Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDL3 Rootkit Removal (Pls. disregard other post) SORRY!


  • This topic is locked This topic is locked
3 replies to this topic

#1 nait

nait

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 23 July 2010 - 12:00 AM

i was having problems uploading my log file earlier. my browser was going all over the place.

i have an infection of the TDL3 rootkit virus and i don't know how to properly get rid of it.

right now i have SpybotS&D, Panda Cloud AV and Windows Defender running. I was running Avira before but it couldn't find it so i installed Panda. I've also tried using ComboFix, Rootkit Revealer, etc. The only thing that could detect it is the Hitman Pro and it displays the message:

"The device stack of the hard disk is referencing a hidden driver. This could affect the detection of malicious files." but Hitman Pro can't remove it.

I tried the online scans from Panda, HouseCall, and the Microsoft online scanner. None worked and my browser still get redirected, especially if I try to go to a microsoft website.

here's my log from HijackThis.
thanks very much for your help. i read the requirements for this board. i'll run DDS and GMER as ASAP.
thanks in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:05 PM, on 22/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32ZoneLabsvsmon.exe
C:WINDOWSExplorer.EXE
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:Program FilesPanda SecurityPanda Cloud AntivirusPSANHost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesHewlett-PackardSharedhpqwmiex.exe
C:Program FilesCitrixICA Clientconcentr.exe
C:Program FilesZoneAlarmzlclient.exe
C:Program FilesPanda SecurityPanda Cloud AntivirusPSUNMain.exe
C:Program FilesCitrixICA Clientwfcrun32.exe
C:Program FilesDSClockDSClock.exe
C:Program FilesChronoShutdownChrono Shutdown.exe
C:Program FilesWeatherWatcherww.exe
C:Program FilesSpyBotS&DInstalledFilesTeaTimer.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe
C:Program FilesPandaUSBVaccineInstalledFilesUSBVaccine.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesWindows DefenderInstalledFilesMsMpEng.exe
C:Program FilesWindows DefenderInstalledFilesMSASCui.exe
C:Program FilesFirefoxfirefox.exe
C:WINDOWSsystem32wuauclt.exe
C:WINDOWSsystem32msiexec.exe
C:Program FilesHiJackThisInstalledFilesTrend MicroHiJackThisHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.google.ca/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program FilesMicrosoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM..Run: [EPSON Stylus CX3800 Series] C:WINDOWSSystem32spoolDRIVERSW32X863E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM..Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM..Run: [ConnectionCenter] "C:Program FilesCitrixICA Clientconcentr.exe" /startup
O4 - HKLM..Run: [ZoneAlarm Client] "C:Program FilesZoneAlarmzlclient.exe"
O4 - HKLM..Run: [PSUNMain] "C:Program FilesPanda SecurityPanda Cloud AntivirusPSUNMain.exe" /Traybar
O4 - HKLM..Run: [Windows Defender] "C:Program FilesWindows DefenderInstalledFilesMSASCui.exe" -hide
O4 - HKCU..Run: [DS Clock] "C:Program FilesDSClockDSClock.exe"
O4 - HKCU..Run: [Chrono ShutDown] C:Program FilesChronoShutdownChrono Shutdown.exe
O4 - HKCU..Run: [Weather Watcher Live] C:Program FilesWeatherWatcherww.exe
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpyBotS&DInstalledFilesTeaTimer.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [ISUSPM] "C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" -scheduler
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'Default user')
O4 - Startup: PandaUSBVaccine.lnk = C:Program FilesPandaUSBVaccineInstalledFilesUSBVaccine.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3Office12EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~3Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~3Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~3Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1257311648156
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1242257125703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program FilesMicrosoft OfficeOffice12GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:WINDOWSSystem32browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:WINDOWSSystem32browseui.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:Program FilesHewlett-PackardSharedhpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6binjqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:Program FilesCommon FilesLightScribeLSSrvc.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:Program FilesPanda SecurityPanda Cloud AntivirusPSANHost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:Program FilesRoxioDigital Home 9RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:Program FilesRoxioDigital Home 9RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatch9.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:WINDOWSSystem32TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:WINDOWSSystem32TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:WINDOWSsystem32ZoneLabsvsmon.exe

--
End of file - 8716 bytes

EDIT: Merged data from two posts ~ Hamluis.

Edited by hamluis, 23 July 2010 - 09:55 AM.
Moved from XP ~BP


BC AdBot (Login to Remove)

 


#2 nait

nait
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 23 July 2010 - 01:37 PM

hi guys,

i had to run otl instead of the DDS tool because it was not working for me. i think i ran defogger before i made my scan for otl, but the log doesn't say so. i apologize for running combofix prior to this, but i could not get into any microsoft website to get the recovery console. plus i was so desperate because this is my laptop for my school work.

i noticed on the OTL log that my virtual drives are still present. regardless, i think it helped because while i was scanning, panda av isolated and quarantined pev.exe. it also detected and quarantined isenuhec.dll from an earlier scan.

also, the OTL log says i have a drivers folder in Windows/system32 with some funny host addresses. i am tempted to delete this folder, but i will wait for your instructions.

i now manually uninstalled all my virtual drives, disabled my panda av and panda usb av, i disconnected my wired connection to the internet and am now running GMER.

please advise if i need to run OTL again. i will post the GMER log ASAP.

thanks very much again.

Attached Files



#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:17 AM

Posted 30 July 2010 - 05:32 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:17 AM

Posted 04 August 2010 - 05:55 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users