****** VDL4 Rootkit? ***** "Google Redirect", "Ave.exe", etc.


This topic is locked
62 replies to this topic

#1 i-hate-rootkits


  • Members
  • 40 posts

Posted 08 April 2010 - 12:21 PM

Howdy,

I have been reading these forums with interest since I contracted the TDL3 rootkit, and finally figured out what's going on. An amazing virus really.

The frustrating, if not somewhat amusing thing, is to watch the most current thread in this forum- then hit "refresh" a few minutes later. It doesn't take much to see that 90% of the current "help me" threads are all dealing with the TDL3 rootkit virus. "Help, Help! My Google has been hijacked. Oh NOES!" Previously there were a lot of posts like "I have the AVE.EXE virus". Then someone from bleeping computer walked them through getting rid of that part of it. Then because the "root" cause, (Couldn't help that one), isn't dealt with, I just knew when they signed off with "Gee, thanks- you're the best!" that they would be back.
Sure enough, there are tons of threads here from people who thought they got rid of it, only to have the "Google Redirect Virus" send them to some nasty place that just put it all back. I too, thought I got rid of it, only to have it come back. All the downloadable fixes are useless, and there are millions of people out there wasting their time with them.

(The one person who had the best advice, advice I can't argue with, was the woman who posted that she had stumbled into this forum, had read countless pages, and wondered, "Why don't you people just get a Mac and not bother with all these headaches? What's the matter with you all?" She's right, of course. Can't argue that point. In any event..... )

This is really an astonishing virus, and I am surprised there isn't anything about it on the news. Yet. The way it gets in your machine is ingenious, (printing spool), and the way it hides itself is something to behold. I think the Pentagon ought to get the guys who made this to come over to our side. (It seems it comes from the Russian Federation.)

Perhaps the most amazing part about this little bugger, is that it actually goes online every few minutes- and *updates* itself. So as fast as fixes can be worked out, the scammers go online, see what the recent fixes are, and put out a patch to defeat the fix. For example, there are three, and only three, programs out there which know about the TDL3 virus and claim that they can fix it. All three currently fail. (Hitman Pro now does squat- doesn't even detect it. Both TDL3 Razor and its twin, TDSS Killer find it, promise to remove it on reboot- and then don't.) They have been rendered useless, no doubt by the virus going online and updating itself. (Amazing, no?)

The attached screenshot is to show you what TDSS Killer finds. Just so we can skip past all the jumping through hoops to come to the same conclusion:

[Screenshot: http://www.nissanleaf.us/tdl3.jpg]

Yes, I have TDL3 Rootkit and it's found a home in my atapi.sys file. (Since the alleged fixes no longer work, is it fair to say I have "TDL4 Rootkit"?)

No magic "remover" or "malware fixer" is going to take care of this.

What I would like you to do, is to hold my hand while we walk together through the joys of Combofix. (You can even admonish me when you notice my naughty utorrent penchant. Feel free to cut-and-paste the standard "naughty, naughty". Yes, I know, I know.) It seems to me only Combofix, while in the hands of someone like you all, is going to do the trick here.

I know the rules. (Don't be an idiot and start messin' with stuff while BleepingComputer is trying to help. Do what I am told, don't do things I am not told, be patient, etc. etc.)

When we are all done, I'd like to clean up my mess, run the SP3 from MS for this Win XP. (But not before, because I know this bugger gives you the dreaded Blue Screen of Death if you update with the rootkit still infecting.) I have already updated my Java. Then you can give me the "shame, shame" again on the P2P, and you can advise me on any other problems you might see. That would be swell.


Here is my DDS log. (GMER just gave me the BSOD with this rootkit, just as it did to everyone else.)

I'm putting on a pot 'o coffee, (all the talk about java installs got to me), and I patiently await your help. Thanks.
-----------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 13:07:58.98 on Thu 04/08/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.265 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\taskmgr.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Visicom Media\AceFTP 3 Freeware\Aceftp3free.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TdlRazor] c:\documents and settings\compaq_owner\desktop\tdl3 razor\tdlrazor.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258915669953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {F7E49090-26CA-471F-915C-4492B30E5A38} = 71.243.0.12 68.237.161.12
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: tivorema.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli viruwuyo.dll

============= SERVICES / DRIVERS ===============

R2 KillTheHooker;KillTheHooker;c:\documents and settings\compaq_owner\desktop\tdl3 razor\TizerBruteForceEx.sys [2010-3-18 22320]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-22 38224]
S4 Ndit_uued;Ndit_uued;c:\windows\system32\drivers\tosdvd.sys [2004-8-4 51712]

=============== Created Last 30 ================

2010-04-08 17:07:38 0 ----a-w- c:\documents and settings\compaq_owner\defogger_reenable
2010-04-08 16:32:11 95360 ----a-w- c:\windows\system32\drivers\tsk8.tmp
2010-04-08 16:32:11 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-08 03:31:53 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2010-04-08 01:49:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-08 01:49:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 21:43:45 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:25:00 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:24:49 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 21:24:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-06 21:23:48 0 d--h--w- c:\windows\PIF
2010-04-06 20:48:54 0 d-----w- C:\_OTM
2010-04-06 12:59:23 296462 ----a-w- c:\windows\~DF5E12.tmp
2010-04-06 12:59:23 296462 ----a-w- c:\windows\~DF5DF8.tmp
2010-04-06 12:54:29 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-06 05:09:34 296462 ----a-w- c:\windows\~DFF4FB.tmp
2010-04-06 05:08:57 296462 ----a-w- c:\windows\~DFDFF8.tmp
2010-04-06 05:08:46 296462 ----a-w- c:\windows\~DFD8DD.tmp
2010-04-05 23:01:58 0 d-----w- c:\program files\CCleaner
2010-04-05 19:22:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-05 03:28:31 0 d-----w- c:\docume~1\compaq~1\applic~1\Spybot - Search & Destroy
2010-03-30 05:23:19 0 d-----w- C:\VundoFix Backups
2010-03-30 04:48:08 296462 ----a-w- c:\windows\~DFA0DA.tmp
2010-03-30 03:52:20 0 d-----w- c:\windows\system32\LogFiles
2010-03-23 06:57:49 8704 --sha-w- C:\Thumbs.db

==================== Find3M ====================

2010-04-07 04:50:11 740864 ----a-w- c:\program files\1033.MST
2010-02-15 19:53:15 3649 ----a-w- c:\windows\viassary-hp.reg
2010-01-26 17:08:51 162 ----a-w- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2010-01-22 15:21:31 696832 ----a-w- c:\windows\isRS-000.tmp
2009-11-29 02:35:37 4632 ----a-w- c:\program files\0x0409.ini
2006-10-17 20:36:16 32 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 13:08:53.39 ===============
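A quick triage pass over log lines like the DDS report above (and the ComboFix output posted later in this thread), written here as an added example rather than a tool from this thread or from BleepingComputer; the sample lines are constructed from a few entries in those logs mixed with benign ones, and the severity labels and the "user profile path" heuristic are my own assumptions:

```python
"""Flag common persistence indicators in DDS / ComboFix log lines.

Added example, not a BleepingComputer tool. SAMPLE_LOG is constructed from a
few lines of the logs posted in this thread, mixed with benign entries.
"""
import re
from dataclasses import dataclass

# Assumption: a kernel driver or autorun living under a user profile (writable
# without admin rights) deserves a closer look than one under system32.
USER_PROFILE = re.compile(r"\\documents and settings\\|\\users\\", re.I)

SAMPLE_LOG = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TdlRazor] c:\documents and settings\compaq_owner\desktop\tdl3 razor\tdlrazor.exe
TCP: {F7E49090-26CA-471F-915C-4492B30E5A38} = 71.243.0.12 68.237.161.12
AppInit_DLLs: tivorema.dll
LSA: Notification Packages = scecli viruwuyo.dll
R2 KillTheHooker;KillTheHooker;c:\documents and settings\compaq_owner\desktop\tdl3 razor\TizerBruteForceEx.sys [2010-3-18 22320]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-22 38224]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
lprrint REG_SZ c:\windows\system32\ipsedsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    severity: str  # high / medium / low / info (labels are my own)
    reason: str
    line: str


def triage(log_text):
    """Return a Finding for each suspicious line in DDS- or ComboFix-style text."""
    findings = []
    section = ""  # lower-cased key of the last ComboFix "[HKEY...]" header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        m = re.match(r"AppInit_DLLs:\s*(\S.*)", line)
        if m:  # loaded into every process that links user32.dll
            findings.append(Finding("high", "AppInit_DLLs set: " + m.group(1), line))
            continue
        m = re.match(r"LSA: Notification Packages = (.+)", line)
        if m:  # anything beyond the default scecli sees password changes
            extra = [p for p in m.group(1).split() if p.lower() != "scecli"]
            if extra:
                findings.append(Finding("high", "non-default LSA notification package: " + " ".join(extra), line))
            continue
        if re.match(r"(BHO|TB): .* - No File$", line):
            findings.append(Finding("low", "orphaned browser add-on registration", line))
            continue
        m = re.match(r"[ums]Run: \[(.+?)\]\s*(.+)", line)
        if m and USER_PROFILE.search(m.group(2)):
            findings.append(Finding("medium", f"autorun '{m.group(1)}' from a user-writable path", line))
            continue
        m = re.match(r"[RS]\d+ (\S+?);[^;]*;(.+?) \[", line)  # "R2 name;display;path [date size]"
        if m and USER_PROFILE.search(m.group(2)):
            findings.append(Finding("high", f"kernel driver '{m.group(1)}' loaded from a user profile path", line))
            continue
        m = re.match(r"TCP: \{[0-9A-F-]+\} = (.+)", line, re.I)
        if m:  # DNS servers: compare against the ISP's or router's
            findings.append(Finding("info", "DNS servers in use: " + m.group(1), line))
            continue
        if "appcertdlls" in section and re.match(r"\S+ REG_SZ ", line):
            findings.append(Finding("high", "AppCertDlls entry (loaded on every process creation)", line))
            continue
        if re.match(r'"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', line):
            findings.append(Finding("medium", "Security Center override set (alerts suppressed)", line))
            continue
        if re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(Finding("medium", "Windows Firewall disabled in standard profile", line))
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: rank[f.severity]):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```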






#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 April 2010 - 11:14 AM

Hello i-hate-rootkits.

Let me start off by saying that I hate rootkits too. If you look at some malware removal topics from, let's say, 4 years ago, you'll see that more civilized malware was dealt with using the appropriate weapons from a more civilized time.

These days though, tools like HJT are just not enough.

Before we start, do you know what these two files might be?
  • uRun: [TdlRazor] c:\documents and settings\compaq_owner\desktop\tdl3 razor\tdlrazor.exe
  • R2 KillTheHooker;KillTheHooker;c:\documents and settings\compaq_owner\desktop\tdl3 razor\TizerBruteForceEx.sys [2010-3-18 22320]

EDIT: I have to give you the speech about how it would be best to reformat.
Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.


Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled, if you have any. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

Edited by PropagandaPanda, 10 April 2010 - 11:19 AM.


#3 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 10 April 2010 - 03:09 PM


Hi Panda,

Thanks very much.



"Before we start, do you know what these two files might be?

* uRun: [TdlRazor] c:\documents and settings\compaq_owner\desktop\tdl3 razor\tdlrazor.exe
* R2 KillTheHooker;KillTheHooker;c:\documents and settings\compaq_owner\desktop\tdl3 razor\TizerBruteForceEx.sys [2010-3-18 22320]


EDIT: I have to give you the speech about how it would be best to reformat.
Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans."



Yes, those files are from something I downloaded that promised to remove TDL3 Rootkit, and it looked exactly like TDSS Killer, and rendered the exact same results. Before I did that I checked the site out and it looked legit. I am sure I can find it again.

Is that the only thing that makes you think this is a lost cause? Could it be legit and you are just not familiar with it? (I admit, I don't like the sound of anything called "Brute Force". I know what a brute force attack is and that sure sounds ominous.)


Thanks again.

#4 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 10 April 2010 - 03:24 PM



This is the site I'm talking about....

http://www.tizersecure.com/index.php


#5 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 April 2010 - 05:22 PM

Hello i-hate-rootkits.

QUOTE
Is that the only thing that makes you think this is a lost cause? Could it be legit and you are just not familiar with it? (I admit, I don't like the sound of anything called "Brute Force". I know what a brute force attack is and that sure sounds ominous.)
I think you had misunderstood me. I was informing you that the TDL3 had compromised your computer, and it may be easiest to reformat, not because of the Tizer Secure program.

You're right that I haven't heard of it. I'll run a few tests with it later.

Please proceed to running ComboFix and Gmer if you do not wish to reformat.

With Regards,
The Panda

#6 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 10 April 2010 - 06:21 PM


Phew. You had me scared there.

I don't want to reformat. But I do want to understand what you mean about it not being safe to just get rid of the TDL 3 Rootkit.

I see countless people here who have been infected with it, who were not informed of the bad news that a backdoor was installed, that it wouldn't be safe to just get rid of the virus, "contact your bank", etc. Is this just a preference of whoever happens to take up the cause from Bleeping Computer? Or is there something different about my particular case? I just want to fully understand the threat posed by this nasty rootkit, that's all.

I have not logged into anything critical. But does this rootkit steal the contents of folders on my hard drive- can it do that? (And does it have a keylogging component to it?)

Thanks, I really do appreciate your help.

#7 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 10 April 2010 - 06:24 PM



In other words, this is the part that concerns me....

"EDIT: I have to give you the speech about how it would be best to reformat.
Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection."


I had not seen that for other people who were infected with this rootkit. Is it more of a disclaimer- or is there something unusual about my infection that would lead you to believe that I am a goner? :-)

Thanks again

#8 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 April 2010 - 07:27 PM

Hello.

It's general policy to give that warning to users infected with rootkits, as you said, a general disclaimer.

Not all helpers remember to post it all the time though.

With Regards,
The Panda

#9 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 10 April 2010 - 07:40 PM


OK, that makes sense. Geez, you scared the heck out of me, because I saw that right after the part about Brute Force. (That's a bad combination.)


So yes, let's take a stroll down Combofix Lane and send this vile thing on its way.

One question though. If I understand this right, the idea is to swap a clean copy of the atapi.sys file for the corrupt one. So I am going to need a clean copy of atapi.sys. And the problem with that, if I am correct here, is the folks at Microsoft, in their wisdom, construe that as part of Windows, copyright, blah-blah, and don't make it available for download. (Doesn't seem fair if you ask me.)

At which point you have to tell me to get out my restore disk. However, in my case, it isn't one disk. It's a big stack of them. This computer didn't come with a disk, rather it gave you the capacity to burn a series of disks for this purpose. (Just once, then it self destructed or something.)

Rather than trying to use this big cumbersome pile of disks, would it not be easier for me to copy the file from my uninfected laptop, which has the same OS? (Windows XP, SP2.)

(If somehow you are not allowed to say so, the correct file could just magically appear on the desktop of the infected desktop.)

Seems to me it would be easier, but maybe there is something I don't know?


Thanks

#10 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 April 2010 - 07:55 PM

Hello i-hate-rootkits.

There are usually multiple copies of system files on an installation. Some in the driver cache, in the Windows Update backups, and from Service Pack installation backups.

Usually we can find a suitable replacement file on the machine. If not, your other computer's file will come in handy.

With Regards,
The Panda

#11 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 10 April 2010 - 08:01 PM


OK. Understood. I'm going to the next step then. Back in a little while. (I hope. :-)

#12 i-hate-rootkits

  • Topic Starter
  • Members
  • 40 posts

Posted 12 April 2010 - 07:08 PM


Hi Panda,

Here are the two log files. I await your next instructions. Thanks very much.

-------------

ComboFix 10-04-12.01 - Compaq_Owner 04/12/2010 19:26:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.385 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Recent\Thumbs.db
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\recycler\S-1-5-21-244066921-3736055849-1618422778-1009
C:\Thumbs.db
c:\windows\system32\PRAGMAaxomntdrfq.dll
c:\windows\system32\PRAGMAjpwbudjklp.dll
c:\windows\system32\PRAGMAmxfumepxmy.dat
c:\windows\system32\PRAGMArtqtxilhlt.dll
c:\windows\system32\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 22:40 . 2010-04-12 22:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-10 02:39 . 2010-04-10 02:39 -------- d-----w- c:\windows\Thunderbird
2010-04-10 02:39 . 2010-04-10 02:39 -------- d-----w- c:\windows\Mozilla
2010-04-10 02:27 . 2010-04-10 02:27 1165 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
2010-04-10 02:27 . 2010-04-10 02:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 03:31 . 2010-03-16 07:12 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2010-04-08 03:03 . 2010-04-08 03:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-08 01:50 . 2010-04-08 01:50 503808 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fe4eb18-n\msvcp71.dll
2010-04-08 01:50 . 2010-04-08 01:50 499712 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fe4eb18-n\jmc.dll
2010-04-08 01:50 . 2010-04-08 01:50 348160 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fe4eb18-n\msvcr71.dll
2010-04-08 01:50 . 2010-04-08 01:50 61440 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60e199eb-n\decora-sse.dll
2010-04-08 01:50 . 2010-04-08 01:50 12800 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60e199eb-n\decora-d3d.dll
2010-04-08 01:50 . 2010-04-08 01:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 01:49 . 2010-04-08 01:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 21:43 . 2010-04-10 04:34 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:25 . 2010-04-10 05:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:24 . 2010-04-06 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-06 21:24 . 2010-04-06 21:24 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 21:23 . 2010-04-06 21:23 -------- d--h--w- c:\windows\PIF
2010-04-06 20:48 . 2010-04-06 20:48 -------- d-----w- C:\_OTM
2010-04-06 13:52 . 2010-04-06 13:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\avG
2010-04-06 12:54 . 2010-04-06 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-05 23:01 . 2010-04-05 23:01 -------- d-----w- c:\program files\CCleaner
2010-04-05 03:28 . 2010-04-05 23:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Spybot - Search & Destroy
2010-04-04 21:07 . 2010-04-04 21:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 05:23 . 2010-03-30 05:23 -------- d-----w- C:\VundoFix Backups
2010-03-30 03:52 . 2010-03-30 03:52 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 22:54 . 2009-05-25 23:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 22:44 . 2009-05-06 20:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-12 09:41 . 2009-05-06 20:32 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 02:40 . 2010-04-10 02:40 296462 ----a-w- c:\windows\~DF7DD.tmp
2010-04-08 20:56 . 2009-06-25 19:25 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SiteClasses
2010-04-08 20:56 . 2009-06-25 19:25 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Sites
2010-04-08 04:11 . 2010-01-28 01:11 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\GetRightToGo
2010-04-07 15:50 . 2009-05-29 18:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\dvdcss
2010-04-07 04:50 . 2009-11-29 02:34 740864 ----a-w- c:\program files\1033.MST
2010-04-06 12:59 . 2010-04-06 12:59 296462 ----a-w- c:\windows\~DF5E12.tmp
2010-04-06 12:59 . 2010-04-06 12:59 296462 ----a-w- c:\windows\~DF5DF8.tmp
2010-04-06 06:26 . 2009-05-06 21:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2010-04-06 05:09 . 2010-04-06 05:09 296462 ----a-w- c:\windows\~DFF4FB.tmp
2010-04-06 05:09 . 2010-04-06 05:08 296462 ----a-w- c:\windows\~DFDFF8.tmp
2010-04-06 05:08 . 2010-04-06 05:08 296462 ----a-w- c:\windows\~DFD8DD.tmp
2010-04-05 01:15 . 2009-05-06 21:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Vso
2010-03-30 04:48 . 2010-03-30 04:48 296462 ----a-w- c:\windows\~DFA0DA.tmp
2010-03-29 22:24 . 2009-11-21 18:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 17:31 . 2009-05-06 21:55 -------- d-----w- c:\program files\uTorrent
2010-02-15 19:53 . 2005-11-14 15:28 3649 ----a-w- c:\windows\viassary-hp.reg
2010-01-29 10:46 . 2009-05-14 14:35 52872 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 17:08 . 2009-11-27 00:08 162 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2010-01-22 15:21 . 2010-01-22 15:21 696832 ----a-w- c:\windows\isRS-000.tmp
2009-11-29 02:35 . 2009-11-29 02:34 4632 ----a-w- c:\program files\0x0409.ini
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-10-17 20:36 . 2009-05-06 22:03 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-14 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-14 36903]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
lprrint REG_SZ c:\windows\system32\ipsedsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R2 KillTheHooker;KillTheHooker;c:\documents and settings\Compaq_Owner\Desktop\TDL3 Razor\TizerBruteForceEx.sys [3/18/2010 4:50 PM 22320]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/6/2010 5:25 PM 15944]
S4 Ndit_uued;Ndit_uued;c:\windows\system32\drivers\tosdvd.sys [8/4/2004 3:00 PM 51712]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8271FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7d54fc3
\Driver\ACPI -> ACPI.sys @ 0xf7bc7cb8
\Driver\atapi -> atapi.sys @ 0xf7aaa7b4
\Driver\iaStor -> iaStor.sys @ 0xf7aceade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf795cbc3
PacketIndicateHandler -> NDIS.sys @ 0xf7968b21
SendHandler -> NDIS.sys @ 0xf795cd33
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1580)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2010-04-12 19:45:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 23:45

Pre-Run: 32,299,835,392 bytes free
Post-Run: 36,461,735,936 bytes free

- - End Of File - - 407C9CB85AA7ECFA6F6751C83B47C9FD
========================================================



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-12 19:53:24
Windows 5.1.2600 Service Pack 2
Running: iwi2lz8g.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kftyqfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8271FAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 April 2010 - 07:30 PM

Hello.

There appears to be malware in addition to the TDSS infection.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/308106/vdl4-rootkit-google-redirect-aveexe-etc/
    Collect::[59]
    c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    c:\windows\system32\drivers\x001.sys
    c:\windows\system32\ipsedsvc.dll

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    "lprrint"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


We need to locate a copy of atapi.sys to replace the hijacked one.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

With Regards,
The Panda

Edited by PropagandaPanda, 12 April 2010 - 07:31 PM.
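The CFScript in this post removes the AppCertDlls value that the ComboFix "Reg Loading Points" section above lists (lprrint pointing at ipsedsvc.dll); that key is a DLL load point consulted when processes are created and is normally empty on a home PC. The same section also shows the Security Center override flags set and the firewall profile disabled. As an added example (not ComboFix's code and not the helper's), here is a small Python triage script that parses a "Reg Loading Points" section and flags those three conditions. The log excerpt is reconstructed in ComboFix's layout from the entries shown in the thread's log; the finding labels are my own.

```python
import re

# Constructed excerpt in ComboFix's "Reg Loading Points" layout, reproducing
# the entries shown in the thread's log (paths and values are the thread's).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
lprrint REG_SZ c:\windows\system32\ipsedsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")


def parse_loading_points(text):
    """Map each registry key in the section to the value lines listed under it."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
        elif current is not None:
            entries[current].append(line)
    return entries


def _name_value(line):
    """Split a REGEDIT-style '"Name"=value' line into (name, value)."""
    name, _, value = line.partition("=")
    return name.strip().strip('"'), value.strip()


def triage(entries):
    """Return (finding, key, value_line) triples for the load points worth a look."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith(r"session manager\appcertdlls"):
            # DLLs listed here are loaded when processes are created; on a
            # home PC the key is normally empty, so every entry is a finding.
            for v in values:
                findings.append(("appcertdlls", key, v))
        elif k.endswith(r"microsoft\security center"):
            # Override flags silence Security Center's AV/firewall warnings.
            for v in values:
                name, value = _name_value(v)
                if name.endswith("Override") and value.lower() == "dword:00000001":
                    findings.append(("security-center-override", key, v))
        elif k.endswith(r"firewallpolicy\standardprofile"):
            for v in values:
                name, value = _name_value(v)
                if name == "EnableFirewall" and value.startswith("0"):
                    findings.append(("firewall-disabled", key, v))
    return findings


if __name__ == "__main__":
    for kind, key, value in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{kind:26} {value}\n    under {key}")
```

Run it against a real ComboFix.txt by pasting the section between the "Reg Loading Points" banner and the "Supplementary Scan" banner into SAMPLE_LOG; the Run-key entries are deliberately not flagged, since deciding which of those are legitimate needs the context a helper brings.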


#14 i-hate-rootkits
  • Topic Starter
  • Members
  • 40 posts

Posted 12 April 2010 - 08:51 PM


So far, so good. (Well, except for the nasties I already have of course. But it feels like we are making progress.)

Here are the two files:


ComboFix 10-04-12.01 - Compaq_Owner 04/12/2010 21:19:11.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.417 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

file zipped: c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
file zipped: c:\windows\system32\drivers\x001.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Recent\Thumbs.db
C:\Thumbs.db
c:\windows\system32\drivers\x001.sys
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-12 22:40 . 2010-04-12 22:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-10 02:39 . 2010-04-10 02:39 -------- d-----w- c:\windows\Thunderbird
2010-04-10 02:39 . 2010-04-10 02:39 -------- d-----w- c:\windows\Mozilla
2010-04-10 02:27 . 2010-04-10 02:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 03:03 . 2010-04-08 03:03 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-08 01:50 . 2010-04-08 01:50 503808 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fe4eb18-n\msvcp71.dll
2010-04-08 01:50 . 2010-04-08 01:50 499712 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fe4eb18-n\jmc.dll
2010-04-08 01:50 . 2010-04-08 01:50 348160 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fe4eb18-n\msvcr71.dll
2010-04-08 01:50 . 2010-04-08 01:50 61440 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60e199eb-n\decora-sse.dll
2010-04-08 01:50 . 2010-04-08 01:50 12800 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60e199eb-n\decora-d3d.dll
2010-04-08 01:50 . 2010-04-08 01:50 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 01:49 . 2010-04-08 01:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 21:43 . 2010-04-10 04:34 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-06 21:25 . 2010-04-10 05:18 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-06 21:24 . 2010-04-06 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-06 21:24 . 2010-04-06 21:24 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-06 21:23 . 2010-04-06 21:23 -------- d--h--w- c:\windows\PIF
2010-04-06 20:48 . 2010-04-06 20:48 -------- d-----w- C:\_OTM
2010-04-06 13:52 . 2010-04-06 13:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\avG
2010-04-06 12:54 . 2010-04-06 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-05 23:01 . 2010-04-05 23:01 -------- d-----w- c:\program files\CCleaner
2010-04-05 03:28 . 2010-04-05 23:01 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Spybot - Search & Destroy
2010-04-04 21:07 . 2010-04-04 21:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 05:23 . 2010-03-30 05:23 -------- d-----w- C:\VundoFix Backups
2010-03-30 03:52 . 2010-03-30 03:52 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 22:54 . 2009-05-25 23:18 -------- d--h--w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 22:44 . 2009-05-06 20:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-12 09:41 . 2009-05-06 20:32 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 02:40 . 2010-04-10 02:40 296462 ----a-w- c:\windows\~DF7DD.tmp
2010-04-08 20:56 . 2009-06-25 19:25 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SiteClasses
2010-04-08 20:56 . 2009-06-25 19:25 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Sites
2010-04-08 04:11 . 2010-01-28 01:11 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\GetRightToGo
2010-04-07 15:50 . 2009-05-29 18:59 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\dvdcss
2010-04-07 04:50 . 2009-11-29 02:34 740864 ----a-w- c:\program files\1033.MST
2010-04-06 12:59 . 2010-04-06 12:59 296462 ----a-w- c:\windows\~DF5E12.tmp
2010-04-06 12:59 . 2010-04-06 12:59 296462 ----a-w- c:\windows\~DF5DF8.tmp
2010-04-06 06:26 . 2009-05-06 21:55 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2010-04-06 05:09 . 2010-04-06 05:09 296462 ----a-w- c:\windows\~DFF4FB.tmp
2010-04-06 05:09 . 2010-04-06 05:08 296462 ----a-w- c:\windows\~DFDFF8.tmp
2010-04-06 05:08 . 2010-04-06 05:08 296462 ----a-w- c:\windows\~DFD8DD.tmp
2010-04-05 01:15 . 2009-05-06 21:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Vso
2010-03-30 04:48 . 2010-03-30 04:48 296462 ----a-w- c:\windows\~DFA0DA.tmp
2010-03-29 22:24 . 2009-11-21 18:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 17:31 . 2009-05-06 21:55 -------- d-----w- c:\program files\uTorrent
2010-02-15 19:53 . 2005-11-14 15:28 3649 ----a-w- c:\windows\viassary-hp.reg
2010-01-29 10:46 . 2009-05-14 14:35 52872 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 17:08 . 2009-11-27 00:08 162 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2010-01-22 15:21 . 2010-01-22 15:21 696832 ----a-w- c:\windows\isRS-000.tmp
2009-11-29 02:35 . 2009-11-29 02:34 4632 ----a-w- c:\program files\0x0409.ini
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-10-17 20:36 . 2009-05-06 22:03 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( SnapShot@2010-04-12_23.38.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-13 01:28 . 2010-04-13 01:28 16384 c:\windows\Temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-14 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-14 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R2 KillTheHooker;KillTheHooker;c:\documents and settings\Compaq_Owner\Desktop\TDL3 Razor\TizerBruteForceEx.sys [3/18/2010 4:50 PM 22320]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/6/2010 5:25 PM 15944]
S4 Ndit_uued;Ndit_uued;c:\windows\system32\drivers\tosdvd.sys [8/4/2004 3:00 PM 51712]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 21:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82721AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7d54fc3
\Driver\ACPI -> ACPI.sys @ 0xf7bc7cb8
\Driver\atapi -> atapi.sys @ 0xf7aaa7b4
\Driver\iaStor -> iaStor.sys @ 0xf7aceade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf795cbc3
PacketIndicateHandler -> NDIS.sys @ 0xf7968b21
SendHandler -> NDIS.sys @ 0xf795cd33
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1320)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2010-04-12 21:35:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 01:35
ComboFix2.txt 2010-04-12 23:45

Pre-Run: 36,467,941,376 bytes free
Post-Run: 36,438,859,776 bytes free

- - End Of File - - 47ADC6AA096A587B5B6189E7761C7606
=============================================================


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:45 on 12/04/2010 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [23:43 12/04/2010] [09:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [16:17 21/06/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [20:25 06/05/2009] [09:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [20:25 06/05/2009] [09:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-



#15 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 13 April 2010 - 03:34 PM

Hello i-hate-rootkits.

Let's replace that infected system file now.

Create Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    CODE
    REN C:\WINDOWS\system32\drivers\atapi.sys atapi.sys.bak
    COPY C:\WINDOWS\ERDNT\cache\atapi.sys C:\WINDOWS\system32\drivers\atapi.sys
  • Click File, then Save As... .
  • Navigate to C:\Windows
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input moveit.bat
  • Hit OK.

Replace File from Recovery Console
Shutdown your computer. Start it again.
After hearing the beep, tap the F8 key repeatedly until you see the boot selection screen.
Use the arrow keys to select "Microsoft Windows Recovery Console" and hit Enter.
You will be asked which installation you want to log into. This is usually 1 - C:\WINDOWS. Type 1 followed by Enter.
Type the following lines each followed by Enter.
CODE
BATCH moveit.bat
EXIT

You should see a message saying 1 file(s) copied. If you do not, post back with the error message.

Allow your computer to restart normally.

Follow up with a new scan from GMER please. Also run ComboFix again just by clicking on its icon and post back the resulting log.

With Regards,
The Panda

Edited by PropagandaPanda, 13 April 2010 - 03:34 PM.
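As an added example (not SystemLook's code and not the helper's), here is a Python script that parses the :filefind output posted in #14 and compares the live atapi.sys against its ERDNT and dllcache copies. The first sample is the thread's own result: every copy of the 2004 build reports the same MD5, yet GMER had already flagged the driver as suspiciously modified, which is why the replacement above is done from the Recovery Console rather than from inside the running system, where a rootkit hooked into the disk stack can control what a file read returns. The second sample is constructed, with placeholder hashes, to show the case where the live copy really does differ on disk. Treating equal file size as the same build is an assumption of the script, not something SystemLook reports.

```python
import re

# Lines from the SystemLook :filefind result posted above (copied from the
# thread's log); the active driver is C:\WINDOWS\system32\drivers\atapi.sys.
SAMPLE_FROM_THREAD = r"""
Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [23:43 12/04/2010] [09:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys --a--- 96512 bytes [16:17 21/06/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [20:25 06/05/2009] [09:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [20:25 06/05/2009] [09:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
"""

# Constructed variant (hashes are placeholders, not real file digests) in
# which the live driver no longer matches its backup copies.
SAMPLE_DIFFERING = r"""
Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [23:43 12/04/2010] [09:00 04/08/2004] 00000000000000000000000000000001
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95360 bytes [20:25 06/05/2009] [09:00 04/08/2004] 00000000000000000000000000000001
C:\WINDOWS\system32\drivers\atapi.sys ------ 95360 bytes [20:25 06/05/2009] [09:00 04/08/2004] 00000000000000000000000000000002
"""

ACTIVE_DRIVER = r"C:\WINDOWS\system32\drivers\atapi.sys"

# One SystemLook result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line; header and footer lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def assess(records, active_path):
    """Compare the active driver against its other copies.

    Copies with a different size are treated as a different build (assumption:
    size is used as a cheap proxy for build) and reported separately rather
    than counted as evidence of tampering.
    """
    active = next(r for r in records if r["path"].lower() == active_path.lower())
    others = [r for r in records if r is not active]
    same_build = [r for r in others if r["size"] == active["size"]]
    other_build = [r["path"] for r in others if r["size"] != active["size"]]
    agreeing = [r["path"] for r in same_build if r["md5"] == active["md5"]]
    differing = [r["path"] for r in same_build if r["md5"] != active["md5"]]
    if differing and not agreeing:
        verdict = "active copy differs from every same-size copy"
    elif differing:
        verdict = "copies disagree; compare against a known-good hash"
    else:
        # Identical hashes read through the running OS are not a clean
        # verdict: in the thread GMER still flagged this driver, and the fix
        # replaces it from the Recovery Console, outside the infected kernel.
        verdict = "no on-disk difference visible from within this OS"
    return {
        "active_md5": active["md5"],
        "agreeing": agreeing,
        "differing": differing,
        "other_build": other_build,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("thread", SAMPLE_FROM_THREAD), ("constructed", SAMPLE_DIFFERING)):
        result = assess(parse_filefind(sample), ACTIVE_DRIVER)
        print(f"[{label}] {result['verdict']}")
        for k in ("agreeing", "differing", "other_build"):
            for p in result[k]:
                print(f"    {k:12} {p}")
```

The 96512-byte copy under SoftwareDistribution is a different (2008) build, so it is listed as other_build rather than as a mismatch; only same-size copies are compared byte-for-byte by hash. When the verdict is "no on-disk difference visible", the next check belongs outside the running system, exactly as the Recovery Console step above does.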




