Rootkit TDSSKiller won't Cure


  • This topic is locked
34 replies to this topic

#1 elengineerio

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 09 December 2010 - 06:23 PM

I am having problems with a rootkit and used TDSSKiller previously to cure it, but now it seems like another variation has appeared: TDSSKiller sees it but doesn't cure it.
Following the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help", I am posting the DDS.txt and GMER files and attaching the ATTACH.txt file.
Any help would be appreciated.

DDS (Ver_10-11-10.01) - NTFSx86
Run by HP_Owner at 17:01:22.95 on Thu 12/09/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.614 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\AOL\1188700288\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\HP_Owner\Desktop\Defogger.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uWindow Title =
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mWindow Title =
BHO: AutorunsDisabled - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [LWBMOUSE] "c:\program files\tech\wheel mouse\5.0\MOUSE32A.EXE"
mRun: [HostManager] c:\program files\common files\aol\1188700288\ee\AOLSoftware.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrad.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.sharegear.com/install/setup.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124070782015
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289328473375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15034/CTPID.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\hp_owner\application data\sun\fuvvn.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\fwhvw3uy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-9 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-9 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-9 40384]
R2 GhostLpt;GhostLpt;c:\windows\system32\drivers\GhostLpt.sys [2004-11-24 9344]
R2 sympxchm;sympxchm;c:\windows\system32\drivers\sympxchm.sys [2004-12-4 19741]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-9 40384]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [2008-11-15 183680]
S3 sympusb;sympusb;c:\windows\system32\drivers\sympusb.sys [2004-12-4 121700]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-13 24652]

=============== Created Last 30 ================

2010-12-09 18:31:08 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-07 16:44:25 -------- d-----w- c:\windows\524228C9826F4B589E474F2E5C7E9F45.TMP
2010-11-11 19:29:57 -------- d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862C7735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862cd990]; MOV EAX, [0x862cda0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86348AB8]
3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000067[0x863859E8]
5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x8634FD98]
\Driver\atapi[0x86307610] -> IRP_MJ_CREATE -> 0x862C7735
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459383536514535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x862C757B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 17:03:11.17 ===============

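As an added example (not code from the original post, and not the logic of DDS, GMER or ComboFix), here is a small Python scanner that reads DDS/GMER-style log lines like the ones above and flags the indicators a log reviewer keys on: an UNKNOWN module in the disk trace, a DriverStartIo hook on a storage driver, an Active Setup (mASetup) entry loading a DLL out of a user's Application Data folder, a Hosts-file entry pointing a non-localhost name at 127.0.0.1, and the scanner's own rootkit warning. The rule names, the `Finding` type, `scan_dds_log`, `summarize` and the `SAMPLE_LOG` excerpt are my own constructions; the heuristics are assumptions for illustration, not the tools' actual detection logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the DDS/GMER log format: the mASetup, Hosts, disk-trace,
# hook and warning lines are copied from the log in the post above; everything
# else is left out so the sample stays short.
SAMPLE_LOG = r"""
mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\hp_owner\application data\sun\fuvvn.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862C7735]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x862C757B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""


@dataclass
class Finding:
    rule: str   # name of the heuristic that fired (names chosen here, hypothetical)
    line: str   # the log line that triggered it


def _hosts_not_loopback_name(m: "re.Match[str]") -> bool:
    # A Hosts entry mapping 127.0.0.1 to anything other than localhost deserves
    # a look: it silently black-holes the named site (here a security vendor).
    return m.group(2).lower() not in ("localhost", "localhost.localdomain")


# (rule name, compiled pattern, optional extra predicate on the match)
RULES: List[tuple] = [
    ("unknown_module_in_disk_trace",
     re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<"), None),
    ("driver_startio_hook",
     re.compile(r"^\\Driver\\\w+ DriverStartIo -> 0x[0-9A-Fa-f]+"), None),
    ("active_setup_dll_in_user_profile",
     re.compile(r'^mASetup: .* rundll32\.exe "[^"]*\\application data\\[^"]*\.dll"', re.I), None),
    ("hosts_file_redirect",
     re.compile(r"^Hosts: (\d+\.\d+\.\d+\.\d+) (\S+)"), _hosts_not_loopback_name),
    ("scanner_rootkit_warning",
     re.compile(r"^Warning: possible .*rootkit", re.I), None),
]


def scan_dds_log(text: str) -> List[Finding]:
    """Run every rule over every non-empty line and collect the hits."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern, extra in RULES:
            m = pattern.search(line)
            if m and (extra is None or extra(m)):
                findings.append(Finding(name, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per rule so a reviewer sees at a glance which indicators fired."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_dds_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

The rules are triage leads, not verdicts: a hook on `\Driver\atapi` together with an UNKNOWN module in the disk trace is exactly the pattern GMER itself reports as a possible TDL3 infection, while the mASetup and Hosts rules only say "someone should look at this" and need to be confirmed against the rest of the log.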


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:03 PM

Posted 09 December 2010 - 07:19 PM

Hello elengineerio ,


Let's see if we can get it this way :

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to .exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 elengineerio

  • Topic Starter
  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 10 December 2010 - 01:23 PM

ComboFix seemed to run without a hitch. Had one popup at the end from Windows, something about running a program as a DLL. I never send reports to Microsoft.
Anyway, here is the log file from ComboFix. It did report finding a TDL3 rootkit while it was running. I disabled avast before running it. It deleted all the extra antivirus programs it found during the scan. My question now is: is the rootkit dead and gone, or just quarantined? Will it come back? Any suggestions about how to prevent future infections of this type? Thanks.

ComboFix 10-12-08.04 - HP_Owner 12/10/2010 11:50:17.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.662 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Antivirus
c:\program files\Antivirus\applesauce.com
c:\program files\Antivirus\dds.scr
c:\program files\Antivirus\Defogger.exe
c:\program files\Antivirus\eulatdss.txt
c:\program files\Antivirus\eulazbot.txt
c:\program files\Antivirus\gmer.exe
c:\program files\Antivirus\ZBotKiller.exe
c:\windows\Downloaded Program Files\setup.dll
c:\windows\system32\winsusrm.dll
c:\windows\system32\zip32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-09 18:31 . 2010-12-09 18:59 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-09 17:25 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-09 17:24 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-07 16:44 . 2010-12-07 16:45 -------- d-----w- c:\windows\524228C9826F4B589E474F2E5C7E9F45.TMP
2010-11-11 19:29 . 2010-11-11 19:30 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-02 04:12 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-02 04:12 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-03-27 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]
"HostManager"="c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware.exe" [2008-06-24 41824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2005-01-06 20:04 1466368 ----a-w- c:\program files\Spyware Doctor\swdoctor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/9/2010 9:08 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/9/2010 9:08 AM 17744]
R2 GhostLpt;GhostLpt;c:\windows\system32\drivers\GhostLpt.sys [11/24/2004 10:06 AM 9344]
R2 sympxchm;sympxchm;c:\windows\system32\drivers\sympxchm.sys [12/4/2004 8:45 PM 19741]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/15/2008 10:46 AM 183680]
S3 sympusb;sympusb;c:\windows\system32\drivers\sympusb.sys [12/4/2004 8:43 PM 121700]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/13/2007 5:16 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{927E1ED5-CA30-418E-AD03-13B7DA4B46BD}]
2010-12-09 20:00 57344 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-21 14:42]

2010-12-10 c:\windows\Tasks\User_Feed_Synchronization-{6B0CBF13-DE1E-4251-B508-DAB4B769A2DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mWindow Title =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrad.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fwhvw3uy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
AddRemove-Xerox XK Series Print - c:\windows\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 12:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862F1735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862f7990]; MOV EAX, [0x862f7a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86336AB8]
3 CLASSPNP[0xF7578FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000069[0x863809E8]
5 ACPI[0xF74EF620] -> nt!IofCallDriver[0x804E37D5] -> [0x863CD940]
\Driver\atapi[0x863CC1A8] -> IRP_MJ_CREATE -> 0x862F1735
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459383536514535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x862F157B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Tech\Wheel Mouse\5.0\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\snmp.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\VTTimer.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2010-12-10 12:10:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-10 18:10

Pre-Run: 57,509,724,160 bytes free
Post-Run: 57,713,057,792 bytes free

- - End Of File - - D041BC61AF05DE778094C8BABC938AEC

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:03 PM

Posted 10 December 2010 - 01:44 PM

Hello,

Hold on.....not done here, so I really can't answer your question just yet.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 elengineerio

elengineerio
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 11 December 2010 - 11:49 AM

Okay this part went but not without a hitch. The first time I ran the MBAM I managed to get the computer locked up and the Generic Host Process for Win32 Services message. I had to manually shut the computer down and rebooted it and ran MBAM a second time with no problems. The log it produced is shown below. Are we there yet??
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5295

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/11/2010 10:29:46 AM
mbam-log-2010-12-11 (10-29-46).txt

Scan type: Quick scan
Objects scanned: 143218
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:03 PM

Posted 11 December 2010 - 01:38 PM

Hi there,

How is it running today?

Keep an eye on it and let me know.....the logs say "maybe" tdl3, but I'm not seeing anything being removed or reported indicating that you do have it now. I see you dealt with Whitesmoke...that's a sure indicator, even though the program itself is actually legit, that you did have a tdl infection.

Let's do some things we need to do anyway and see how it's going after that :

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Those old versions also take up a ton of space! Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Thanks,
tea

#7 elengineerio

elengineerio
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 11 December 2010 - 03:36 PM

Well Tea, I really haven't used it too much to tell how it's running but I think it may still be screwed up. I couldn't uninstall Combofix using your instructions or any other way for that matter. The computer couldn't find Combofix from the run menu. When I browsed to the desktop it wouldn't recognize the program. I finally went to the command prompt and tried to uninstall via the command line.....but I ended up running Combofix all over again. It found a TDL3 rootkit again. I'll post the log at the end of this post.
I'm as bumfuzzled as ever. In the meantime I'll update the Java Runtime Environment.

ComboFix 10-12-08.04 - HP_Owner 12/11/2010 14:18:18.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.664 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: /unistall
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-09 18:31 . 2010-12-09 18:59 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-09 17:25 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-09 17:24 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-07 16:44 . 2010-12-07 16:45 -------- d-----w- c:\windows\524228C9826F4B589E474F2E5C7E9F45.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 17:22 . 2009-09-28 00:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 17:22 . 2009-09-28 00:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 17:23 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-02 04:12 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-02 04:12 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-10_18.04.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-11 20:16 . 2010-12-11 20:16 16384 c:\windows\Temp\Perflib_Perfdata_13c.dat
- 2010-12-10 17:48 . 2010-12-10 17:48 16384 c:\windows\Temp\Perflib_Perfdata_13c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-03-27 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]
"HostManager"="c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware.exe" [2008-06-24 41824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2005-01-06 20:04 1466368 ----a-w- c:\program files\Spyware Doctor\swdoctor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/9/2010 9:08 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/9/2010 9:08 AM 17744]
R2 GhostLpt;GhostLpt;c:\windows\system32\drivers\GhostLpt.sys [11/24/2004 10:06 AM 9344]
R2 sympxchm;sympxchm;c:\windows\system32\drivers\sympxchm.sys [12/4/2004 8:45 PM 19741]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/15/2008 10:46 AM 183680]
S3 sympusb;sympusb;c:\windows\system32\drivers\sympusb.sys [12/4/2004 8:43 PM 121700]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/13/2007 5:16 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{927E1ED5-CA30-418E-AD03-13B7DA4B46BD}]
2010-12-09 20:00 57344 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-21 14:42]

2010-12-11 c:\windows\Tasks\User_Feed_Synchronization-{6B0CBF13-DE1E-4251-B508-DAB4B769A2DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mWindow Title =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrad.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fwhvw3uy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862E0735]<<
c:\docume~1\HP_Owner\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862e6990]; MOV EAX, [0x862e6a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86354AB8]
3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000068[0x863239E8]
5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x86322D98]
\Driver\atapi[0x86388240] -> IRP_MJ_CREATE -> 0x862E0735
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459383536514535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x862E057B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-11 14:32:44
ComboFix-quarantined-files.txt 2010-12-11 20:32
ComboFix2.txt 2010-12-10 18:10

Pre-Run: 57,662,349,312 bytes free
Post-Run: 57,667,600,384 bytes free

- - End Of File - - DC209E4AE05B2860A097CF5F7465053F
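The GMER section of the ComboFix log above is the part that actually carries the diagnosis: the disk I/O path passes through code that belongs to no loaded module (the ">>UNKNOWN [...]<<" marker), the atapi driver's IRP_MJ_CREATE dispatch points at that same address, and DriverStartIo of \Driver\atapi is hooked. The following is an added example, not code from the thread or from Gmer: a small Python parser that pulls those indicators out of an excerpt of the log posted above and turns them into a findings list a responder could act on. The CLEAN_LOG sample is constructed to show the parser stays quiet on output without hooks; it is not real GMER output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the GMER "Stealth MBR rootkit" section from the ComboFix log
# posted above (header, device and _asm lines omitted for brevity).
GMER_LOG = r"""
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862E0735]<<
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86354AB8]
\Driver\atapi[0x86388240] -> IRP_MJ_CREATE -> 0x862E0735
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x862E057B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed sample (not from the thread) with no hook indicators.
CLEAN_LOG = r"""
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")
IRP_RE = re.compile(r"^(\\Driver\\\w+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")
WARNING_RE = re.compile(r"^Warning:\s*(.+?)\s*!?$")


@dataclass
class MbrScanResult:
    unknown_module: Optional[str] = None            # address outside any loaded module
    hooks: List[Tuple[str, ...]] = field(default_factory=list)          # (driver, routine, addr)
    irp_redirects: List[Tuple[str, ...]] = field(default_factory=list)  # (driver, IRP, addr)
    mbr_ok: bool = False
    warning: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return bool(self.unknown_module or self.hooks or self.irp_redirects or self.warning)


def parse_gmer_mbr_log(text: str) -> MbrScanResult:
    result = MbrScanResult()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                result.hooks.append(m.groups())
                continue
            in_hooks = False          # first non-hook line closes the section
        if line == "detected hooks:":
            in_hooks = True
        elif line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            if m:
                result.unknown_module = m.group(1)
        elif line == "user & kernel MBR OK":
            result.mbr_ok = True
        else:
            m = IRP_RE.match(line)
            if m:
                result.irp_redirects.append(m.groups())
                continue
            m = WARNING_RE.match(line)
            if m:
                result.warning = m.group(1)
    return result


def findings(result: MbrScanResult) -> List[str]:
    """Human-readable indicators; an empty list means nothing suspicious was parsed."""
    out = []
    if result.unknown_module:
        out.append(f"disk I/O path enters code outside any loaded module at {result.unknown_module}")
    for drv, irp, addr in result.irp_redirects:
        tag = " (same address as the unknown module)" if addr == result.unknown_module else ""
        out.append(f"{drv} {irp} dispatch redirected to {addr}{tag}")
    for drv, routine, addr in result.hooks:
        out.append(f"{drv} {routine} hooked -> {addr}")
    if result.warning:
        out.append(result.warning)
    return out


if __name__ == "__main__":
    for name, log in (("posted log", GMER_LOG), ("constructed clean log", CLEAN_LOG)):
        r = parse_gmer_mbr_log(log)
        print(name, "suspicious" if r.suspicious else "no indicators", findings(r))
```

Note that "user & kernel MBR OK" is set on both samples: for this family the MBR itself is not the indicator, the hooks in the atapi driver are, which is why a parser that only keyed on the MBR status would miss it.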

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:03 PM

Posted 11 December 2010 - 05:50 PM

Okay.....well, first, you didn't spell it right :

/unistall

I'm going to make an assumption based on experience and just try something.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

FCOPY::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea
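The FCOPY:: line above replaces the live atapi.sys with the Service Pack copy because this rootkit family patches that driver in place rather than adding a new file. The check a responder wants afterwards is whether the live driver now matches the known-good copies. The following is an added example, not code from the thread or from ComboFix: it hashes the live driver against the two reference locations named on this page (the ServicePackFiles source and the dllcache copy that shows up in the snapshot diff) and reports any mismatch. The demo() function runs the same check on constructed stand-in files so it can execute anywhere; the real paths are only constants. One caveat: a rootkit that sits in the disk I/O path, as the DriverStartIo hook in the GMER output shows, can hand the original bytes to anything reading the driver from inside the infected system, so this comparison is only conclusive when run from a clean boot environment.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Locations named in this thread: the live driver, the Service Pack source that
# the FCOPY:: script copies from, and the dllcache copy listed in the snapshot diff.
LIVE_DRIVER = r"c:\windows\system32\drivers\atapi.sys"
REFERENCE_COPIES = {
    "ServicePackFiles": r"c:\windows\ServicePackFiles\i386\atapi.sys",
    "dllcache": r"c:\windows\system32\dllcache\atapi.sys",
}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_copies(live: str, references: Dict[str, str]) -> Dict[str, object]:
    """Compare the live driver against each reference copy; 'clean' is True only if all match."""
    live_hash = sha256_of(live)
    mismatches: List[str] = []
    for name, path in references.items():
        if not os.path.exists(path):
            mismatches.append(f"{name}: reference copy missing")
        elif sha256_of(path) != live_hash:
            mismatches.append(f"{name}: hash differs")
    return {
        "live_sha256": live_hash,
        "live_size": os.path.getsize(live),
        "mismatches": mismatches,
        "clean": not mismatches,
    }


def demo(tampered: bool) -> Dict[str, object]:
    """Run the check on constructed stand-in files (not real drivers)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed content, sized like the dllcache atapi.sys in the log (96512 bytes).
        clean = b"MZ" + b"\x00" * 96510
        paths = {}
        for name in ("live", "ServicePackFiles", "dllcache"):
            data = clean
            if tampered and name == "live":
                # Constructed in-place patch: same size, different bytes, like an infected driver.
                data = clean[:0x1000] + b"INFECTED" + clean[0x1008:]
            p = os.path.join(d, f"{name}.sys")
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p
        return compare_driver_copies(paths.pop("live"), paths)


if __name__ == "__main__":
    print("untouched:", demo(False))
    print("patched:  ", demo(True))
    # On the real machine (from clean boot media): compare_driver_copies(LIVE_DRIVER, REFERENCE_COPIES)
```

The tampered case keeps the file size unchanged on purpose: size and timestamp alone do not distinguish a patched driver from a clean one, which is why the comparison is by hash.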

#9 elengineerio

elengineerio
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 12 December 2010 - 03:44 PM

Busted!
Why is it always the user's fault and never the bleeping computer. Well at least I was consistent. BTW the rootkit seems to be firmly in place. Google is my homepage and clicking on a search brings up a surprise every time now. I tried using Mozilla and I got audio popups with every search click. I also might mention because it might be a problem that I installed a program called SafeHouse Explorer. It was supposed to keep data in an encrypted spot on your drive where it would be safe from anyone without a password. It wasn't what I wanted and I uninstalled it but I think it left some kind of remnant on the drive. I've been using my laptop (which is not infected) for our communications. I've been transferring the programs etc to the desktop (which is infected) with USB drive. I was thinking that your latest instruction would require something different but on second appraisal it should be easy to do. I'll post the results in my next reply. Thanks for your help.

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:03 PM

Posted 12 December 2010 - 04:16 PM

You're most welcome.....post when you're ready. :thumbup2:

#11 elengineerio

elengineerio
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 12 December 2010 - 05:21 PM

Here is the scan. I read up on the atapi.sys rootkit while the scan was running. Looks like a good bet but while Combofix keeps finding a TDL3 rootkit it never seems to kill it.

ComboFix 10-12-08.04 - HP_Owner 12/12/2010 15:58:54.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.656 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\5xw2iyD2.exe
c:\hp\KBD\KBD.EXE
c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
c:\windows\Fonts\Gjqax7rGY.com
c:\windows\SMINST\RECGUARD.EXE
c:\windows\system\hpsysdrv .DAT
c:\windows\system\hpsysdrv .exe
c:\windows\system\hpsysdrv.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-11 20:47 . 2010-12-11 20:47 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 20:46 . 2010-12-11 20:45 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 20:46 . 2010-12-11 20:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-11 20:46 . 2010-12-11 20:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-09 18:31 . 2010-12-09 18:59 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-09 17:25 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-09 17:24 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-07 16:44 . 2010-12-07 16:45 -------- d-----w- c:\windows\524228C9826F4B589E474F2E5C7E9F45.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-11 21:05 . 2004-08-07 20:01 42500 ----a-w- c:\windows\system32\VTTimer.exe
2010-11-30 17:22 . 2009-09-28 00:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 17:22 . 2009-09-28 00:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 17:23 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-02 04:12 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-02 04:12 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42.dll
.
<pre>
c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A .exe
c:\windows\SMINST\RECGUARD .exe
c:\windows\system32\VTTimer .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2010-12-10_18.04.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-12 21:56 . 2010-12-12 21:56 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
+ 2010-12-12 21:56 . 2010-12-12 21:56 16384 c:\windows\Temp\Perflib_Perfdata_178.dat
+ 2004-08-04 05:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2010-12-11 20:46 . 2010-12-11 20:45 153376 c:\windows\system32\javaws.exe
+ 2010-12-11 20:46 . 2010-12-11 20:45 145184 c:\windows\system32\javaw.exe
+ 2010-12-11 20:46 . 2010-12-11 20:45 145184 c:\windows\system32\java.exe
+ 2010-12-11 20:47 . 2010-12-11 20:47 180224 c:\windows\Installer\38aa6.msi
+ 2010-12-11 20:45 . 2010-12-11 20:45 677376 c:\windows\Installer\38aa0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [N/A]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [N/A]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [N/A]
"VTTimer"="VTTimer.exe" [2010-12-11 42500]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [N/A]
"HostManager"="c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2005-01-06 20:04 1466368 ----a-w- c:\program files\Spyware Doctor\swdoctor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/9/2010 9:08 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/9/2010 9:08 AM 17744]
R2 GhostLpt;GhostLpt;c:\windows\system32\drivers\GhostLpt.sys [11/24/2004 10:06 AM 9344]
R2 sympxchm;sympxchm;c:\windows\system32\drivers\sympxchm.sys [12/4/2004 8:45 PM 19741]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/15/2008 10:46 AM 183680]
S3 sympusb;sympusb;c:\windows\system32\drivers\sympusb.sys [12/4/2004 8:43 PM 121700]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/13/2007 5:16 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{927E1ED5-CA30-418E-AD03-13B7DA4B46BD}]
2010-12-09 20:00 57344 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-21 14:42]

2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{6B0CBF13-DE1E-4251-B508-DAB4B769A2DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mWindow Title =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrad.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fwhvw3uy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
.
- - - - ORPHANS REMOVED - - - -

AddRemove-KBD - c:\hp\KBD\KBD.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862E0735]<<
c:\docume~1\HP_Owner\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862e6990]; MOV EAX, [0x862e6a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86354AB8]
3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000068[0x8634B9E8]
5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x86322D98]
\Driver\atapi[0x863842B8] -> IRP_MJ_CREATE -> 0x862E0735
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459383536514535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x862E057B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-12 16:14:06
ComboFix-quarantined-files.txt 2010-12-12 22:14
ComboFix2.txt 2010-12-11 20:32
ComboFix3.txt 2010-12-10 18:10

Pre-Run: 57,526,530,048 bytes free
Post-Run: 57,517,502,464 bytes free

- - End Of File - - E2571A9E28D8B7FE1E7489485DAFABE7

#12 teacup61 (Malware Response Team)

Posted 12 December 2010 - 05:31 PM

Hello,

Please visit the online Jotti Virus Scanner (link in the original post).
  • Copy and paste the following filepath in the box:

    c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll
  • Click on the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

* Open Notepad (don't use any text editor other than Notepad, or the script will fail) and copy/paste the text in the quote box below into it:

RENV::
c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A .exe
c:\windows\SMINST\RECGUARD .exe
c:\windows\system32\VTTimer .exe


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe (a screenshot of this step was attached to the original post).

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#13 elengineerio (Topic Starter)

Posted 12 December 2010 - 10:07 PM

The Jotti scan was negative; see results below. The ComboFix scan log is posted after the Jotti results. We don't seem to be making much headway, but like Thomas Edison we now know several things that it isn't. Keep the faith.

Filename: fuvvn.dll
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 9 Dec 2010 20:22:27 (CET)

ComboFix 10-12-08.04 - HP_Owner 12/12/2010 20:49:21.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.660 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-11 20:47 . 2010-12-11 20:47 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 20:46 . 2010-12-11 20:45 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 20:46 . 2010-12-11 20:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-11 20:46 . 2010-12-11 20:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-09 18:31 . 2010-12-09 18:59 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-09 17:25 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-09 17:24 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-07 16:44 . 2010-12-07 16:45 -------- d-----w- c:\windows\524228C9826F4B589E474F2E5C7E9F45.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 17:22 . 2009-09-28 00:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 17:22 . 2009-09-28 00:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 17:23 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-02 04:12 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-02 04:12 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42.dll
.
<pre>
c:\program files\QuickTime\qttask        .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2010-12-10_18.04.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-13 02:47 . 2010-12-13 02:47 16384 c:\windows\Temp\Perflib_Perfdata_188.dat
+ 2010-12-13 02:47 . 2010-12-13 02:47 16384 c:\windows\Temp\Perflib_Perfdata_100.dat
+ 2004-08-04 05:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2010-12-11 20:46 . 2010-12-11 20:45 153376 c:\windows\system32\javaws.exe
+ 2010-12-11 20:46 . 2010-12-11 20:45 145184 c:\windows\system32\javaw.exe
+ 2010-12-11 20:46 . 2010-12-11 20:45 145184 c:\windows\system32\java.exe
+ 2010-12-11 20:47 . 2010-12-11 20:47 180224 c:\windows\Installer\38aa6.msi
+ 2010-12-11 20:45 . 2010-12-11 20:45 677376 c:\windows\Installer\38aa0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [N/A]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [N/A]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-03-27 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]
"HostManager"="c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware.exe" [2008-06-24 41824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2005-01-06 20:04 1466368 ----a-w- c:\program files\Spyware Doctor\swdoctor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/9/2010 9:08 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/9/2010 9:08 AM 17744]
R2 GhostLpt;GhostLpt;c:\windows\system32\drivers\GhostLpt.sys [11/24/2004 10:06 AM 9344]
R2 sympxchm;sympxchm;c:\windows\system32\drivers\sympxchm.sys [12/4/2004 8:45 PM 19741]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/15/2008 10:46 AM 183680]
S3 sympusb;sympusb;c:\windows\system32\drivers\sympusb.sys [12/4/2004 8:43 PM 121700]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/13/2007 5:16 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{927E1ED5-CA30-418E-AD03-13B7DA4B46BD}]
2010-12-09 20:00 57344 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-21 14:42]

2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{6B0CBF13-DE1E-4251-B508-DAB4B769A2DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mWindow Title =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrad.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fwhvw3uy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862E0735]<<
c:\docume~1\HP_Owner\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862e6990]; MOV EAX, [0x862e6a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86354AB8]
3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000068[0x8634B9E8]
5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x86322D98]
\Driver\atapi[0x863842B8] -> IRP_MJ_CREATE -> 0x862E0735
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459383536514535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x862E057B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-12 21:03:05
ComboFix-quarantined-files.txt 2010-12-13 03:03
ComboFix2.txt 2010-12-12 22:14
ComboFix3.txt 2010-12-11 20:32
ComboFix4.txt 2010-12-10 18:10

Pre-Run: 57,510,207,488 bytes free
Post-Run: 57,500,966,912 bytes free

- - End Of File - - CD26A7ED42090AF643B358E54F1D36C1

#14 teacup61 (Malware Response Team)

Posted 13 December 2010 - 05:24 PM

Hello,


* Open Notepad (don't use any text editor other than Notepad, or the script will fail) and copy/paste the text in the quote box below into it:

FILE::
c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe (a screenshot of this step was attached to the original post).

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea

#15 elengineerio (Topic Starter)

Posted 13 December 2010 - 07:42 PM

We got an error window at the end of ComboFix: "the program you wanted to load couldn't be located." Here is the ComboFix scan.

ComboFix 10-12-08.04 - HP_Owner 12/13/2010 18:09:58.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.660 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-11 20:47 . 2010-12-11 20:47 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 20:46 . 2010-12-11 20:45 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 20:46 . 2010-12-11 20:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-11 20:46 . 2010-12-11 20:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-09 18:31 . 2010-12-09 18:59 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-09 17:25 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-12-09 17:24 . 2010-12-09 17:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-07 16:44 . 2010-12-07 16:45 -------- d-----w- c:\windows\524228C9826F4B589E474F2E5C7E9F45.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-30 17:22 . 2009-09-28 00:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 17:22 . 2009-09-28 00:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 17:23 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-02 04:12 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-02 04:12 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-07 18:46 974848 ----a-w- c:\windows\system32\mfc42.dll
.
<pre>
c:\program files\QuickTime\qttask        .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2010-12-10_18.04.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-14 00:07 . 2010-12-14 00:07 16384 c:\windows\Temp\Perflib_Perfdata_e8.dat
+ 2010-12-14 00:07 . 2010-12-14 00:07 16384 c:\windows\Temp\Perflib_Perfdata_170.dat
+ 2004-08-04 05:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2010-12-11 20:46 . 2010-12-11 20:45 153376 c:\windows\system32\javaws.exe
+ 2010-12-11 20:46 . 2010-12-11 20:45 145184 c:\windows\system32\javaw.exe
+ 2010-12-11 20:46 . 2010-12-11 20:45 145184 c:\windows\system32\java.exe
+ 2010-12-11 20:47 . 2010-12-11 20:47 180224 c:\windows\Installer\38aa6.msi
+ 2010-12-11 20:45 . 2010-12-11 20:45 677376 c:\windows\Installer\38aa0.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [N/A]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [N/A]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-03-27 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]
"HostManager"="c:\program files\Common Files\AOL\1188700288\ee\AOLSoftware.exe" [2008-06-24 41824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2005-01-06 20:04 1466368 ----a-w- c:\program files\Spyware Doctor\swdoctor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/9/2010 9:08 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/9/2010 9:08 AM 17744]
R2 GhostLpt;GhostLpt;c:\windows\system32\drivers\GhostLpt.sys [11/24/2004 10:06 AM 9344]
R2 sympxchm;sympxchm;c:\windows\system32\drivers\sympxchm.sys [12/4/2004 8:45 PM 19741]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/15/2008 10:46 AM 183680]
S3 sympusb;sympusb;c:\windows\system32\drivers\sympusb.sys [12/4/2004 8:43 PM 121700]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/13/2007 5:16 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{927E1ED5-CA30-418E-AD03-13B7DA4B46BD}]
c:\documents and settings\HP_Owner\Application Data\Sun\fuvvn.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-21 14:42]

2010-12-13 c:\windows\Tasks\User_Feed_Synchronization-{6B0CBF13-DE1E-4251-B508-DAB4B769A2DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mWindow Title =
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrad.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fwhvw3uy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 18:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y160P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862E0735]<<
c:\docume~1\HP_Owner\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862e6990]; MOV EAX, [0x862e6a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86354AB8]
3 CLASSPNP[0xF756FFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000068[0x8634B9E8]
5 ACPI[0xF74E6620] -> nt!IofCallDriver[0x804E37D5] -> [0x86322D98]
\Driver\atapi[0x863842B8] -> IRP_MJ_CREATE -> 0x862E0735
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskMaxtor_6Y160P0__________________________YAR41BW0#3459383536514535202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x862E057B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-13 18:23:51
ComboFix-quarantined-files.txt 2010-12-14 00:23
ComboFix2.txt 2010-12-13 03:03
ComboFix3.txt 2010-12-12 22:14
ComboFix4.txt 2010-12-11 20:32
ComboFix5.txt 2010-12-13 23:48

Pre-Run: 57,465,597,952 bytes free
Post-Run: 57,456,136,192 bytes free

- - End Of File - - E497874DFB46FD50BB7DBCEFE6CB9EE0
