TDSS Virus on Windows XP


This topic is locked. 18 replies to this topic.

#1 highflys

Posted 23 April 2011 - 11:19 PM

My Windows XP computer has been infected with the TDSS Virus. The symptoms I've seen include a message stating "Generic Host Process for Win32 has encountered a problem and needs to close", a black bar that covers up my "File Edit View Favorites Tools Help" toolbar on my Internet Explorer browser, a slower internet loading speed, and my taskbar that changes colors to classic color (pale grey).

The antimalware programs I have installed include Malwarebytes and Microsoft Security Essentials. Malwarebytes recently detected many trojans and malware and was able to remove them, as far as I know. MSE has detected a virus that it calls "Trojan:DOS/Alureon.A", but is unable to remove it. I have also tried TDSSKiller from Kaspersky, but that has failed as well (initialization stops at 80%). This is my last hope and I would appreciate the help. Here are my DDS Log, Attach.txt, and arc.txt files:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 19:18:44.12 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265561365187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265568236734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.26.2.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
R1 MpKslb665cfaf;MpKslb665cfaf;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\MpKslb665cfaf.sys [2011-4-23 28752]
S1 MpKsl46604889;MpKsl46604889;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{037062a2-a3c8-4675-8f64-545b8e67d4e6}\mpksl46604889.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{037062a2-a3c8-4675-8f64-545b8e67d4e6}\MpKsl46604889.sys [?]
S1 MpKslaa63e57d;MpKslaa63e57d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\MpKslaa63e57d.sys [2011-4-22 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-31 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-2-7 20160]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-24 02:14:39 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\MpKslb665cfaf.sys
2011-04-22 20:18:16 -------- d-sha-r- C:\cmdcons
2011-04-22 20:12:16 89088 ----a-w- c:\windows\MBR.exe
2011-04-22 20:12:15 98816 ----a-w- c:\windows\sed.exe
2011-04-22 20:12:15 256512 ----a-w- c:\windows\PEV.exe
2011-04-22 20:12:15 161792 ----a-w- c:\windows\SWREG.exe
2011-04-22 20:04:46 -------- d-----w- c:\docume~1\admini~1\applic~1\TeamViewer
2011-04-22 20:04:02 -------- d-----w- c:\program files\TeamViewer
2011-04-22 19:01:26 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\MpKslaa63e57d.sys
2011-04-22 17:31:11 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\mpengine.dll
2011-04-22 01:03:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 01:02:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 01:02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 00:56:12 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-22 00:55:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applications
2011-04-21 22:46:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-21 22:46:38 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-19 06:00:42 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-04-19 06:00:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
.
==================== Find3M ====================
.
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x863644F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8636a7d0]; MOV EAX, [0x8636a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86349AB8]
3 CLASSPNP[0xF74D6FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x863CD830]
\Driver\atapi[0x863DAB60] -> IRP_MJ_CREATE -> 0x863644F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8636433B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:20:37.20 ===============
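The ROOTKIT section of the DDS log is the part a responder reads first: a disk-stack hook, an unnamed module in the disk I/O call chain and a user-mode MBR read error that the kernel read does not share. As an added example that is not part of this thread or of DDS, ComboFix or Gmer, the following Python script parses that detector output (report text copied from the posts, `_asm` disassembly lines omitted) into triage notes and a severity label of my own; the `parse_mbr_report`/`assess` names and the label scheme are assumptions, not anything the tools provide.

```python
"""Triage the 'Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector' section that
DDS and ComboFix embed in their logs.  Added example, not part of the thread or
of DDS, ComboFix or Gmer; the report text below is copied from the posts above
(the _asm disassembly lines are omitted) and the severity labels are my own."""
import re
from dataclasses import dataclass, field

# Report from the DDS log in post #1 (disassembly lines omitted).
DDS_REPORT = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x863644F0]<<
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86349AB8]
3 CLASSPNP[0xF74D6FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x863CD830]
\Driver\atapi[0x863DAB60] -> IRP_MJ_CREATE -> 0x863644F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8636433B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Same detector run by ComboFix in post #5: the hook is still present,
# but this run printed no warning line.
COMBOFIX_REPORT = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8633D33B
user & kernel MBR OK
"""

HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")
DISPATCH_RE = re.compile(
    r"^(\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
DISK_RE = re.compile(r"\bDisk:\s+(\S+)")

@dataclass
class MbrFindings:
    disk: str = ""
    unknown_modules: list = field(default_factory=list)  # unnamed code in the disk I/O path
    dispatch: list = field(default_factory=list)         # (driver, IRP major, target)
    hooks: list = field(default_factory=list)            # (driver, routine, target)
    read_errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    mbr_ok: bool = False

def parse_mbr_report(text):
    """Pull the security-relevant lines out of one detector report."""
    f = MbrFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Windows ") and (m := DISK_RE.search(line)):
            f.disk = m.group(1)
        f.unknown_modules.extend(UNKNOWN_RE.findall(line))
        if m := DISPATCH_RE.match(line):
            f.dispatch.append(m.groups())
        elif m := HOOK_RE.match(line):
            f.hooks.append(m.groups())
        elif line.startswith("error:"):
            f.read_errors.append(line[len("error:"):].strip())
        elif line.startswith("Warning:"):
            f.warnings.append(line[len("Warning:"):].strip())
        elif line == "user & kernel MBR OK":
            f.mbr_ok = True
    return f

def assess(f):
    """Return (severity, notes); severity is 'clean', 'suspicious' or 'likely rootkit'."""
    notes = [f"disk I/O call chain passes through an unnamed module at {a}" for a in f.unknown_modules]
    notes += [f"{drv} {irp} dispatch points into the unnamed module at {t}"
              for drv, irp, t in f.dispatch if t in f.unknown_modules]
    notes += [f"{drv} {routine} is hooked -> {addr}" for drv, routine, addr in f.hooks]
    if f.hooks and f.mbr_ok:
        # The tool read the MBR through the very driver that is hooked, so its
        # verdict can be whatever the hook chose to return.
        notes.append("'user & kernel MBR OK' was read through a hooked disk stack; treat it as unverified")
    notes += [f"user-mode MBR read error: {e}" for e in f.read_errors]
    notes += [f"tool warning: {w}" for w in f.warnings]
    if f.warnings or f.unknown_modules:
        return "likely rootkit", notes
    if f.hooks:
        return "suspicious", notes
    return "clean", notes

if __name__ == "__main__":
    for name, text in (("DDS", DDS_REPORT), ("ComboFix", COMBOFIX_REPORT)):
        sev, notes = assess(parse_mbr_report(text))
        print(f"[{name}] {sev}\n  " + "\n  ".join(notes))
```

The ComboFix run is rated lower only because that report lacks the disk trace and warning line; the same `atapi DriverStartIo` hook is present in both, which is the point of comparing the two.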


#2 heir

  • Malware Response Team
Posted 24 April 2011 - 02:39 PM

Welcome to BC!

Definitely a Rootkit. This might be tricky.
Do you have a computer with a CD-burner fitted, as we might need to create a CD?


Step 1.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 2.
RootKit Unhooker:

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Step 3.
Things I would like to see in your reply:

  • The answer to the question in the beginning of this post.
  • The content of C:\ComboFix.txt from step 1.
  • The content of the report from RKU in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click [donate image].


#3 highflys


Posted 24 April 2011 - 10:01 PM

Thank you for responding so quickly. I do believe I have a CD-burner on my computer. I have attached the Combofix log.txt and the report.txt from the RKU.


#4 heir

  • Malware Response Team

Posted 25 April 2011 - 05:44 AM

Please don't attach logs if you're not specifically asked to do so; just copy and paste them in.


Running powerful tools like ComboFix without supervision isn't advised, as it can cripple your computer's basic functions.

As you've already run Combofix once, please post the content of C:\qoobox\ComboFix2.txt in your reply.

How come you have TeamViewer installed?
What's it used for?



#5 highflys


Posted 25 April 2011 - 09:30 AM

TeamViewer was installed and used by a Microsoft support agent. I am not sure what it's for, but he claimed he needed to use it. Here is C:\qoobox\ComboFix2.txt:

ComboFix 11-04-22.01 - Administrator 04/22/2011 13:21:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.424 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Xpp\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\E33EA99EE50E1C552FA41802EC19450D
c:\documents and settings\Administrator\Application Data\E33EA99EE50E1C552FA41802EC19450D\enemies-names.txt
c:\documents and settings\Administrator\Application Data\Sun\lfmt.txt
c:\documents and settings\Administrator\Application Data\Sun\mxd1.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 20:08 . 2011-04-22 20:11 -------- d-----w- C:\32788R22FWJFW
2011-04-22 20:04 . 2011-04-22 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2011-04-22 20:04 . 2011-04-22 20:04 -------- d-----w- c:\program files\TeamViewer
2011-04-22 19:55 . 2011-04-22 19:55 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\MpKsl13d906be.sys
2011-04-22 19:01 . 2011-04-22 19:01 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\MpKslaa63e57d.sys
2011-04-22 17:31 . 2011-04-18 16:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\mpengine.dll
2011-04-22 01:03 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 01:02 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 01:02 . 2011-04-22 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 00:56 . 2011-04-22 00:56 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-22 00:55 . 2011-04-22 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2011-04-21 22:46 . 2011-04-21 22:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-19 08:01 . 2011-04-19 08:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-19 06:00 . 2011-04-19 06:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-19 06:00 . 2011-04-19 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-19 00:36 . 2010-12-29 03:08 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 00:36 . 2010-12-29 03:08 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11 . 2010-02-07 18:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2010-02-07 16:23 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-02-07 16:23 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-26 54672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA Games\\Battlefield Play4Free\\BFP4f.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
.
R1 MpKsl13d906be;MpKsl13d906be;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\MpKsl13d906be.sys [4/22/2011 12:55 PM 28752]
S1 MpKsl46604889;MpKsl46604889;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{037062A2-A3C8-4675-8F64-545B8E67D4E6}\MpKsl46604889.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{037062A2-A3C8-4675-8F64-545B8E67D4E6}\MpKsl46604889.sys [?]
S1 MpKslaa63e57d;MpKslaa63e57d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\MpKslaa63e57d.sys [4/22/2011 12:01 PM 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 9:51 PM 136176]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [4/22/2011 1:04 PM 2280312]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/7/2010 1:01 AM 20160]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL13D906BE
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 19:50]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 04:51]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 04:51]
.
2011-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
2011-04-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
2011-04-22 c:\windows\Tasks\User_Feed_Synchronization-{5AA11E49-BEA3-480F-980F-0F4A85FF826C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.26.2.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 13:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8633D33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-583907252-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,43,64,31,c8,19,e8,45,af,c4,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,19,95,34,8c,94,dc,48,a4,e1,06,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,19,95,34,8c,94,dc,48,a4,e1,06,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-22 13:36:29
ComboFix-quarantined-files.txt 2011-04-22 20:36
.
Pre-Run: 74,109,112,320 bytes free
Post-Run: 75,272,122,368 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D9B9CF999933333FBF1C95843A0BCBAC

#6 heir

  • Malware Response Team

Posted 25 April 2011 - 10:24 AM

We're going to try TDSSKiller once more and use another tool.

We might need to create a bootable CD with tools on it to fix this.
Do you have a computer with a working CD-burner fitted?

Can the infected computer be booted from a USB stick as well as a CD?


Step 1.
TDSSKiller:


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
MBRCheck:


Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 3.
Things I would like to see in your reply:

  • The answers to the questions in the beginning of this post.
  • The content of the log from TDSSKiller in step 1.
  • The content of the report from MBRCheck in step 2.



#7 highflys


Posted 25 April 2011 - 04:21 PM

My computer does have a CD burner. I am not sure what you mean by "booted from a USB stick". I tried to run TDSSKiller again, but its initialization stopped at 80% and a message was displayed saying "TDSS rootkit removing tool has encountered a problem and needs to close. We are sorry for the inconvenience". Here are the results of the MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 115):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0x86314000 \WINDOWS\system32\KDCOM.DLL
0xF78AA000 \WINDOWS\system32\BOOTVID.dll
0xF7447000 ACPI.sys
0xF7996000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7436000 pci.sys
0xF7496000 isapnp.sys
0xF7A5E000 pciide.sys
0xF7716000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7998000 intelide.sys
0xF74A6000 MountMgr.sys
0xF7417000 ftdisk.sys
0xF799A000 dmload.sys
0xF73F1000 dmio.sys
0xF771E000 PartMgr.sys
0xF74B6000 VolSnap.sys
0xF73D9000 atapi.sys
0xF7726000 cercsr6.sys
0xF73C1000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF74C6000 disk.sys
0xF74D6000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73A1000 fltmgr.sys
0xF738F000 sr.sys
0xF7378000 KSecDD.sys
0xF72EB000 Ntfs.sys
0xF72BE000 NDIS.sys
0xF72A4000 Mup.sys
0xF7666000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6DB3000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6D9F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7776000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6D7B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF777E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6D55000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7676000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7786000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF778E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7686000 \SystemRoot\system32\DRIVERS\serial.sys
0xF795E000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF6D41000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7696000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76A6000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76B6000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6D1E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7796000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF6CDE000 \SystemRoot\system32\drivers\smwdm.sys
0xF6CBA000 \SystemRoot\system32\drivers\portcls.sys
0xF76C6000 \SystemRoot\system32\drivers\drmk.sys
0xF6C07000 \SystemRoot\system32\drivers\senfilt.sys
0xF7ACC000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF79C4000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF779E000 \SystemRoot\System32\Drivers\Modem.SYS
0xF76D6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF796A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6BF0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76E6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76F6000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77A6000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6BDF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7706000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xEE512000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xEE50A000 \SystemRoot\system32\DRIVERS\raspti.sys
0xECFF4000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xEDD29000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79FC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xECF96000 \SystemRoot\system32\DRIVERS\update.sys
0xEE7C7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xEDCE9000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEDCC9000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A10000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB27D9000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xF7A3E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B54000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A40000 \SystemRoot\System32\Drivers\Beep.SYS
0xED870000 \SystemRoot\System32\drivers\vga.sys
0xF7A42000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A44000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF5B1A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF5B12000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6A53000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB27A6000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB274D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB2725000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB2703000 \SystemRoot\System32\drivers\afd.sys
0xED73E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB26D8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB2668000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xED72E000 \SystemRoot\System32\Drivers\Fips.SYS
0xB2642000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xED6FE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xED6EE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB262A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A4A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF323F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF5B02000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B9C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF040000 \SystemRoot\System32\ialmdev5.DLL
0xBF070000 \SystemRoot\System32\ialmdd5.DLL
0xBF14C000 \SystemRoot\System32\ATMFD.DLL
0xF324B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB222D000 \SystemRoot\system32\drivers\wdmaud.sys
0xF1D33000 \SystemRoot\system32\drivers\sysaudio.sys
0xB2042000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A50000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB1E82000 \SystemRoot\system32\DRIVERS\srv.sys
0xB1A59000 \SystemRoot\System32\Drivers\HTTP.sys
0xF5B0A000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{059DC9E5-B32E-48E3-9423-6018D62955E4}\MpKsl3a9f6af8.sys
0xB1733000 \SystemRoot\system32\drivers\kmixer.sys
0xB1721000 \SystemRoot\system32\drivers\klmd.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
388 C:\WINDOWS\system32\smss.exe
616 csrss.exe
648 C:\WINDOWS\system32\winlogon.exe
696 C:\WINDOWS\system32\services.exe
708 C:\WINDOWS\system32\lsass.exe
872 C:\WINDOWS\system32\svchost.exe
952 svchost.exe
1052 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1112 C:\WINDOWS\system32\svchost.exe
1268 svchost.exe
1548 svchost.exe
1568 C:\WINDOWS\explorer.exe
1736 C:\WINDOWS\system32\spoolsv.exe
1844 C:\WINDOWS\system32\hkcmd.exe
1852 C:\WINDOWS\system32\igfxpers.exe
1872 C:\Program Files\Analog Devices\Core\smax4pnp.exe
1880 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1920 C:\Program Files\Microsoft Security Client\msseces.exe
1928 C:\Program Files\iTunes\iTunesHelper.exe
1936 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
1944 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
1952 C:\WINDOWS\system32\ctfmon.exe
1964 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
1028 svchost.exe
1144 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1320 C:\Program Files\Bonjour\mDNSResponder.exe
2208 C:\Program Files\Java\jre6\bin\jqs.exe
2296 C:\WINDOWS\system32\PnkBstrA.exe
2684 C:\WINDOWS\system32\PnkBstrB.exe
2776 C:\WINDOWS\system32\svchost.exe
3584 C:\Program Files\iPod\bin\iPodService.exe
316 alg.exe
2816 C:\Program Files\Internet Explorer\iexplore.exe
3576 C:\Program Files\Internet Explorer\iexplore.exe
780 C:\Program Files\Internet Explorer\iexplore.exe
1672 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600JB-75GVC0, Rev: 08.02D08

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#8 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 25 April 2011 - 04:28 PM

I am not sure what you mean by "booted from an USB-stick".

Normally a computer boots from your hard drive.
It can be set to boot from other devices as well, like a CD or a USB stick.

When you boot your computer, try tapping the F12 key. Do you get an option to choose what you want to boot from?

Do you have a USB memory stick that we can use?
Do you have empty CDs we can use?



#9 highflys

  • Topic Starter
  • Members
  • 10 posts

Posted 25 April 2011 - 05:24 PM

I see now. I do get an option to choose what I want to boot from, of which there were 8 choices. 2 of them were CD and USB. I don't currently have a blank CD, but I do own a USB flash drive.

#10 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 25 April 2011 - 05:30 PM

Let's use the USB flash drive then.
By the way, welcome to the Linux world.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.


-------




Please go to: VirusTotal

  • On the page you'll find a Browse - button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, click on the browse - button and find the file on your USB-flashdrive.

    mbr.zip

  • Next, click the Open button.
  • Then click the Send File - button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.



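As an added example (my own code, not part of this thread and not code from dumpit, MBRCheck or any other tool named here), a Python checker for a raw 512-byte MBR dump such as the one dumpit writes to the USB drive: it verifies the 0x55AA signature, parses the partition table, confirms the first partition starts at the byte offset MBRCheck reported (0x7e00, i.e. LBA 63), and compares a SHA-1 of the whole sector against a baseline hash taken from a known-clean machine with the same Windows version. The sample MBR and the baseline scheme are my own constructions; the thread does not say which bytes MBRCheck's SHA1 line covers, so that value should not be fed in as the baseline.

```python
"""Sanity-check a raw 512-byte MBR dump (e.g. the sector dumpit writes to the
USB drive) the way a defender would before trusting the boot code.

Constructed sample data: build_sample_mbr() fabricates an MBR with the layout
MBRCheck reported in this thread (one NTFS partition starting at LBA 63, i.e.
byte offset 0x7e00); it is not a dump from the thread's machine."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR = 512
TABLE_OFFSET = 446           # the 4 x 16-byte partition entries live here
BOOT_SIG = b"\x55\xaa"       # last two bytes of a valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table slots; empty slots (type 0) are skipped."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR dump must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def mbr_sha1(mbr: bytes) -> str:
    """SHA-1 over the whole sector (boot code + partition table + signature)."""
    return hashlib.sha1(mbr).hexdigest().upper()


def check_mbr(mbr: bytes, baseline_sha1: Optional[str] = None) -> Dict:
    """Structural checks on the partition table plus, if a trusted baseline
    hash is supplied, whether the boot sector still matches it. A bootkit of
    the TDL4 kind rewrites the boot code while leaving the partition table
    intact, which only the hash comparison exposes."""
    parts = parse_partitions(mbr)
    findings: List[str] = []
    if not parts:
        findings.append("no partitions defined")
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    for p in parts:
        if p.sectors == 0:
            findings.append(f"partition {p.index} has zero length")
        if p.lba_start == 0:
            findings.append(f"partition {p.index} overlaps the MBR itself")
    # Partitions must not overlap each other
    ranges = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    digest = mbr_sha1(mbr)
    if baseline_sha1 is not None and digest != baseline_sha1.upper():
        findings.append("boot sector hash differs from the trusted baseline")
    return {"sha1": digest, "partitions": parts, "findings": findings}


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed sample: placeholder boot code and one active NTFS partition
    at LBA 63. With tamper=True a few boot-code bytes are changed, standing in
    for a bootkit overwriting the loader (the replacement bytes are arbitrary)."""
    code = bytearray(b"\xeb\xfe" + b"\x00" * (TABLE_OFFSET - 2))  # jmp $ + padding
    if tamper:
        code[2:6] = b"\xde\xad\xbe\xef"
    # CHS fields are constructed filler; LBA start 63, ~149 GB of sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 312_500_000)
    empty = b"\x00" * 16
    return bytes(code) + entry + empty * 3 + BOOT_SIG


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = mbr_sha1(clean)
    for label, sample in (("clean", clean), ("tampered", build_sample_mbr(True))):
        result = check_mbr(sample, baseline)
        first = result["partitions"][0]
        print(f"{label}: partition 0 at byte offset {first.byte_offset:#x}, "
              f"sha1={result['sha1']}, findings={result['findings']}")
```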

#11 highflys

  • Topic Starter
  • Members
  • 10 posts

Posted 25 April 2011 - 06:14 PM

Attached is the MBR file and here is the link to the results page: http://www.virustotal.com/file-scan/report.html?id=3074c68739bc718c6fdac787650133dbb458a2b25e637fb77c5cfce84ee6d054-1303773122

Attached file: mbr.zip (1.13 KB, 3 downloads)


#12 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 26 April 2011 - 06:25 AM

Let's try ComboFix once more.

Delete your current copy of ComboFix.exe from your desktop.

Download a fresh copy from one of these links and save it to your desktop.

Link 2
Link 3

Disable your security software as before.
Double-click on ComboFix.exe on your desktop.
Post the content of C:\ComboFix.txt in your reply.



#13 highflys

  • Topic Starter
  • Members
  • 10 posts

Posted 26 April 2011 - 09:38 AM

Here is the new Combofix.txt:

ComboFix 11-04-25.01 - Administrator 04/26/2011 7:21.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.656 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-26 14:15 . 2011-04-26 14:16 -------- d-----w- C:\32788R22FWJFW
2011-04-26 14:09 . 2011-04-26 14:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{059DC9E5-B32E-48E3-9423-6018D62955E4}\MpKslfbf86b99.sys
2011-04-25 14:36 . 2011-04-25 14:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-25 02:52 . 2011-04-18 16:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{059DC9E5-B32E-48E3-9423-6018D62955E4}\mpengine.dll
2011-04-22 20:04 . 2011-04-22 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2011-04-22 20:04 . 2011-04-22 20:04 -------- d-----w- c:\program files\TeamViewer
2011-04-22 01:03 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 01:02 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 01:02 . 2011-04-22 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 00:56 . 2011-04-22 00:56 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-22 00:55 . 2011-04-22 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2011-04-21 22:46 . 2011-04-21 22:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-19 08:01 . 2011-04-19 08:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-19 06:00 . 2011-04-19 06:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-19 06:00 . 2011-04-19 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-22 11:41 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-19 00:36 . 2010-12-29 03:08 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 00:36 . 2010-12-29 03:08 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11 . 2010-02-07 18:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2010-02-07 16:23 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-02-07 16:23 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-22_20.32.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-26 14:10 . 2011-04-26 14:10 16384 c:\windows\Temp\Perflib_Perfdata_864.dat
- 2004-08-04 10:00 . 2008-04-14 13:41 45568 c:\windows\system32\dnsrslvr.dll
+ 2004-08-04 10:00 . 2009-04-20 17:17 45568 c:\windows\system32\dnsrslvr.dll
+ 2009-04-20 17:17 . 2009-04-20 17:17 45568 c:\windows\system32\dllcache\dnsrslvr.dll
+ 2010-02-10 19:31 . 2011-04-22 21:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2010-02-10 19:31 . 2011-04-22 21:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2010-02-10 19:31 . 2011-04-22 21:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2010-02-10 19:31 . 2011-04-22 21:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2010-02-10 19:31 . 2011-04-22 21:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2010-02-10 19:31 . 2011-04-22 21:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2010-02-10 19:31 . 2010-12-16 01:02 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2010-02-10 19:31 . 2011-04-22 21:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2004-08-04 10:00 . 2008-06-20 16:02 245248 c:\windows\system32\mswsock.dll
- 2004-08-04 10:00 . 2008-06-20 17:46 245248 c:\windows\system32\mswsock.dll
+ 2004-08-04 10:00 . 2011-03-04 06:37 726528 c:\windows\system32\jscript.dll
- 2004-08-04 10:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2004-08-04 10:00 . 2008-08-14 10:04 138496 c:\windows\system32\drivers\afd.sys
+ 2004-08-04 10:00 . 2008-10-16 14:43 138496 c:\windows\system32\drivers\afd.sys
+ 2004-08-04 10:00 . 2011-03-03 06:55 149504 c:\windows\system32\dnsapi.dll
+ 2009-03-08 12:33 . 2011-03-04 06:37 420864 c:\windows\system32\dllcache\vbscript.dll
+ 2008-06-20 17:46 . 2008-06-20 16:02 245248 c:\windows\system32\dllcache\mswsock.dll
- 2008-06-20 17:46 . 2008-06-20 17:46 245248 c:\windows\system32\dllcache\mswsock.dll
- 2009-03-08 12:33 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 12:33 . 2011-03-04 06:37 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-06-20 17:46 . 2011-03-03 06:55 149504 c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 11:40 . 2008-10-16 14:43 138496 c:\windows\system32\dllcache\afd.sys
- 2008-06-20 11:40 . 2008-08-14 10:04 138496 c:\windows\system32\dllcache\afd.sys
+ 2011-04-22 21:04 . 2010-03-10 06:15 420352 c:\windows\ie8updates\KB2510531-IE8\vbscript.dll
+ 2011-04-22 21:04 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2510531-IE8\spuninst\updspapi.dll
+ 2011-04-22 21:04 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2510531-IE8\spuninst\spuninst.exe
+ 2011-04-22 21:04 . 2009-12-09 05:53 726528 c:\windows\ie8updates\KB2510531-IE8\jscript.dll
+ 2011-02-25 21:25 . 2011-02-25 21:25 7968256 c:\windows\Installer\e67db.msp
+ 2010-02-07 17:31 . 2011-04-22 21:06 39828936 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-26 54672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA Games\\Battlefield Play4Free\\BFP4f.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKslfbf86b99;MpKslfbf86b99;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{059DC9E5-B32E-48E3-9423-6018D62955E4}\MpKslfbf86b99.sys [4/26/2011 7:09 AM 28752]
S1 MpKsl46604889;MpKsl46604889;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{037062A2-A3C8-4675-8F64-545B8E67D4E6}\MpKsl46604889.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{037062A2-A3C8-4675-8F64-545B8E67D4E6}\MpKsl46604889.sys [?]
S1 MpKslaa63e57d;MpKslaa63e57d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\MpKslaa63e57d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3F05E9A3-A01E-4E37-B0D1-B95F640C087C}\MpKslaa63e57d.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 9:51 PM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/7/2010 1:01 AM 20160]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLFBF86B99
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 19:50]
.
2011-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 04:51]
.
2011-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 04:51]
.
2011-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
2011-04-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
2011-04-26 c:\windows\Tasks\User_Feed_Synchronization-{5AA11E49-BEA3-480F-980F-0F4A85FF826C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.26.2.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-26 07:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8632D33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-583907252-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,43,64,31,c8,19,e8,45,af,c4,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,19,95,34,8c,94,dc,48,a4,e1,06,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,19,95,34,8c,94,dc,48,a4,e1,06,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3728)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-26 07:35:19
ComboFix-quarantined-files.txt 2011-04-26 14:35
ComboFix2.txt 2011-04-25 02:50
ComboFix3.txt 2011-04-22 20:36
.
Pre-Run: 75,080,814,592 bytes free
Post-Run: 75,222,691,840 bytes free
.
- - End Of File - - E28E527C6387ECAAC169B8DB7FC5D187

#14 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 26 April 2011 - 09:44 AM

No, it didn't.

Reboot your computer.

When the black screen with the option to choose an operating system appears (see below), use the arrow keys and choose Microsoft Windows Recovery Console, then hit Enter.
(You'll only have a couple of seconds to do this, else it will proceed with a normal startup.)

Posted Image

You'll be presented with a screen similar to this one.

Posted Image

Press 1 to select your Windows installation. If you are asked for the Administrator password, type it in if one is set; otherwise leave it blank and press Enter.

You'll be presented with the command-prompt C:\WINDOWS >

Type in FIXMBR and hit Enter
There will be a question: Are you sure you want to write a new MBR?
Type y and hit Enter
Posted Image


Type EXIT and hit Enter to reboot. Let it reboot normally.

Was it successful?

-----

Rerun DDS and post its logs

Edited by heir, 26 April 2011 - 10:06 AM.
added question



#15 highflys

  • Topic Starter
  • Members
  • 10 posts

Posted 26 April 2011 - 10:35 AM

I followed those steps and think they worked. I started up TDSSKiller directly after I completed these steps and it successfully initialized. I did not use it, however; I simply wanted to see if it worked. Here is the new DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 8:25:34.71 on Tue 04/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.519 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\SoftwareDistribution\Download\c0374054817394c06e1150f2b5fba483\update\update.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265561365187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265568236734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.26.2.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
R1 MpKslb385688a;MpKslb385688a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{70f1c903-9158-47d5-831a-3c0f289ccf01}\MpKslb385688a.sys [2011-4-26 28752]
S1 MpKsl46604889;MpKsl46604889;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{037062a2-a3c8-4675-8f64-545b8e67d4e6}\mpksl46604889.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{037062a2-a3c8-4675-8f64-545b8e67d4e6}\MpKsl46604889.sys [?]
S1 MpKslaa63e57d;MpKslaa63e57d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\mpkslaa63e57d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3f05e9a3-a01e-4e37-b0d1-b95f640c087c}\MpKslaa63e57d.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-31 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2010-2-7 20160]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-26 15:24:51 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{70f1c903-9158-47d5-831a-3c0f289ccf01}\MpKslb385688a.sys
2011-04-26 14:39:01 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{70f1c903-9158-47d5-831a-3c0f289ccf01}\mpengine.dll
2011-04-22 20:18:16 -------- d-sha-r- C:\cmdcons
2011-04-22 20:12:16 89088 ----a-w- c:\windows\MBR.exe
2011-04-22 20:12:15 98816 ----a-w- c:\windows\sed.exe
2011-04-22 20:12:15 256512 ----a-w- c:\windows\PEV.exe
2011-04-22 20:12:15 161792 ----a-w- c:\windows\SWREG.exe
2011-04-22 20:04:46 -------- d-----w- c:\docume~1\admini~1\applic~1\TeamViewer
2011-04-22 20:04:02 -------- d-----w- c:\program files\TeamViewer
2011-04-22 01:03:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 01:02:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 01:02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 00:56:12 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-04-22 00:55:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applications
2011-04-21 22:46:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-21 22:46:38 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-19 06:00:42 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-04-19 06:00:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
.
==================== Find3M ====================
.
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 8:29:51.65 ===============