October 1st, 2010 08:00

Rootkit.Win32.TDSS.tdl4 virus

Hi,

My wife has this virus on her Dell Vostro 410 PC. From what I can gather off the web it hides in the MBR and reinfects the machine on every boot even after rootkit cleaners have erased it from the OS.

I have tried Kaspersky's TDSSKiller, and although it appears to have killed the OS rootkit with a tweak (renamed the file before running it), on reboot it's still in the MBR. And we are still getting redirects.

None of the tools I've been trying will function. Gmer, unhackme, prevxcsi etc. won't run - they either freeze or shut down. I haven't tried Combofix yet but I don't expect I'll fare any better with that and I wouldn't know how to use it anyway without help. Kaspersky's online scanner freezes on the page as do all other Kaspersky pages (I managed to download TDSSKiller by downloading it to my machine and transferring it using a pendrive).

One fix appears to be replacing the MBR with a copy through the recovery console using the fixmbr tool. However, Dell PCs use a proprietary MBR and replacing it in this way will bugger up the partitions, see here:

http://en.community.dell.com/support-forums/software-os/f/3524/t/19325495.aspx

and here:

I need help with this and if possible a copy of a Dell MBR. Apparently it doesn't matter which Dell model it comes from. The site above explains it in more detail.

Hitting F12 at boot gives me the following information:

HARD DISK 
 
      - SATA-0 Hitachihi HDP725050GLA36
      - BOOTABLE ADD-IN CARDS
CDROM
UTILITY PARTITION

I tried Dell telephone support (we still have support until 2012, but only hardware, it seems, so no help there except a remote reinstall for a fee. I'm hoping to avoid that). 

I've been at this for days now and am exhausted looking for a fix.


Tony 
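An added check, not code from the thread or from Dell: it parses a 512-byte MBR, separates the boot code from the partition table, and compares the boot code with a baseline hash. That split is the point behind the worry above, since a vendor MBR such as Dell's has to be checked against its own baseline rather than a generic Microsoft one, and a rootkit that "hides in the MBR" changes the boot code while the partition table still parses cleanly. The sample MBR, its two-partition layout and the 0xDE/0x07 type IDs are assumptions built in memory so the script runs offline.

```python
"""Verify an MBR's boot code against a vendor baseline while confirming the
partition table is intact.  Constructed example: the MBR is synthesised in
memory.  On a real machine the 512 bytes would come from
open(r"\\\\.\\PhysicalDrive0", "rb").read(512) (Windows, administrator) or
open("/dev/sda", "rb").read(512) (Linux, root)."""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_END = 0x1BE          # bytes 0x000-0x1BD: boot code (446 bytes)
PART_TABLE_END = 0x1FE         # bytes 0x1BE-0x1FD: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 0x1FE-0x1FF


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the four partition slots; empty slots are skipped."""
    parts = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and size == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, size))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the boot code, so a partition edit does not mask a code change."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_boot_sha256: str) -> dict:
    """Return the boot-code hash, the parsed partitions and a list of findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []
    if mbr[PART_TABLE_END:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        findings.append("partition LBA ranges overlap")
    digest = boot_code_sha256(mbr)
    if digest != baseline_boot_sha256:
        findings.append("boot code differs from the vendor baseline")
    return {"boot_code_sha256": digest, "partitions": parts, "findings": findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: pad the given boot-code bytes to 446 and append a
    two-entry partition table modelled on the thread's layout (utility
    partition first, Windows second).  0xDE is the commonly documented Dell
    utility partition type and 0x07 is NTFS; both are assumptions for the
    demo, not values read from the poster's disk."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    entries = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0xDE, b"\0\0\0", 63, 80262)
    entries += struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 80325, 976462335)
    entries += b"\x00" * 32   # two empty slots
    return code + entries + BOOT_SIGNATURE


# Stand-in boot code (a jump-to-self, so the bytes are inert).  On a real
# system the baseline hash would be taken from a known-clean vendor MBR.
CLEAN_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 100
BASELINE_SHA256 = boot_code_sha256(build_sample_mbr(CLEAN_BOOT_CODE))


def demo() -> tuple[dict, dict]:
    """Check a clean sample and one whose boot code was overwritten while
    the partition table was left alone, which is why the disk still boots."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    tampered = bytearray(clean)
    tampered[0:16] = b"\xCC" * 16
    return check_mbr(clean, BASELINE_SHA256), check_mbr(bytes(tampered), BASELINE_SHA256)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result["boot_code_sha256"][:16], result["findings"])
        for p in result["partitions"]:
            print("   ", p)
```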

October 1st, 2010 11:00

Hello Tony and welcome

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.



I note you have been using a pen drive to transfer to the infected PC, that's what we'll do with Combofix. Please proceed as follows on a known clean PC.

Download Combofix from either of the following links and save to your Pen drive

Link 1
Link 2

Before you save it change the name to Gotcha.exe as below, I know it says desktop on the image, but you'll save to your pen drive.

[image: save dialog showing the ComboFix download renamed to Gotcha.exe]

Transfer to the infected PC Desktop, it must be run from the Desktop nowhere else <--- Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Double click Gotcha.exe icon to start, if CF asks to install the Recovery console, please allow it. Just follow the prompts..

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Kevin

October 1st, 2010 12:00

Kevin,

Thanks.

Just to update you - I managed to get Kaspersky's online virus check to run. I had made the mistake of using Opera, this seems to be the reason it wasn't running. It means I can get online, but it's a bit flaky - plus I ran the Kaspersky online tool up to 19% before I stopped it, by which time it had found a lot of trojans. It's probably a good idea to keep the machine off-line from now on.

I'll run the Combofix tool and get back to you.

I'm relieved there's someone out there trying to help.

Again, thanks.

Tony

October 1st, 2010 13:00

OK Tony, any time you're ready...

Kevin

October 1st, 2010 14:00

I'm usually here Tony, just post when you're ready. Make sure you back up any important data. TDL4 is a nasty infection and always has plenty of friends with it..

Kevin

October 1st, 2010 14:00

Hi Kevin,

Great - get back to you soon.

Tony

October 1st, 2010 14:00

Hi Tony,

I'm in the UK myself, CF takes approximately 10 minutes to run, this may extend to 20 minutes on heavily infected systems..

Kevin

October 1st, 2010 14:00

Hi Kevin,

Sorry, I've had to deal with something else - non-PC related - and haven't been able to run it yet. How long does Combofix take to run? I ask as it's late evening here in the UK and if it's hours then we'll need to pick this up again tomorrow.

Thanks again.

Tony 

October 1st, 2010 15:00

Hi Kevin,

Unfortunately things don't seem to be going to plan.

Attempt 1:

Downloaded the Combofix file and gave it a random name. Transferred via the pen drive to the desktop, ran it, got a splash screen asking me to accept the conditions, I accepted and was greeted with the message, Combofix must have an alphanumerical name - install aborted (there was a " [ " symbol in the name).

Attempt 2:

Downloaded the Combofix file again and gave it the name Gotcha.exe this time as directed.  Transferred it via the pen drive to the desktop, ran it, blue dosbox opened with the message "access denied". Install aborted.

Attempt 3:

Renamed the Gotcha.exe file in the pendrive to zfh.exe. Transferred to the desktop. This time something popped up very briefly in a blue dosbox again before returning the "access denied" message again. However, this time after a little delay it started (is the "access denied" message normal behaviour? - if so, it foxed me). It asked me to download and install the recovery console (done) and reboot (done). It's now scanning.

Update:

About 10 minutes ago I heard the windows shutdown sound and went to look (I'm on a different floor to my wife's PC). It's frozen at the shutdown stage - just a blank blue screen (not a BSOD - it's the desktop colour) and the cursor.

Shall I switch off and switch back on?

Tony

October 1st, 2010 15:00

If CF is dealing with a Rootkit it may re-boot and sit idle for several minutes then boot again, leave it a while and see how it goes, if no change after 30mins force a re-start and let me know..

TDL4 is very unpredictable, let's see how it goes..

Kevin

October 1st, 2010 16:00

Hi Kevin,

No luck. Continued to be stuck on blank desktop and cursor for  30+ mins so I've shut down and restarted. Unfortunately it's now stuck at the same spot only on startup rather than shutdown.

This freeze at shutdown and startup has been going on since the infection started and the only way I've managed to get things going again is to go into safe mode (which has also been subject to flakiness) and run the disk cleanup tool. That takes a few hours to complete. I can run that now and we can pick it up again in the morning but will this affect how Combofix works?

You're right on the button about the friends this virus keeps. They are legion. I can't recall exactly how many viruses Kaspersky's online scanner found but it was up around 20 or more and had only completed 19% of its scan. And this is with McAfee installed. I don't think any of the updates have been working.

Tony

October 1st, 2010 16:00

Hi Tony,

Yep this is a real nasty piece of work, it does bring in a considerable amount of malware. Delete the re-named version of CF from the Desktop. Reboot into Safemode with Networking.

To do this, re-boot and continuously tap the F8 key until you see the Advanced Windows menu screen. You will see several options, select Safe mode with networking. Follow the prompts, when you have a stable Desktop download Combofix from any of the following links:

Link 1
Link 2

Don't forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note:  Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Be aware, because you are running in Safe mode if CF forces a re-boot you must be there to tap F8 key to get into Safe mode again, bit of a pain but necessary.

Post the log in your reply

Kevin

October 1st, 2010 16:00

Hi Kevin,

I have to go now - been up since 6am. We'll pick this up again in the morning.

Thanks again for all your help.

Tony

October 2nd, 2010 02:00

Hi Kevin,

I booted into safe mode and Combofix started up immediately, ran and produced the report below. I let it run even though it's not a new downloaded copy as you instructed. Should I start over and run a completely new copy or is this one OK?

Tony

ComboFix 10-09-30.05 - Administrator 01/10/2010 22:09:11.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2573 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\zfh.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Idan
c:\documents and settings\Administrator\Application Data\Idan\mokul.exe
c:\documents and settings\Administrator\Application Data\Ynylet
c:\documents and settings\Administrator\Application Data\Ynylet\xafo.exe
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
C:\Thumbs.db
c:\windows\run.log
c:\windows\system32\sfcfiles.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-10-01 20:42 . 2010-10-01 20:43 -------- d-----w- C:\Gotcha
2010-10-01 20:27 . 2010-10-01 20:33 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-10-01 18:44 . 2010-10-01 18:46 -------- d-----w- C:\32788R22FWJFW.0.tmp
2010-10-01 16:46 . 2010-10-01 16:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MicroVision Applications
2010-09-29 10:43 . 2010-09-29 10:43 2206006444 ----a-w- C:\Ingela.zip
2010-09-27 21:28 . 2010-09-27 21:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-09-27 21:28 . 2010-09-27 21:28 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-09-27 21:25 . 2010-09-27 21:25 2 --shatr- c:\windows\winstart.bat
2010-09-27 21:24 . 2010-09-27 21:24 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-09-27 21:24 . 2010-09-27 21:24 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-09-24 20:31 . 2010-09-24 20:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-20 16:21 . 2010-09-20 16:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-18 10:30 . 2010-09-18 10:30 57940 ---ha-w- c:\windows\system32\mlfcache.dat
2010-09-16 07:47 . 2010-09-16 07:49 -------- d-----w- c:\program files\QuickTime
2010-09-16 07:46 . 2010-09-16 07:46 -------- d-----w- c:\program files\Safari
2010-09-16 07:44 . 2010-09-16 07:44 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-16 07:43 . 2010-09-16 07:44 -------- d-----w- c:\program files\iTunes
2010-09-16 07:43 . 2010-09-16 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-16 07:38 . 2010-09-16 07:38 -------- d-----w- c:\program files\Bonjour
2010-09-16 07:36 . 2010-09-16 07:36 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 12:02 . 2009-08-08 15:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-01 11:58 . 2006-05-27 10:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cyiq
2010-09-29 16:19 . 2008-03-28 09:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Afkuc
2010-09-18 10:28 . 2008-08-16 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-09-16 07:55 . 2008-09-07 07:50 -------- d-----w- c:\program files\Apple Software Update
2010-09-16 07:43 . 2008-08-16 10:58 -------- d-----w- c:\program files\iPod
2010-09-16 07:43 . 2008-09-07 07:50 -------- d-----w- c:\program files\Common Files\Apple
2010-09-14 17:23 . 2010-04-21 16:56 -------- d-----w- c:\program files\Common Files\TerraTec
2010-09-12 07:24 . 2009-06-22 19:57 -------- d-----w- c:\program files\Opera 10 Beta
2010-09-05 13:32 . 2008-08-28 13:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2010-09-05 13:32 . 2008-08-28 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-09-05 13:14 . 2008-08-06 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-24 13:58 . 2008-08-06 20:58 -------- d-----w- c:\program files\McAfee.com
2010-08-24 13:57 . 2010-08-23 17:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 13:57 . 2010-08-23 17:24 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2010-08-23 17:24 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 13:57 . 2010-08-23 17:24 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 13:57 . 2010-08-23 17:24 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 13:57 . 2010-08-23 17:24 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 13:57 . 2010-08-23 17:24 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 13:57 . 2008-08-06 20:58 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 13:57 . 2008-08-06 20:58 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 13:57 . 2008-08-06 20:58 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-23 21:54 . 2008-08-06 20:57 -------- d-----w- c:\program files\McAfee
2010-08-23 21:54 . 2008-08-06 20:58 -------- d-----w- c:\program files\Common Files\McAfee
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2004-08-11 16:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-05 21:12 . 2008-08-06 20:51 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 21:12 . 2008-08-06 20:51 -------- d-----w- c:\program files\Java
2010-08-04 13:52 . 2010-08-04 13:52 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f257f6f-n\decora-sse.dll
2010-08-04 13:52 . 2010-08-04 13:52 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\msvcp71.dll
2010-08-04 13:52 . 2010-08-04 13:52 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\jmc.dll
2010-08-04 13:52 . 2010-08-04 13:52 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f7810d4-n\msvcr71.dll
2010-08-04 13:52 . 2010-08-04 13:52 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4f257f6f-n\decora-d3d.dll
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49 . 2004-08-11 16:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-05-30 18:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00 . 2010-05-06 22:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-06 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-25 135664]
"Remote Control Editor"="c:\program files\Common Files\TerraTec\Remote\TTTVRC.exe" [2010-06-09 1689088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-09 8523776]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-20 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-21 14:21 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\tvtvSetup\\tvtv_Wizard.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\CinergyDvr.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\VersionCheck\\VersionCheck.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\ChannelEditor\\CinergyDvrChannelEditor.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\InstTool.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/05/2009 20:37 64160]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [23/08/2010 18:24 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [23/08/2010 18:24 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [23/08/2010 18:24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [23/08/2010 18:24 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [23/08/2010 18:24 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [23/08/2010 18:24 88544]
S2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [06/08/2008 21:55 8960]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [23/08/2010 18:24 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [23/08/2010 18:24 55840]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [06/08/2008 21:55 11264]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [06/08/2008 21:56 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [23/08/2010 18:24 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [23/08/2010 18:24 84264]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [27/09/2010 22:24 35816]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [11/08/2008 14:23 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [11/08/2008 14:23 14336]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [27/09/2010 22:28 24416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [06/08/2008 21:55 16640]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [07/03/2010 17:26 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [07/03/2010 17:26 85696]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 20:42 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:37]

2010-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2010-10-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-06 17:34]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:42]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:42]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154240400-2109932074-3037798612-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-11 19:47]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4154240400-2109932074-3037798612-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-11 19:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://195.196.36.242/activex/AMC.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{A1EF8499-9AC3-D799-3D5C-89C1B5EEB649} - c:\documents and settings\Administrator\Application Data\Ynylet\xafo.exe
HKCU-Run-{AAFDDB40-E13D-5DD1-732D-41B4478CA122} - c:\documents and settings\Administrator\Application Data\Idan\mokul.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD27C76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
\Driver\iaStor -> iaStor.sys @ 0xf7b52002
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba75bbb0
PacketIndicateHandler -> NDIS.sys @ 0xba768a21
SendHandler -> NDIS.sys @ 0xba74687b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4154240400-2109932074-3037798612-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,ca,2f,51,18,8d,dd,49,96,3c,55,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a6,ca,2f,51,18,8d,dd,49,96,3c,55,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1036)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-10-02 09:02:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-02 08:02

Pre-Run: 294,111,879,168 bytes free
Post-Run: 298,456,702,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 21BF8B7DAFD886EBFDC9B23687EAED52

October 2nd, 2010 03:00

Hiya Tony,

No need to re-run CF at present. As follows please:

Step 1

Run an online virus scan with Kaspersky from HERE. Use Internet Explorer to get there. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page, press "Accept" after reading the contents.
2. At the next window select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report.
6. Select "Save error report as".
Then in the file name just type in kaspersky.
Under "save as type" select text .txt.
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post the logs from Kaspersky and Security Check, and also a system update: improvements? issues?

Kevin

October 2nd, 2010 09:00

Hi Kevin,

That did take some time. Here are the logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Saturday, October 2, 2010
 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Saturday, October 02, 2010 04:29:38
 Records in database: 4274019
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 114896
Threats found: 6
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 03:21:40

File name / Threat / Threats count
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\0\10923d80-4f3c8d5c Infected: Exploit.Java.CVE-2008-5353.c 2
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\41ede39a-4db7a13b Infected: Exploit.Java.CVE-2008-5353.e 4
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\44\6751d9ec-5a961ce5 Infected: Exploit.Java.CVE-2008-5353.d 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Idan\mokul.exe.vir Infected: Trojan-Spy.Win32.Zbot.apxr 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Ynylet\xafo.exe.vir Infected: Packed.Win32.Krap.ao 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP620\A0089049.exe Infected: Trojan-Spy.Win32.Zbot.apxr 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP620\A0089050.exe Infected: Packed.Win32.Krap.ao 1
C:\Tony\DVD region free stuff\DVD region killer v2.7.0.2.exe Infected: not-a-virus:AdWare.Win32.CommonName.af 1

Selected area has been scanned.

 

 Results of screen317's Security Check version 0.99.5
 Windows XP Service Pack 3
 Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Disabled!
 McAfee SecurityCenter
 Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
 Ad-Aware
 Java(TM) 6 Update 21
 Java(TM) 6 Update 5
 Java(TM) 6 Update 7
 Out of date Java installed!
 Adobe Flash Player 10.1.82.76
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
````````````````````````````````
DNS Vulnerability Check:
 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Tony