
TDL4 bootkit and TDL3 rootkit


3 replies to this topic

#1 ldemps

ldemps

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:37 AM

Posted 16 March 2011 - 10:12 AM

I believe that I have 2 computers infected with the TDL4 bootkit and TDL3 rootkit. I am in the process of collecting the information needed for analysis, as described in the "Preparation Guide". While I am gathering this information, can someone comment if I need to take any preventive action with the online accounts I access? From what I have read, these two pieces of malware are used to send spam and open backdoors for other malware infections. I have not read anything about the bootkit/rootkit containing keyloggers. The presence of a keylogger would spur me to take immediate action to close/transfer a few accounts. Also, I would like to have additional information concerning how the bootkit and rootkit infect computers. I have several USB storage devices that I used with the infected computers. Is there a high probability that I could infect other computers if I connect these storage devices to them?

LDemps

Below is the DDS.TXT file. Attached are the ATTACH.TXT and ARK.TXT files (in 1 Zipped file).

LDemps

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by LDemps at 16:47:51.96 on Wed 03/16/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2543.1740 [GMT -4:00]
.
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Laplink\Laplink DiskImage\oodiag.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nuance\PDF Professional 7\pdfpro7hook.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\UTIL\PureText.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Belkin\F7D4101\V1\PBN.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Bleeping Computer Data\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.washingtonpost.com/
mSearch Bar = hxxp://www.earthlink.net/search/
mWindow Title = Microsoft Internet Explorer provided by EarthLink
uInternet Settings,ProxyServer = websense:8080
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uCustomizeSearch =
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - HP Print Enhancer
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf professional 7\bin\PlusIEContextMenu.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Strider URL Tracer Class: {b1cc6da6-1341-40c2-9930-086acd067289} - c:\program files\microsoft\msr strider url tracer\UrlTrace.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - No File
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PureText] "c:\util\PureText.exe"
uRun: [cdloader] "c:\documents and settings\lawrence dempsey\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] "nwiz.exe" /install
mRun: [ADUserMon] "c:\program files\iomega\autodisk\ADUserMon.exe"
mRun: [Iomega Startup Options] "c:\program files\iomega\common\ImgStart.exe"
mRun: [Iomega Drive Icons] "c:\program files\iomega\driveicons\ImgIcon.exe"
mRun: [Deskup] "c:\program files\iomega\driveicons\deskup.exe"
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [WD Button Manager] "WDBtnMgr.exe"
mRun: [SetIcon] \Program Files\WDC\SetIcon.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PDFHook] c:\program files\nuance\pdf professional 7\pdfpro7hook.exe
mRun: [PDF7 Registry Controller] c:\program files\nuance\pdf professional 7\RegistryController.exe
mRun: [Nuance PDF Converter Professional 7-reminder] "c:\program files\nuance\pdf professional 7\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\pdf converter professional 7\ereg\Ereg.ini"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ecco3e~1.lnk - c:\ecco\ECCO3.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\playwi~1.lnk - c:\program files\belkin\f7d4101\v1\PBN.exe
IE: &Highlight
IE: &Links List
IE: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: I&mages List
IE: Open Frame in &New Window
IE: Open with Nuance PDF Converter 7.0 - c:\program files\nuance\pdf professional 7\cnvres_eng.dll /100
IE: Open with PDF Professional 7 - c:\program files\nuance\pdf professional 7\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Zoom &In
IE: Zoom O&ut
IE: {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\verizon online\verizon online control pad\VerizonControlPad.Exe
IE: {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/
IE: {E1675C34-8EFD-4005-8911-1032912305C6} - "c:\program files\microsoft\msr strider url tracer\TypoPatroller.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://ssc-web-symn-svca01.symantec.com/avdb001/nav/common/common/bin/AvSniff.cab
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://69.44.122.156/scanner/axscanner.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecombd68af80722ce6939cd78a55ef3e82fe8c1969de0d/whalecom0/iNotes6W.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118804546375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118805700015
DPF: {70A89DB7-5EC2-4790-AC34-0018FC2E61CB} - hxxp://officeupdate.microsoft.com/v3content/ouv3is.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {76850F2A-FCAA-454F-82D3-BD46CB186EF5} - hxxp://156.132.84.150/iheat/iHEAT-ActiveX.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - hxxp://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://jran.uscourts.gov/whalecombd68af80722ce69399d78a55ef3e82fe78c1edc099/whalecom0/dwa8W.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.8375810185
DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} - hxxps://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} - hxxp://go.microsoft.com/fwlink/?linkid=49480
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security2.norton.com/avdb001/sa/common/common/bin/cabsa.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.verizon.net/checkmypc/includes/MotivePreQual.cab
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} - hxxp://windowsupdate.microsoft.com/R1044/V31Controls/x86/w98/en/actsetup.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://jran.uscourts.gov/whalecombd68af80722ce6939ed78a55ef3e82fef5171360ce/whalecom0/dwa7W.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://jport.uscourts.gov/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:ie50 /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /app:wab /caller:ie50 /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lawren~1\applic~1\mozilla\firefox\profiles\bheare8s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\lawrence dempsey\application data\mozilla\firefox\profiles\bheare8s.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\lawrence dempsey\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\lawrence dempsey\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\lawrence dempsey\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\nuance\pdf professional 7\bin\nppdf.dll
FF - plugin: c:\program files\nuance\pdf professional 7\bin\nppdf.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Finjan Secure Browsing: {27a03cf3-856f-46b8-91cb-7289f58c7e6e} - %profile%\extensions\{27a03cf3-856f-46b8-91cb-7289f58c7e6e}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\drivers\oodisr.sys [2010-5-27 96352]
R0 oodisrh;oodisrh;c:\windows\system32\drivers\oodisrh.sys [2010-5-27 28768]
R0 oodivd;O&O DiskImage Virtual Devices Driver;c:\windows\system32\drivers\oodivd.sys [2010-5-27 167008]
R0 oodivdh;oodivdh;c:\windows\system32\drivers\oodivdh.sys [2010-5-27 31328]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-6-5 315408]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-3-16 18816]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-3-8 98392]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-14 353672]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-1-12 724664]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-1-12 724664]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2008-1-1 70016]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-14 363344]
R2 OO DiskImage;OO DiskImage;c:\program files\laplink\laplink diskimage\oodiag.exe [2010-5-27 2385240]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2009-11-6 642432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-14 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-12 136176]
S2 KillTheHooker;KillTheHooker;\??\i:\tdl3 razor\tdl3 razor\tizerbruteforceex.sys --> i:\tdl3 razor\tdl3 razor\TizerBruteForceEx.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S2 WLANBelkinService;Belkin WLAN service;c:\program files\belkin\f7d4101\v1\wlansrv.exe [2009-12-28 36864]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]
S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2005-1-25 29329]
S3 PortReporter;Port Reporter;c:\program files\portreporter\PortReporter.exe [2004-3-17 90183]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-03-16 20:43:54 -------- d-----w- C:\Bleeping Computer Data
2011-03-16 20:41:05 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-03-16 20:41:03 31529 -c--a-w- c:\windows\system32\dllcache\brzwlan.sys
2011-03-16 20:41:02 11008 -c--a-w- c:\windows\system32\dllcache\brusbmdm.sys
2011-03-16 20:41:02 10368 -c--a-w- c:\windows\system32\dllcache\brusbscn.sys
2011-03-16 20:41:01 9728 -c--a-w- c:\windows\system32\dllcache\brserif.dll
2011-03-16 20:41:01 60416 -c--a-w- c:\windows\system32\dllcache\brserwdm.sys
2011-03-16 20:41:00 5120 -c--a-w- c:\windows\system32\dllcache\brscnrsm.dll
2011-03-16 20:39:41 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-03-16 20:38:48 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2011-03-16 20:37:12 76288 -c--a-w- c:\windows\system32\dllcache\OLD23.tmp
2011-03-16 20:37:11 275968 -c--a-w- c:\windows\system32\dllcache\OLD1D.tmp
2011-03-16 20:37:11 188480 -c--a-w- c:\windows\system32\dllcache\OLD20.tmp
2011-03-16 20:36:03 16439 -c--a-w- c:\windows\system32\dllcache\OLD1A.tmp
2011-03-16 20:36:02 20540 -c--a-w- c:\windows\system32\dllcache\OLD17.tmp
2011-03-16 20:36:00 43520 -c--a-w- c:\windows\system32\dllcache\OLD11.tmp
2011-03-16 20:36:00 290816 -c--a-w- c:\windows\system32\dllcache\OLD14.tmp
2011-03-16 20:35:59 20540 -c--a-w- c:\windows\system32\dllcache\OLDB.tmp
2011-03-16 20:35:59 16439 -c--a-w- c:\windows\system32\dllcache\OLDE.tmp
2011-03-16 13:52:44 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-03-15 17:37:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-15 15:34:16 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{87d20c5a-df7d-4beb-8156-bc35a300890a}\mpengine.dll
2011-03-14 22:36:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-14 22:36:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-14 22:36:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 21:45:59 98816 ----a-w- c:\windows\sed.exe
2011-03-14 21:45:59 89088 ----a-w- c:\windows\MBR.exe
2011-03-14 21:45:59 256512 ----a-w- c:\windows\PEV.exe
2011-03-14 21:45:59 161792 ----a-w- c:\windows\SWREG.exe
2011-03-10 21:58:36 -------- d-----w- C:\Rootkit Detect
2011-03-09 16:33:12 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-03-08 21:37:33 -------- d-----w- c:\documents and settings\lawrence dempsey\DoctorWeb
2011-03-08 16:50:13 -------- d-----w- C:\New Folder
2011-03-08 16:49:55 -------- d-----w- c:\documents and settings\lawrence dempsey\dwhelper
2011-03-08 16:48:25 -------- d-----w- c:\program files\ConvertHelper
2011-03-08 15:51:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-08 15:51:59 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-03-08 15:51:48 -------- d-----w- C:\VIPRERESCUE
2011-03-05 06:03:12 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-05 06:03:10 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-05 06:02:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-03-05 04:27:26 6144 ------w- c:\windows\system32\5.tmp
2011-03-05 04:26:10 6144 ------w- c:\windows\system32\4.tmp
2011-03-05 04:26:06 6144 ------w- c:\windows\system32\3.tmp
2011-03-05 04:25:16 6144 ------w- c:\windows\system32\2.tmp
2011-03-04 14:21:00 -------- d-sha-r- C:\cmdcons
2011-02-27 22:39:24 -------- d-----w- c:\program files\TdssKiller
.
==================== Find3M ====================
.
2011-03-10 14:32:20 86016 ----a-w- c:\windows\system32\msxml4r.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-29 04:17:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 16:51:36.82 ===============

EDIT: Posts merged ~BP

Edited by Budapest, 16 March 2011 - 05:08 PM.
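
As an added example (not code from this thread, from the DDS tool, or from BleepingComputer), here is a small Python triage helper for the SERVICES / DRIVERS section of the DDS log posted above. It parses each entry, records whether DDS could verify the image file (entries printed with `--> path [?]` carry no date/size, so the file could not be opened at that path), and flags the entries a reviewer would look at first: unverified images, `.tmp` images, and images outside the system drive. The flag names, the rules, and the assumption that `C:` is the system drive are the editor's own; the sample lines are copied from the log above.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example: not code from the thread, from DDS, or from BleepingComputer.
SAMPLE_LOG is an excerpt copied from the log posted above; the flag rules
are the editor's own heuristics (assumptions, not DDS conventions).
"""
import re
from dataclasses import dataclass, field

# One DDS service line looks like one of these (as seen in the posted log):
#   R0 name;display name;c:\path\file.sys [2010-5-27 96352]
#   S2 name;display name;\??\c:\path\file.sys --> c:\path\file.sys [?]
# DDS prints [date size] when it could read the file and "--> path [?]"
# when it could not, so [?] means the image could not be opened there.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
VERIFIED_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$")
UNVERIFIED_RE = re.compile(r"^(?P<path>.*?)\s+-->\s+(?P<resolved>.*?)\s+\[\?\]$")


@dataclass
class ServiceEntry:
    state: str        # R0/R1 boot or system start, R2/R3 running, S* stopped
    name: str
    display: str
    path: str         # image path as DDS resolved it
    verified: bool    # True when DDS printed a date and size
    date: str = ""
    size: int = 0
    flags: list = field(default_factory=list)


def parse_service_line(line):
    """Parse one SERVICES / DRIVERS line; return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, rest = m.group("state", "name", "display", "rest")
    v = VERIFIED_RE.match(rest)
    if v:
        return ServiceEntry(state, name, display, v.group("path"), True,
                            v.group("date"), int(v.group("size")))
    u = UNVERIFIED_RE.match(rest)
    if u:
        return ServiceEntry(state, name, display, u.group("resolved"), False)
    return ServiceEntry(state, name, display, rest, False)  # unknown layout


def flag_entry(entry):
    """Attach review flags (editor's heuristics); a flag is a prompt to look, not a verdict."""
    p = entry.path.lower()
    if not entry.verified:
        entry.flags.append("file-unverified")
    if p.endswith(".tmp"):
        entry.flags.append("tmp-extension")
    if not p.startswith("c:\\"):          # assumption: C: is the system drive
        entry.flags.append("non-system-drive")
    return entry


def services_section(log_text):
    """Return the lines between the SERVICES / DRIVERS header and the next header."""
    lines = log_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if "SERVICES / DRIVERS" in l) + 1
    except StopIteration:
        return []
    body = []
    for l in lines[start:]:
        if l.startswith("==="):
            break
        body.append(l)
    return body


def triage(log_text):
    """Return every parsed entry from the section, with flags attached."""
    entries = [parse_service_line(l) for l in services_section(log_text)]
    return [flag_entry(e) for e in entries if e is not None]


def flagged(log_text):
    """Map service name -> flags for entries that earned at least one flag."""
    return {e.name: e.flags for e in triage(log_text) if e.flags}


# Excerpt copied from the DDS log in the post above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\system32\drivers\oodisr.sys [2010-5-27 96352]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-3-16 18816]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-14 363344]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 KillTheHooker;KillTheHooker;\??\i:\tdl3 razor\tdl3 razor\tizerbruteforceex.sys --> i:\tdl3 razor\tdl3 razor\TizerBruteForceEx.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]
.
=============== File Associations ===============
"""

if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

On the excerpt this flags `vsmon`, `KillTheHooker`, `portD` and `MEMSWEEP2` and leaves the verified drivers alone. Each flag is only a prompt for a manual look: `vsmon` is unverified because DDS kept the `-service` argument in the path, and `KillTheHooker` points at a `tdl3 razor` folder on drive `I:`, which is consistent with a removal tool the poster ran rather than with the infection itself.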



#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:37 AM

Posted 19 March 2011 - 01:29 PM

Looks like you have already run both TDSSKiller and ComboFix.

infected with the TDL4 bootkit and TDL3 rootkit

If this is the case I always post this:

You had a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. They bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. In my opinion you should consider a reformat/reinstall of Windows.
The best source for information on how to do this would be the computer manufacturer's website.

How Can I Reduce My Risk to Malware?


#3 ldemps

ldemps
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:37 AM

Posted 19 March 2011 - 01:43 PM

You are correct. I am in the process of upgrading each computer to Windows 7 with a clean install from Windows XP (and re-partitioning the drives).

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:37 AM

Posted 20 March 2011 - 01:40 PM

Ok. Good luck.

How Can I Reduce My Risk to Malware?
