp/ActiveXControls/ActiveXViewer.cab
DPF: {C8BF1F77-0A43-4AEC-A0AC-BEEE472B65C6} - hxxp://www.ez-data.com/SmartAnalyser.cab
DPF: {FE83F482-F5B1-4355-85A9-BF017ADCF26B} - hxxps://mfin.ez-data.com/downloads/EZDialer.cab
FF - ProfilePath - c:\documents and settings\rmurphy\Application Data\Mozilla\Firefox\Profiles\3n7rzd2m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-21 08:39:59
ComboFix-quarantined-files.txt 2010-12-21 13:39
ComboFix2.txt 2010-12-20 21:43

Pre-Run: 110,785,134,592 bytes free
Post-Run: 110,841,278,464 bytes free

- - End Of File - - 9F8A354159BEFD8987BDB07CAE55222F

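The "Reg Loading Points" section of the ComboFix log above is where a responder looks first after a rootkit clean-up, because it shows what survives a reboot and which defences have been switched off. Three entries in this log deserve a second look regardless of the TDSS question: the Security Center overrides (`AntiVirusOverride` and `FirewallOverride` set to 1 suppress the "no antivirus / no firewall" warnings), `EnableFirewall`= 0 on the standard profile, and TCP 3389 (Remote Desktop) open globally. The script below is an added example, not part of the original post or of ComboFix: it parses a handful of lines copied from the log into a constructed sample and applies the editor's own triage rules. The line formats it expects (`"name"=dword:…`, `"name"= 0 (0x0)`, and the `R0 name;display;path [date size]` service lines) are assumed from how ComboFix prints them; the R0 boot-start driver rule only asks for the publisher to be verified, it does not call the driver malicious.

```python
"""Triage a ComboFix-style 'Reg Loading Points' section for weakened-security settings.

Added example for the thread above; not ComboFix code. SAMPLE_LOG is a
constructed subset of the lines from the posted log, and the rules in
triage() are the editor's own.
"""
import re

SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 Lbd;Lbd;c:\\windows\\system32\\DRIVERS\\Lbd.sys --> c:\\windows\\system32\\DRIVERS\\Lbd.sys [?]
R0 12183492;12183492 Boot Guard Driver;c:\\windows\\system32\\drivers\\12183492.sys [12/9/2010 2:27 PM 37392]
"""

# Assumed formats, taken from how the lines look in the log above.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")


def parse_value(raw):
    """Turn ComboFix's 'dword:00000001' or '0 (0x0)' renderings into an int.

    Anything that is not numeric is returned unchanged as a string.
    """
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


def triage(log_text):
    """Return (severity, finding) tuples for settings that weaken the host's defences."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), parse_value(m.group("value"))
            if "security center" in section and name.endswith("Override") and value == 1:
                findings.append(("high", f"Security Center {name} is set; alerts for this component are suppressed"))
            elif "firewallpolicy" in section and name == "EnableFirewall" and value == 0:
                findings.append(("high", "Windows Firewall is disabled on the standard profile"))
            elif "globallyopenports" in section:
                findings.append(("medium", f"Globally open port {name}; confirm it is needed"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path")
            if "-->" in path and path.endswith("[?]"):
                # ComboFix prints 'path --> path [?]' when the service's file is not on disk.
                findings.append(("low", f"Service {m.group('svc')} points at a missing file; orphaned entry"))
            elif m.group("start") == "R0":
                # Boot-start drivers load before most security software; check who signed them.
                findings.append(("info", f"Boot-start driver {m.group('svc')} loads before most defences; verify its publisher"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_LOG):
        print(f"[{severity}] {text}")
```

Run against the sample it reports the two Security Center overrides and the disabled firewall as high, the globally open 3389/TCP as medium, the orphaned `Lbd` service as low, and the `12183492` boot-start driver as informational. In this log that driver sits next to a `setup_9.0.0.722_09.12.2010_20-21drv` service, which matches the Kaspersky Virus Removal Tool the poster said they ran, so "verify the publisher" is the right level of alarm.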
#9 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 21 December 2010 - 12:00 PM

Have you now rebooted the machine?

If so, how is it running?
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#10 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • Local time:08:00 AM

Posted 21 December 2010 - 12:40 PM

Yes, and everything appears to be back to normal so far. Windows Updates are installing, which it was not doing in the week and a half I've been trying to get this fixed, so that's another good sign.

Thanks a lot for your help!

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 21 December 2010 - 01:23 PM

Let's take a last look with ESET

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#12 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:00 AM

Posted 21 December 2010 - 04:27 PM

The scan came up clean.

However, I ran TDSSKiller again just to see what happened, and it came up as still infected. Under malicious objects:

Rootkit.Win32.TDSS.tdl4
Physical Drive
Name: \HardDisk0

Does this mean it is still infected?

Edited by rycool20, 21 December 2010 - 04:30 PM.

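TDSSKiller's "Physical Drive" hit names the disk rather than a file because the TDL4 generation of TDSS lives in the master boot record: it replaces the boot code in sector 0 so that it loads before Windows and before any driver-level scanner. That is why file-system clean-ups (Malwarebytes, ESET, ComboFix) can report a clean system while the disk is still flagged, and why a second, independent look at sector 0 is worth having. The script below is an added example, not part of the thread and not TDSSKiller's method: it parses a 512-byte MBR, checks the 0x55AA signature and partition table, and compares a SHA-256 of the 440-byte boot-code area against a baseline recorded from a known-good copy. The two sector images are constructed for the demo (the "good" one starts with the usual `xor ax,ax / mov ss,ax / mov sp,7C00h` prologue and is otherwise padding; the "patched" one just has a few bytes changed, it is not bootkit code). On a real machine you would read sector 0 of the physical disk into a 512-byte buffer and pass it in, and the baseline hash would come from a copy taken before the incident or from a fresh `fixmbr`.

```python
"""Inspect a 512-byte MBR image and compare its boot code against a baseline.

Added example for the thread above; not TDSSKiller code. The sector images
and the baseline hash are constructed for the demo.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code (what a bootkit overwrites)
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the disk signature
MBR_SIGNATURE = b"\x55\xaa"  # last two bytes of the sector


def build_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble a sector from boot code and (bootable, type, lba_start, sectors) tuples.

    Demo helper only: it does not emulate any real bootloader.
    """
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    sector += struct.pack("<IH", disk_sig, 0)          # disk signature + 2 reserved bytes
    for bootable, ptype, lba, count in partitions:
        # CHS fields are obsolete; 0xFE 0xFF 0xFF is the conventional filler.
        sector += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                              b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector += b"\x00" * 16 * (4 - len(partitions))
    sector += MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return bytes(sector)


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def inspect_mbr(sector, baseline_bootcode_sha256, disk_sectors):
    """Return the boot-code hash, the partition table and a list of findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    findings = []
    if sector[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(sector)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past end of disk")
    return {"boot_code_sha256": boot_hash, "partitions": parts, "findings": findings}


# Constructed sample data: a known-good sector and a copy with patched boot code.
DISK_SECTORS = 500_000_000
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 432
GOOD_MBR = build_mbr(GOOD_BOOT_CODE, [(True, 0x07, 2048, DISK_SECTORS - 2048)])
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()

PATCHED_BOOT_CODE = GOOD_BOOT_CODE[:8] + b"\xe9\x00\x01" + GOOD_BOOT_CODE[11:]
PATCHED_MBR = build_mbr(PATCHED_BOOT_CODE, [(True, 0x07, 2048, DISK_SECTORS - 2048)])

if __name__ == "__main__":
    for label, image in (("good", GOOD_MBR), ("patched", PATCHED_MBR)):
        print(label, inspect_mbr(image, BASELINE, DISK_SECTORS)["findings"])
```

The partition-table checks matter because a bootkit that relocates the original MBR or carves out a hidden area at the end of the disk often leaves an entry that no longer fits the disk geometry; the hash check catches the more common case where the table is untouched and only the 440 bytes of boot code changed. A result of "clean" from this script is only as good as the baseline you compare against.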

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 21 December 2010 - 04:47 PM

Not enough info to know. Can you post the TDSSKiller log in full.

#14 rycool20

rycool20
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:00 AM

Posted 22 December 2010 - 08:04 AM

That time, I forgot to run it with a log.

I restarted and ran it again, and it came up clean (and I still have not been having any issues), so I don't know what that was about.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,614 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:00 PM

Posted 22 December 2010 - 02:48 PM

No, me neither. Let's call this a day.

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it rycool20, happy surfing!

Cheers.

m0le