Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Rootkit.Win32.tdl4


  • This topic is locked This topic is locked
2 replies to this topic

#1 gperrin82

gperrin82

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 15 September 2010 - 04:02 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:07:45.18 on Wed 09/15/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.137 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Documents and Settings\Administrator.WORKGROUP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.mapletronics.com/
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/legacy/ractrl.cab?lmi=100
TCP: {96679D84-359B-4A1E-8B5C-02B31B19BB94} = 192.168.200.254
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-14 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-09-15 19:21:42 0 d-----w- C:\MGtools
2010-09-15 18:55:09 0 d-----w- c:\program files\trend micro
2010-09-15 18:29:08 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-15 18:29:07 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-15 18:29:05 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-15 18:29:05 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-15 18:29:05 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-15 18:27:59 19016 -c--a-w- c:\windows\system32\dllcache\w926nd.sys
2010-09-15 18:26:59 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2010-09-15 18:25:58 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-09-15 18:24:58 169984 -c--a-w- c:\windows\system32\dllcache\pcx500.sys
2010-09-15 18:23:58 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-09-15 18:22:56 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-09-15 18:21:59 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys
2010-09-15 18:20:58 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2010-09-15 18:19:58 27648 -c--a-w- c:\windows\system32\dllcache\cyzports.dll
2010-09-15 18:18:59 66082 -c--a-w- c:\windows\system32\dllcache\c_20420.nls
2010-09-15 18:17:59 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2010-09-15 15:55:38 0 d-----w- c:\docume~1\admini~1.wor\applic~1\Malwarebytes
2010-09-15 15:02:26 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-15 14:13:09 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15:26 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 15:03:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041620090417\index.dat

============= FINISH: 16:08:36.54 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:49 AM

Posted 20 September 2010 - 04:41 PM

Good evening. smile.gif

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:49 AM

Posted 25 September 2010 - 02:56 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users