Warning: possible TDL3 rootkit infection ! / Can't access windows update

#1 bobbiemark


  • Members
  • 2 posts
  • Local time:03:28 PM

Posted 12 April 2011 - 11:19 AM


A family friend has asked me to take a look at his computer because it had been infected with a virus. He said that he received virus warnings and followed onscreen prompts to remove the infection but he was then directed to a site where he could pay for the removal tool. Several people use this computer and I don't have full details of how and when this happened. I've backed up their data to an external drive so I'm ready to try anything :)

I have run AVG and Malwarebytes scans which returned no results. The computer seemed fine but when I tried to run Windows Update it either did nothing or opened up IE to http://windowsupdate.microsoft.com with an 'Internet Explorer cannot display the webpage' error. Google and bleepingcomputer.com load fine but if I search for Windows Update and follow any of the supposedly valid links to the update site I get redirected to random spam/junk sites e.g. http://uk.gomeo.co.uk/index.php?a=1&keyword=window+update

I've read the forum guidelines and have included the DDS, attach and gmer logs.

Thanks in advance for any help you can give me.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 14:05:56.98 on 12/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1013.518 [GMT 1:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\aspgsedx\iyhsdejo.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\q1xbmm5p.default\
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2011-4-6 69632]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-11-30 1251720]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-4-6 619136]
S1 axrivrqk;axrivrqk;\??\c:\windows\system32\drivers\axrivrqk.sys --> c:\windows\system32\drivers\axrivrqk.sys [?]
S1 ezrjwsbm;ezrjwsbm;\??\c:\windows\system32\drivers\ezrjwsbm.sys --> c:\windows\system32\drivers\ezrjwsbm.sys [?]
S1 fwrczcoe;fwrczcoe;\??\c:\windows\system32\drivers\fwrczcoe.sys --> c:\windows\system32\drivers\fwrczcoe.sys [?]
S1 MpKsl181e95ba;MpKsl181e95ba;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e33f1f3b-42cc-4363-acb1-d39d23e071e1}\mpksl181e95ba.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e33f1f3b-42cc-4363-acb1-d39d23e071e1}\MpKsl181e95ba.sys [?]
S1 MpKsled03dab8;MpKsled03dab8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{455316a8-e7cb-406b-8a25-07917511fa73}\mpksled03dab8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{455316a8-e7cb-406b-8a25-07917511fa73}\MpKsled03dab8.sys [?]
S1 MpKslf4862d26;MpKslf4862d26;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{07e1d33b-1d3c-444a-9f96-dfa44467efa6}\mpkslf4862d26.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{07e1d33b-1d3c-444a-9f96-dfa44467efa6}\MpKslf4862d26.sys [?]
S1 nbgsxfoc;nbgsxfoc;\??\c:\windows\system32\drivers\nbgsxfoc.sys --> c:\windows\system32\drivers\nbgsxfoc.sys [?]
S1 pbmrydrz;pbmrydrz;\??\c:\windows\system32\drivers\pbmrydrz.sys --> c:\windows\system32\drivers\pbmrydrz.sys [?]
S1 tcsvxefg;tcsvxefg;\??\c:\windows\system32\drivers\tcsvxefg.sys --> c:\windows\system32\drivers\tcsvxefg.sys [?]
S2 gupdate1c987e182cc8d8e;Google Update Service (gupdate1c987e182cc8d8e);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-2-28 14336]
=============== Created Last 30 ================
2011-04-12 11:44:17 -------- d-----w- c:\windows\Hewlett-Packard
2011-04-06 19:47:39 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-04-06 19:47:38 -------- d-----w- c:\program files\Ralink
2011-04-06 19:47:27 619136 ----a-w- c:\windows\system32\drivers\rt2870.sys
2011-04-06 19:47:27 217088 ----a-w- c:\windows\system32\RaCoInst.dll
2011-04-06 19:47:26 4096 ----a-w- c:\windows\system32\drivers\rt2870.bin
2011-04-06 19:47:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Ralink Driver
2011-03-27 15:16:49 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Mozilla
==================== Find3M ====================
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200820AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D0D735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d13990]; MOV EAX, [0x86d13a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D4AAB8]
3 CLASSPNP[0xF75EEFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x86D94D28]
5 ACPI[0xF7485620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86D8AD98]
\Driver\atapi[0x86D578C0] -> IRP_MJ_CREATE -> 0x86D0D735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3200820AS_____________________________3.AAD___#5&38489fb6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D0D57B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 14:08:12.31 ===============
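Added here as a defender-side illustration, not code from the original post or from DDS/GMER: a small triage of the DDS/GMER log format shown above that flags the extra entry appended to Userinit, the randomly named S1 driver entries whose files DDS could not find (`[?]`), and the GMER rootkit warning line. The sample lines are constructed from the post's format; the 8-lowercase-letter name heuristic is an assumption chosen to match the entries in this log while leaving the MpKsl* entries (Microsoft Security Essentials scan-time drivers) unflagged.

```python
import re

# Constructed sample in the DDS/GMER line formats seen in the post above.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\aspgsedx\iyhsdejo.exe,
uInternet Settings,ProxyServer = http=
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
S1 axrivrqk;axrivrqk;\??\c:\windows\system32\drivers\axrivrqk.sys --> c:\windows\system32\drivers\axrivrqk.sys [?]
S1 ezrjwsbm;ezrjwsbm;\??\c:\windows\system32\drivers\ezrjwsbm.sys --> c:\windows\system32\drivers\ezrjwsbm.sys [?]
S1 MpKsl181e95ba;MpKsl181e95ba;\??\c:\progra~1\microsoft antimalware\mpksl181e95ba.sys --> c:\progra~1\microsoft antimalware\MpKsl181e95ba.sys [?]
Warning: possible TDL3 rootkit infection !
"""

USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.IGNORECASE)
# "<R|S><0-4> name;display;path [date size]" or "... [?]" when DDS could not stat the file.
DRIVER_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;.* \[([^\]]*)\]$")
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
RANDOM_NAME_RE = re.compile(r"[a-z]{8}")  # assumption: heuristic for the entries in this log


def triage_dds(log_text):
    """Return a list of (category, detail) findings from DDS/GMER log text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            # Userinit is a comma-separated list; only the stock userinit.exe is expected.
            for entry in m.group(1).split(","):
                entry = entry.strip().lower()
                if entry and entry != LEGIT_USERINIT:
                    findings.append(("userinit_hijack", entry))
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, bracket = m.group(1), m.group(2)
            # A service entry pointing at a missing, randomly named driver file is an
            # orphaned leftover worth reviewing; MpKsl* names do not match the pattern.
            if bracket == "?" and RANDOM_NAME_RE.fullmatch(name):
                findings.append(("orphan_random_driver", name))
            continue
        low = line.lower()
        if low.startswith("warning: possible") and "rootkit" in low:
            findings.append(("rootkit_warning", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"{category:22s} {detail}")
```

The findings are a starting point for review, not a verdict; the `[?]` marker alone is not proof of malice, which is why the name pattern is combined with it.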

#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:28 PM

Posted 12 April 2011 - 03:05 PM

Good evening. :)

According to one of the logs the operating system installation is over four years old. As I tend to reinstall mine every six months to keep it moving speedily, I suspect that the machine you have is suffering from speed issues to a degree.

If this was my machine I'd wipe it, deleting all partitions, and reinstall Windows just to get it back to that spring fresh state that new PCs have and it has the added advantage that it tends to clean all manner of nasties from the hard drive.

Unless your machine is really infected though, it's not a necessity, although I stress that I would wipe it if it was my machine, so if you'd rather clean it let me know.

So long, and thanks for all the fish.



#3 bobbiemark

  • Topic Starter

  • Members
  • 2 posts
  • Local time:03:28 PM

Posted 13 April 2011 - 03:00 PM


Thanks for the reply. I think you're right to be honest, the computer is crawling along at the minute. The only problem is that they have Office installed but don't have any original discs/keys/packaging so they won't get those programs back when I reformat. Might try Microsoft to see if I can get another auth key but if not OpenOffice will have to suffice.


#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:28 PM

Posted 13 April 2011 - 04:26 PM

How to obtain a new product key for a Microsoft Office suite may be of help.

So long, and thanks for all the fish.



#5 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:28 PM

Posted 16 April 2011 - 02:59 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.



