Possible Rootkit (TDL4?)


This topic is locked
14 replies to this topic

#1 Moondriven

  • Members
  • 7 posts

Posted 08 November 2010 - 06:34 AM

Hello,

My laptop has been experiencing a few issues, such as:
- randomly opening new tabs in firefox, to sites such as gloablwarmingtray.info, commercialpropertieswanted.com
- popups for downloading "anti-spyware" software
- locking up when restoring from hibernate mode or booting up
- wireless drops to "access point" mode after waking from hibernate
- unable to run firefox at all - process is running but no browser is displayed

I've run MalwareBytes AntiMalware a couple of times and removed some infections (Trojan.Hiloti, Trojan.Dropper, Spyware.Pass words.XGen, Malware.Trace). Performance has improved (no more antispyware, for example), but most of the issues above are still occurring.

I've now followed the steps in the Preparation Guide, and the results are below and attached. Interestingly, GMER seems pretty sure I have a rootkit - TDL4. I'd be grateful for any assistance in removing these issues once and for all!

===============
DDS.txt
===============

DDS (Ver_10-11-08.01) - NTFSx86
Run by Kathryn at 21:21:00.87 on Mon 08/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1213 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Kathryn\My Documents\Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kathryn\My Documents\Downloads\Defogger.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kathryn\My Documents\Downloads\dds.scr
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msi.com.tw/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WatcherHelper] "c:\program files\telstra\telstra turbo connection manager\WaHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225811232578
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kathryn\applic~1\mozilla\firefox\profiles\ahgfoz17.default\
FF - component: c:\documents and settings\kathryn\application data\mozilla\firefox\profiles\ahgfoz17.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-31 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-31 297752]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2005-3-8 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-29 625792]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-2-25 182784]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-2-25 145536]
S4 gupdate1c985ec3de71e72;Google Update Service (gupdate1c985ec3de71e72);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]

=============== Created Last 30 ================

2010-11-07 01:12:00 -------- d-----w- c:\docume~1\kathryn\applic~1\Malwarebytes
2010-11-07 01:11:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-07 01:11:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-07 01:11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-07 01:11:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-07 00:48:30 -------- d-----w- C:\Adobe
2010-10-28 10:30:32 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-10-25 11:27:24 -------- d-----w- c:\docume~1\kathryn\applic~1\Bitrix Security
2010-10-23 23:28:59 -------- d-----w- c:\program files\Utilities

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BEVT-22ZCT0 rev.11.01A11 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVT-22ZCT0___________________11.01A11#5&2ef5f6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89DCA292
user != kernel MBR !!!
sectors 234441646 (+224): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

Registry trace:
called modules: ntkrnlpa.exe hal.dll

============= FINISH: 21:21:57.00 ===============
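The GMER section of the DDS log above flags the infection by reading the MBR twice, once through the normal user-mode path and once from the kernel, and reporting `user != kernel MBR`; MBRCheck later reports the MBR code as unknown and prints its SHA1. The script below is an added example, not a tool from this thread and not GMER's or MBRCheck's own code, showing the defensive logic behind that cross-view check: parse a 512-byte MBR into boot code, partition table and signature, hash the boot code, and compare two independently obtained copies. Both MBR images are constructed inline; the boot-code bytes, partition layout and sector counts are made up for illustration.

```python
"""Parse a 512-byte MBR and cross-check two independent reads of it.

Constructed example (not from the thread): CLEAN_MBR is an MBR with one
partition entry and stock-looking boot code; TAMPERED_MBR has its boot code
overwritten while the partition table and boot signature are left intact,
which is the kind of difference a user-vs-kernel comparison is meant to catch.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot-code hash, the partition table and the signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    boot_code = mbr[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def compare_mbr_views(user_view: bytes, kernel_view: bytes) -> list:
    """Return findings describing how two reads of the same MBR differ.

    An empty list means the views agree. A boot-code mismatch with an
    identical partition table is the pattern a bootkit that filters
    user-mode disk reads produces.
    """
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if not k["signature_ok"]:
        findings.append("kernel view: missing 0x55AA boot signature")
    if u["boot_code_sha1"] != k["boot_code_sha1"]:
        findings.append("user != kernel boot code (sha1 %s vs %s)"
                        % (u["boot_code_sha1"][:12], k["boot_code_sha1"][:12]))
    if u["partitions"] != k["partitions"]:
        findings.append("user != kernel partition table")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: pad the boot code, add one NTFS partition, sign it."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    # status 0x80 (active), type 0x07 (NTFS), LBA start 63; CHS fields and
    # sector count are made-up values for illustration
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 234441583)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed images. The clean prologue is the usual "xor ax,ax / mov ss,ax /
# mov sp,0x7c00" opening; the tampered one starts with a "jmp $" placeholder.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x00" * 100)

if __name__ == "__main__":
    print("same image:", compare_mbr_views(CLEAN_MBR, CLEAN_MBR))
    for f in compare_mbr_views(CLEAN_MBR, TAMPERED_MBR):
        print("finding:", f)
```

On a real machine the two inputs would be the first sector read through the ordinary volume path and the same sector read from as low in the storage stack as possible; the comparison itself does not depend on where the bytes came from, which is why an offline copy of the disk (or a boot from known-good media) is the reliable way to obtain the "kernel" view when a rootkit is suspected.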


#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 08 November 2010 - 03:57 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.

  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#3 Moondriven
  • Topic Starter

  • Members
  • 7 posts

Posted 09 November 2010 - 05:31 AM

Hi Noviciate - and thanks for your response. Here are the outputs you requested:

==========
MBR_Check
==========

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002c

Kernel Drivers (total 119):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0x89DA2000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4C0000 compbatt.sys
0xBA4C4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA4C8000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltMgr.sys
0xB9EFF000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EE8000 KSecDD.sys
0xB9E5B000 Ntfs.sys
0xB9E2E000 NDIS.sys
0xB9E14000 Mup.sys
0xB9836000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB9822000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB97FA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB97E0000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB9747000 \SystemRoot\system32\DRIVERS\RT2860.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9723000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA418000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA428000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA564000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA56C000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA208000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xBA74D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA218000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA574000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB970C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA228000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA238000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA488000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB96D3000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA248000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA4B0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA360000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA258000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA268000 \SystemRoot\system32\DRIVERS\VClone.sys
0xB96BB000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xBA5B8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9698000 \SystemRoot\system32\DRIVERS\ks.sys
0xB963A000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA288000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA298000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA450000 \SystemRoot\System32\Drivers\ULCDRHlp.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xA907B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA9057000 \SystemRoot\system32\drivers\portcls.sys
0xBA2C8000 \SystemRoot\system32\drivers\drmk.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8F7C000 \SystemRoot\system32\DRIVERS\mozy.sys
0xBA5CA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7B3000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5CE000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA480000 \SystemRoot\System32\drivers\vga.sys
0xBA5D2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5D6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA9542000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA8F21000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8EC8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA8EA0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8E7A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA8E58000 \SystemRoot\System32\drivers\afd.sys
0xBA308000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8E2D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8DBD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA108000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA408000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xBA420000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA8D6C000 \SystemRoot\System32\Drivers\avgldx86.sys
0xA8D42000 \SystemRoot\System32\Drivers\RTS5121.sys
0xA8FB7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8D02000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5FA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8D2E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA458000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA714000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBA460000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA8CDE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA893D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA87D3000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8516000 \SystemRoot\system32\drivers\wdmaud.sys
0xA89E2000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7F24000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA3B0000 \??\C:\DOCUME~1\Kathryn\LOCALS~1\Temp\mbr.sys
0xA7125000 \??\C:\DOCUME~1\Kathryn\LOCALS~1\Temp\ugldqpob.sys
0xA7101000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA5F6000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
728 C:\WINDOWS\system32\smss.exe
784 csrss.exe
808 C:\WINDOWS\system32\winlogon.exe
852 C:\WINDOWS\system32\services.exe
864 C:\WINDOWS\system32\lsass.exe
1028 C:\WINDOWS\system32\svchost.exe
1072 svchost.exe
1152 C:\WINDOWS\system32\svchost.exe
1312 svchost.exe
1352 svchost.exe
1572 C:\WINDOWS\system32\spoolsv.exe
1684 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
1744 C:\Program Files\Java\jre6\bin\jqs.exe
1852 C:\Program Files\MozyHome\mozybackup.exe
2012 C:\WINDOWS\system32\svchost.exe
2024 C:\Program Files\AVG\AVG8\avgrsx.exe
156 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
1180 C:\WINDOWS\system32\wuauclt.exe
452 C:\WINDOWS\explorer.exe
1440 C:\WINDOWS\system32\igfxtray.exe
1448 C:\WINDOWS\system32\hkcmd.exe
1280 C:\WINDOWS\system32\igfxpers.exe
1396 C:\WINDOWS\system32\igfxsrvc.exe
1508 C:\WINDOWS\RTHDCPL.exe
1612 C:\PROGRA~1\AVG\AVG8\avgtray.exe
1024 C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
1760 C:\Program Files\Java\jre6\bin\jusched.exe
1132 C:\Program Files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
1792 C:\WINDOWS\system32\ctfmon.exe
1772 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
2056 C:\Program Files\MozyHome\mozystat.exe
2304 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
2444 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
2480 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
2564 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
2820 alg.exe
3752 C:\Program Files\Java\jre6\bin\jucheck.exe
3656 C:\WINDOWS\system32\wuauclt.exe
3744 C:\Documents and Settings\Kathryn\My Documents\Downloads\Defogger.exe
2948 C:\WINDOWS\system32\mshta.exe
3492 C:\Program Files\Internet Explorer\IEXPLORE.EXE
3976 C:\Program Files\Internet Explorer\IEXPLORE.EXE
3924 C:\Program Files\Mozilla Firefox\firefox.exe
944 C:\Program Files\Mozilla Firefox\firefox.exe
2700 C:\Program Files\Mozilla Firefox\plugin-container.exe
3420 C:\Documents and Settings\Kathryn\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`fa08fc00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000a`be62d400 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 536F160BF31D1EA9A0903B1B75563BB4E20A3D65


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

=========
Preformat
=========


BIOS Manufacturer: American Megatrends Inc.
Name: Default System BIOS
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 09 November 2010 - 02:23 PM

Good evening. :)

It looks like the end of the Preformat log got chopped off - will you check it all got posted.

So long, and thanks for all the fish.


#5 Moondriven
  • Topic Starter

  • Members
  • 7 posts

Posted 09 November 2010 - 03:21 PM

Hi,

Yes, it was all posted, only that much appears in the preformat output. It finishes very quickly and appears to terminate normally (I get the "That's all folks" popup).

I tried rebooting, and also logged in as another user on the same PC, but it's the same result every time.

#6 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 09 November 2010 - 04:10 PM

Obviously an issue somewhere, but not to worry.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.

  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.


#7 Moondriven
  • Topic Starter

  • Members
  • 7 posts

Posted 10 November 2010 - 04:31 AM

Hi,
I've done as you suggested - a rootkit was detected, the cure option was displayed, and hopefully it's been cured. Logfile output is below:

2010/11/10 19:51:35.0796 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/10 19:51:35.0796 ================================================================================
2010/11/10 19:51:35.0796 SystemInfo:
2010/11/10 19:51:35.0796
2010/11/10 19:51:35.0796 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/10 19:51:35.0796 Product type: Workstation
2010/11/10 19:51:35.0796 ComputerName: KATIE
2010/11/10 19:51:35.0796 UserName: Kathryn
2010/11/10 19:51:35.0796 Windows directory: C:\WINDOWS
2010/11/10 19:51:35.0796 System windows directory: C:\WINDOWS
2010/11/10 19:51:35.0796 Processor architecture: Intel x86
2010/11/10 19:51:35.0796 Number of processors: 2
2010/11/10 19:51:35.0796 Page size: 0x1000
2010/11/10 19:51:35.0796 Boot type: Normal boot
2010/11/10 19:51:35.0796 ================================================================================
2010/11/10 19:51:36.0375 Initialize success
2010/11/10 19:51:40.0109 ================================================================================
2010/11/10 19:51:40.0109 Scan started
2010/11/10 19:51:40.0109 Mode: Manual;
2010/11/10 19:51:40.0109 ================================================================================
2010/11/10 19:51:42.0140 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/10 19:51:42.0171 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/10 19:51:42.0281 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/10 19:51:42.0328 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/11/10 19:51:42.0390 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2010/11/10 19:51:42.0656 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/10 19:51:42.0703 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/10 19:51:42.0750 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/10 19:51:42.0828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/10 19:51:42.0890 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/11/10 19:51:42.0937 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/11/10 19:51:43.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/10 19:51:43.0062 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/10 19:51:43.0140 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/10 19:51:43.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/10 19:51:43.0234 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/10 19:51:43.0296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/10 19:51:43.0359 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/10 19:51:43.0421 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/10 19:51:43.0625 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/10 19:51:43.0703 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/10 19:51:43.0828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/10 19:51:43.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/10 19:51:43.0953 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/10 19:51:44.0015 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/10 19:51:44.0078 ElbyCDIO (28cb0b64134ad62c2acf77db8501a619) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2010/11/10 19:51:44.0156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/10 19:51:44.0250 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/10 19:51:44.0296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/10 19:51:44.0343 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/10 19:51:44.0390 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/11/10 19:51:44.0468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/10 19:51:56.0546 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/10 19:51:56.0562 ================================================================================
2010/11/10 19:51:56.0562 Scan finished
2010/11/10 19:51:56.0562 ================================================================================
2010/11/10 19:51:56.0578 Detected object count: 1
2010/11/10 20:21:56.0328 \HardDisk0 - will be cured after reboot
2010/11/10 20:21:56.0328 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/10 20:22:01.0000 Deinitialize success
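The TDSSKiller log posted above has a regular line shape: a timestamp, a driver's service name, its MD5 and its path, followed at the end by the detection, count and user-action lines. The following Python is an added example (not TDSSKiller's own code and not from this thread's posters) that parses that shape, cross-checks the "Detected object count" summary against the detection lines, confirms each detection has an action recorded, and flags any kernel driver loaded from outside the Windows directory; the sample log is constructed from a few lines in this thread plus one clearly labelled made-up entry.

```python
"""Parse a TDSSKiller text log and cross-check its detection summary.

Added example: not TDSSKiller's own code and not from this thread's posters.
Line formats come from the log posted above; SAMPLE_LOG is constructed from a
few of those lines plus one made-up driver entry for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# <timestamp> <service name> (<md5>) <driver path>
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<name>\S+) "
    r"\((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# <timestamp> \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
DETECT_RE = re.compile(r"^\S+ \S+ (?P<obj>\S+) - detected (?P<threat>\S+)")
# <timestamp> Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
ACTION_RE = re.compile(
    r"^\S+ \S+ (?P<threat>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"Detected object count: (?P<n>\d+)\s*$")

# Kernel drivers normally live under the Windows directory; anything else is flagged.
TRUSTED_PREFIXES = ("c:\\windows\\",)

@dataclass
class Driver:
    name: str
    md5: str
    path: str

@dataclass
class Detection:
    obj: str
    threat: str
    action: Optional[str] = None  # filled from the "User select action" line

@dataclass
class Report:
    drivers: List[Driver] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None
    problems: List[str] = field(default_factory=list)

def parse_tdsskiller_log(text: str) -> Report:
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DRIVER_RE.match(line):
            drv = Driver(m["name"], m["md5"].lower(), m["path"])
            rep.drivers.append(drv)
            if not drv.path.lower().startswith(TRUSTED_PREFIXES):
                rep.problems.append(f"driver {drv.name} loads from {drv.path}")
        elif m := DETECT_RE.match(line):
            rep.detections.append(Detection(m["obj"], m["threat"]))
        elif m := ACTION_RE.match(line):
            for det in rep.detections:
                if det.obj == m["obj"] and det.threat == m["threat"]:
                    det.action = m["action"]
        elif m := COUNT_RE.search(line):
            rep.reported_count = int(m["n"])
    # The summary count must agree with the detection lines, and every detection
    # should have a user action recorded before the tool deinitialises.
    if rep.reported_count is not None and rep.reported_count != len(rep.detections):
        rep.problems.append(
            f"summary says {rep.reported_count} object(s), log shows {len(rep.detections)}")
    for det in rep.detections:
        if det.action is None:
            rep.problems.append(f"{det.threat} on {det.obj} has no action recorded")
    return rep

# Constructed sample: three driver lines and the detection tail from the thread, plus
# one made-up entry (all-zero MD5, user-profile path) to exercise the path check.
SAMPLE_LOG = r"""
2010/11/10 19:51:44.0515 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/10 19:51:44.0578 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/10 19:51:44.0640 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/10 19:51:44.0700 ConstructedDrv (00000000000000000000000000000000) C:\Documents and Settings\User\Application Data\constructed_example.sys
2010/11/10 19:51:56.0546 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/10 19:51:56.0578 Detected object count: 1
2010/11/10 20:21:56.0328 \HardDisk0 - will be cured after reboot
2010/11/10 20:21:56.0328 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/10 20:22:01.0000 Deinitialize success
"""

if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(report.drivers)} drivers, {len(report.detections)} detection(s)")
    for det in report.detections:
        print(f"  {det.threat} on {det.obj}: action={det.action}")
    for problem in report.problems:
        print("  problem:", problem)
```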

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:46 AM

Posted 10 November 2010 - 02:34 PM

Good evening. :)

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.
#9 Moondriven

Moondriven
  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:46 PM

Posted 11 November 2010 - 03:13 PM

Hello again!

MBAM discovered two issues, both were cleaned, one needed a reboot.

When I then ran DDS I got a BSOD and a reboot. On reboot I ran Defogger then tried again - this time it was successful.

Other than that, PC performance seems fine - no web page hijacks, and none of the performance issues from my original post - so things are looking better at this stage! MBAM and DDS outputs are below and attached:

=========
MBAM log
=========
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5095

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/11/2010 6:49:37 AM
mbam-log-2010-11-12 (06-49-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 209129
Time elapsed: 41 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{77a5891a-3e3f-bdb5-3ce9-6e814a7a397c} (Trojan.ZbotR.Gen) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kathryn\Application Data\Urylut\pamao.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.


========
DDS.txt
========

DDS (Ver_10-11-08.01) - NTFSx86
Run by Kathryn at 7:01:25.23 on Fri 12/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1360 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kathryn\Desktop\Defogger.exe
C:\Documents and Settings\Kathryn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msi.com.tw/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WatcherHelper] "c:\program files\telstra\telstra turbo connection manager\WaHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225811232578
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kathryn\applic~1\mozilla\firefox\profiles\ahgfoz17.default\
FF - component: c:\documents and settings\kathryn\application data\mozilla\firefox\profiles\ahgfoz17.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-31 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-31 297752]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2005-3-8 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-29 625792]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-2-25 182784]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-2-25 145536]
S4 gupdate1c985ec3de71e72;Google Update Service (gupdate1c985ec3de71e72);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]

=============== Created Last 30 ================

2010-11-07 01:12:00 -------- d-----w- c:\docume~1\kathryn\applic~1\Malwarebytes
2010-11-07 01:11:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-07 01:11:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-07 01:11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-07 01:11:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-07 00:48:30 -------- d-----w- C:\Adobe
2010-10-28 10:30:32 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-10-25 11:27:24 -------- d-----w- c:\docume~1\kathryn\applic~1\Bitrix Security
2010-10-23 23:28:59 -------- d-----w- c:\program files\Utilities

==================== Find3M ====================


============= FINISH: 7:02:21.06 ===============


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:46 AM

Posted 11 November 2010 - 03:16 PM

Good evening. :)

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

Let me know how you get on.

So long, and thanks for all the fish.
#11 Moondriven

Moondriven
  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:46 PM

Posted 12 November 2010 - 08:13 AM

Hi there,

I've done as you suggested - but something a little strange did happen, I had another "hijack" to a site I didn't enter!

I stopped the page loading as soon as I realised, and ran TDSSKiller to see if there was an issue, and it found the same problem as before. I selected "Cure" and rebooted, and it now seems fine again (i.e. nothing has been detected by TDSS).

I have no idea why this "reverted" - the only program I've run is Firefox, so this is a little surprising. My wife has been using the computer during the day, and says she's only used it to remote desktop to another PC in the house.

As I said, it all seems fine - but I'll run MBAM and see if it detects anything, and I'll let you know what I find. In the meantime if there's anything else I should do please let me know.

Many thanks for your help so far.

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:46 AM

Posted 12 November 2010 - 03:12 PM

Good evening. :)

It's possible we may need to use something a little stronger with this nasty, so let me know if the problem persists after a reboot or two.

So long, and thanks for all the fish.
#13 Moondriven

Moondriven
  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:46 PM

Posted 12 November 2010 - 08:04 PM

Hi,
I haven't seen any of the strange behaviour again as yet. One thing that might be worth mentioning though, is that MBAM didn't find anything new, however my AVG picked up some suspicious looking startup entries and .exe files when MBAM tried to access them - so I've cleaned those using AVG, and did a full scan to make sure they were gone.

I've since run TDSSKiller as well - nothing found, though MBRCheck does say: "Found non-standard or infected MBR".

Anyway, for the moment it's looking OK - but if anything does happen I'll post here.
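The "Found non-standard or infected MBR" message mentioned above comes from a tool comparing the first sector of the disk against what a standard one looks like, which is relevant here because TDL4 is detected on \HardDisk0 rather than in a file. The following Python is an added example (not MBRCheck's code and not from this thread) of such a check: it verifies the 0x55AA boot signature, parses the four partition entries for sanity, and compares a SHA-256 of the bootstrap code against a baseline of known-good hashes. The baseline, the placeholder boot code and the partition layout are all constructed assumptions; a real baseline would be recorded from a verified-clean install.

```python
"""Sanity-check a 512-byte MBR sector the way a tool like MBRCheck reports it.

Added example, not MBRCheck's own code and not from this thread. It checks the
0x55AA boot signature, parses the four partition entries, and compares a SHA-256
of the bootstrap code against a baseline of known-good hashes. The baseline is
an assumption: in practice it would be recorded from a verified-clean install.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439; the disk signature starts at 440
PART_TABLE_OFFSET = 446       # four 16-byte entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skip), type, CHS end (skip), LBA, size
SIGNATURE_OFFSET = 510

@dataclass
class Partition:
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

@dataclass
class MbrReport:
    signature_ok: bool
    bootcode_sha256: str
    bootcode_known: Optional[bool]   # None when no baseline was supplied
    partitions: List[Partition]
    findings: List[str]

def parse_partitions(sector: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * struct.calcsize(PART_ENTRY_FMT)
        status, type_id, lba, size = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if type_id != 0:          # type 0 means an unused slot
            parts.append(Partition(status, type_id, lba, size))
    return parts

def check_mbr(sector: bytes, known_good: Optional[Iterable[str]] = None) -> MbrReport:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings: List[str] = []
    signature_ok = sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA"
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()
    known = None
    if known_good is not None:
        known = digest in set(known_good)
        if not known:
            findings.append("bootstrap code does not match any known-good hash")
    parts = parse_partitions(sector)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition type 0x{p.type_id:02x} has invalid status 0x{p.status:02x}")
        if p.sectors == 0:
            findings.append(f"partition at LBA {p.lba_start} has zero length")
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap")
            break
    return MbrReport(signature_ok, digest, known, parts, findings)

def build_sector(bootcode: bytes, partitions: List[Partition],
                 signature: bytes = b"\x55\xAA") -> bytes:
    """Assemble a constructed MBR image for testing; not real boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    for i, p in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16,
                         p.status, p.type_id, p.lba_start, p.sectors)
    sector[SIGNATURE_OFFSET:] = signature
    return bytes(sector)

# Constructed fixtures: a placeholder "clean" bootstrap, a baseline made from it, and a
# copy whose first bytes differ, which is what a replaced MBR looks like to this check.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32   # NOT real boot code
BASELINE = {hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()}
TAMPERED_BOOTCODE = b"\xeb\x58" + CLEAN_BOOTCODE[2:]
LAYOUT = [Partition(0x80, 0x07, 63, 20_000_000)]   # one active NTFS-type partition
```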

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:46 AM

Posted 14 November 2010 - 03:01 PM

Good evening. :)

Give it a day or two and then post one last DDS log and let me know how the PC is behaving. All being well, a little tidy-up and that should be that.

So long, and thanks for all the fish.
#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:46 AM

Posted 19 November 2010 - 07:05 PM

As there has been no reply for over five days this thread is now closed.

So long, and thanks for all the fish.