Help removing rootkit - TDL4@MBR


I'm looking to try to clean up my machine and remove the rootkit.

Some of the symptoms were Google redirects and a few BSODs, which got me started, but I haven't had the time to figure this out on my own.

(It apparently is a nasty one too.)

I have two machines which are infected; I'm working from a third running Ubuntu. I'm only concerned with cleaning one of the two right now.

I have disconnected it from the internet by turning off Wi-Fi and unplugging the Ethernet.

Here are logs from the Malwarebytes quick scan, DDS, and GMER.

(TDL4 was identified by GMER.)

mbam:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.08.06

Windows 7 x86 NTFS

Internet Explorer 8.0.7600.16385

Steve :: STEVE-PC [administrator]

Protection: Enabled

3/8/2012 18:00:49

mbam-log-2012-03-08 (18-00-49).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 229833

Time elapsed: 53 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

DDS.txt:

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24

Run by Steve at 17:48:02 on 2012-03-08

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3003.1470 [GMT -5:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\taskeng.exe

C:\Users\Steve\AppData\Local\Facebook\Update\FacebookUpdate.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb

uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-vNWc

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\19.5.0.145\coIEPlg.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\19.5.0.145\ips\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\19.5.0.145\coIEPlg.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: kent.edu

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.10

TCP: Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : NameServer = 4.4.4.4

TCP: Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : DhcpNameServer = 192.168.0.10

TCP: Interfaces\{5B8C45EB-2BC3-4EE1-8E9B-F584FD1E4B9F} : DhcpNameServer = 10.0.1.1

TCP: Interfaces\{8F5E5641-8B8C-4FB8-AEDF-C315B2B7F694} : DhcpNameServer = 10.0.1.1

TCP: Interfaces\{8F5E5641-8B8C-4FB8-AEDF-C315B2B7F694}\2375942554832353 : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{8F5E5641-8B8C-4FB8-AEDF-C315B2B7F694}\3425E414 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{8F5E5641-8B8C-4FB8-AEDF-C315B2B7F694}\342716A7976657E6 : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{8F5E5641-8B8C-4FB8-AEDF-C315B2B7F694}\362716A7976657E6 : DhcpNameServer = 209.18.47.61 209.18.47.62

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\steve\appdata\roaming\mozilla\firefox\profiles\34jggw5p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\common files\wolfram research\browser\8.0.0.1818576\npmathplugin.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\users\steve\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\users\steve\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\users\steve\appdata\roaming\facebook\npfbplugin_1_0_0.dll

FF - plugin: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\34jggw5p.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npAclmPlugin.dll

FF - plugin: c:\users\steve\appdata\roaming\mozilla\firefox\profiles\34jggw5p.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R0 bdisk;C.O.M.O.D.O. Disk Raw Access Filter;c:\windows\system32\drivers\bdisk.sys [2010-1-7 69672]

R0 CBUfs;CBUfs;c:\windows\system32\drivers\cbufs.sys [2010-1-7 121696]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1305000.091\SymDS.sys [2012-2-12 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1305000.091\SymEFA.sys [2012-2-12 905336]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.5.0.145\definitions\bashdefs\20120215.001\BHDrvx86.sys [2012-2-15 820344]

R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1305000.091\ccSetx86.sys [2012-2-12 132744]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.5.0.145\definitions\ipsdefs\20120217.003\IDSvix86.sys [2012-2-18 368248]

R1 pfmfs_463;pfmfs_463;c:\windows\system32\drivers\pfmfs_463.sys [2011-12-14 191848]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1305000.091\Ironx86.sys [2012-2-12 149624]

R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\nis\1305000.091\symnets.sys [2012-2-12 318584]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-21 652360]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\19.5.0.145\ccSvcHst.exe [2012-2-12 138248]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-12 106104]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-21 20464]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2011-10-1 13224]

S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-31 163328]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-10-23 166912]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]

S3 StkMini;iREZ K2r;c:\windows\system32\drivers\StkMini.sys [2010-8-26 850438]

S3 tvnserver;TightVNC Server;"c:\program files\tightvnc\tvnserver.exe" -service --> c:\program files\tightvnc\tvnserver.exe [?]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2010-3-25 31824]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]

S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]

S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2011-10-1 155344]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

S4 StkSSrv;Syntek DC-112X Service;c:\windows\system32\StkSrv2k.exe [2010-8-26 24576]

S4 SynchronizationService.exe;Comodo BackUp Service;c:\program files\comodo\comodo backup\SynchronizationService.exe [2010-1-7 942328]

S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]

S4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-11 1343400]

.

=============== Created Last 30 ================

.

2012-03-08 20:55:57 -------- d-----w- C:\_Quarantine

2012-02-21 21:38:03 -------- d-----w- c:\users\steve\appdata\roaming\Malwarebytes

2012-02-21 21:37:55 -------- d-----w- c:\programdata\Malwarebytes

2012-02-21 21:37:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-21 21:37:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-21 16:35:25 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit

2012-02-21 16:33:21 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)

2012-02-21 16:32:55 -------- d-----w- c:\program files\Application Verifier

2012-02-16 05:14:08 139776 ----a-w- c:\programdata\microsoft\windows\drm\2B04.tmp

2012-02-14 03:04:16 -------- d-----w- c:\users\steve\appdata\roaming\Gmail Notifier Plus

2012-02-13 01:34:44 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2012-02-13 01:34:44 -------- d-----w- c:\program files\Symantec

2012-02-13 01:34:44 -------- d-----w- c:\program files\common files\Symantec Shared

2012-02-13 01:34:02 905336 ----a-r- c:\windows\system32\drivers\nis\1305000.091\SymEFA.sys

2012-02-13 01:34:02 574584 ----a-r- c:\windows\system32\drivers\nis\1305000.091\srtsp.sys

2012-02-13 01:34:02 340088 ----a-r- c:\windows\system32\drivers\nis\1305000.091\SymDS.sys

2012-02-13 01:34:02 32888 ----a-r- c:\windows\system32\drivers\nis\1305000.091\srtspx.sys

2012-02-13 01:34:02 318584 ----a-r- c:\windows\system32\drivers\nis\1305000.091\symnets.sys

2012-02-13 01:34:02 149624 ----a-r- c:\windows\system32\drivers\nis\1305000.091\Ironx86.sys

2012-02-13 01:34:01 132744 ----a-r- c:\windows\system32\drivers\nis\1305000.091\ccSetx86.sys

2012-02-13 01:33:02 4782 ----a-r- c:\windows\system32\drivers\nis\1305000.091\SymVTcer.dat

2012-02-13 01:32:57 -------- d-----w- c:\windows\system32\drivers\nis\1305000.091

2012-02-12 19:11:11 -------- d-----w- c:\users\steve\appdata\local\NPE

2012-02-11 01:28:03 -------- d-----w- C:\NBRT

2012-02-10 05:56:18 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0401000.00F

2012-02-10 05:56:18 -------- d-----w- c:\windows\system32\drivers\NBRTWizard

2012-02-10 05:56:16 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard

2012-02-09 16:07:49 -------- d-----w- c:\program files\NirSoft

2012-02-08 22:05:25 -------- d-----w- C:\inetpub

.

==================== Find3M ====================

.

2012-01-31 02:18:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 17:48:47.87 ===============

Attach.txt:

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 12/21/2009 20:49:22

System Uptime: 3/8/2012 16:03:41 (1 hours ago)

.

Motherboard: Hewlett-Packard | | 3612

Processor: Pentium® Dual-Core CPU T4200 @ 2.00GHz | CPU | 2000/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 222 GiB total, 24.869 GiB free.

D: is FIXED (NTFS) - 11 GiB total, 1.831 GiB free.

E: is CDROM (UDF)

H: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

"GNU gdb 5.2.1"

µTorrent

7-Zip 4.65

Acrobat.com

Activation Assistant for the 2007 Microsoft Office suites

ActiveCheck component for HP Active Support Library

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.3.1

Adobe Shockwave Player

Age of Empires III

AIM 7

Amazon Kindle For PC

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Application Verifier

ArcSoft Panorama Maker 5

Atheros Driver Installation Program

Auslogics Duplicate File Finder

Bonjour

Byki

Byki Express

Cisco AnyConnect VPN Client

Cisco Network Magic

Cobian Backup 9

COMODO BackUp

Compatibility Pack for the 2007 Office system

CyberLink DVD Suite

Debugging Tools for Windows (x86)

digestIT 2004

DjVuLibre+DjView

Duplicate Cleaner 1.4.7c

e7note

EASEUS Data Recovery Wizard Free Edition 5.0.1

EPSON Artisan 830 Series Printer Uninstall

Epson Event Manager

Epson FAX Utility

EPSON NX100 Series Printer Uninstall

Epson PC-FAX Driver

EPSON Scan

EpsonNet Print

EpsonNet Setup 3.3

ESU for Microsoft Vista

Facebook Plug-In

Facebook Video Calling 1.1.1.1

FileOpen Client

foldit

Geany 0.19

Google Chrome

Google Earth

HDAUDIO Soft Data Fax Modem with SmartCP

Hotfix for Microsoft Visual Basic 2010 Express - ENU (KB2635973)

Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2542054)

Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2635973)

Hotfix for Microsoft Visual Web Developer 2010 Express - ENU (KB2548139)

Hotfix for Microsoft Visual Web Developer 2010 Express - ENU (KB2635973)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)

Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)

HP Active Support Library

HP Customer Experience Enhancements

HP Doc Viewer

HP DVD Play 3.7

HP Help and Support

HP Quick Launch Buttons 6.40 H2

HP Total Care Advisor

HP Total Care Setup

HP Update

HP USB Disk Storage Format Tool

HP User Guides 0118

HP Wireless Assistant

HPAsset component for HP Active Support Library

HPNetworkAssistant

InfraRecorder

inSSIDer

inSSIDer 2.0

Intel® Graphics Media Accelerator Driver

iTunes

Java Auto Updater

Java DB 10.5.3.0

Java 6 Update 24

Java 6 Update 7

Java SE Development Kit 6 Update 18

LabelPrint

LightScribe System Software 1.14.17.1

Malwarebytes Anti-Malware version 1.60.1.1000

Mathematica Extras 8.0 (1818576)

MATLAB R2009a

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Application Error Reporting

Microsoft ASP.NET MVC 2

Microsoft ASP.NET MVC 2 - VWD Express 2010 Tools

Microsoft Help Viewer 1.0

Microsoft Help Viewer 1.1

Microsoft Image Composite Editor

Microsoft IntelliPoint 7.1

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Silverlight 3 SDK

Microsoft Silverlight 4 SDK

Microsoft SQL Server 2008

Microsoft SQL Server 2008 Browser

Microsoft SQL Server 2008 Common Files

Microsoft SQL Server 2008 Database Engine Services

Microsoft SQL Server 2008 Database Engine Shared

Microsoft SQL Server 2008 Native Client

Microsoft SQL Server 2008 R2 Management Objects

Microsoft SQL Server 2008 RsFx Driver

Microsoft SQL Server 2008 Setup Support Files

Microsoft SQL Server Compact 3.5 SP2 ENU

Microsoft SQL Server Database Publishing Wizard 1.4

Microsoft SQL Server System CLR Types

Microsoft SQL Server VSS Writer

Microsoft Visual Basic 2010 Express - ENU

Microsoft Visual C++ Compilers 2010 Standard - enu - x86

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219

Microsoft Visual C++ 2010 Express - ENU

Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools

Microsoft Visual Studio 2010 Service Pack 1

Microsoft Visual Studio 2010 Tools for Office Runtime (x86)

Microsoft Visual Web Developer 2010 Express - ENU

Microsoft Windows Performance Toolkit

Microsoft Windows SDK for Windows 7 (7.1)

Microsoft Windows SDK for Windows 7 Common Utilities (30514)

Microsoft Windows SDK for Windows 7 Headers and Libraries (30514)

Microsoft Windows SDK for Windows 7 Samples (30514)

Microsoft Windows SDK for Windows 7 Utilities for Win32 Development (30514)

Microsoft Windows SDK Intellisense and Reference Assemblies (30514)

Microsoft Windows SDK MSHelp (30514)

Microsoft Windows SDK Net Fx Interop Headers And Libraries (30514)

Microsoft Works

MiKTeX 2.8

MinGW 5.1.6

MiniStumbler 0.4.0 (remove only)

Mozilla Firefox 10.0.2 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

muvee Reveal

NetWaiting

Network Magic

Network Stumbler 0.4.0 (remove only)

NirSoft ServiWin

Norton Bootable Recovery Tool Wizard

Norton Internet Security

Notepad++

Panasonic DVC USB Driver

Pismo File Mount Audit Package

Power2Go

PowerDirector

Pure Networks Platform

PuTTY version 0.60

Qt Eclipse Integration 1.6.1

Qt SDK 2010.02.1

QuickTime

Realtek 8169 8168 8101E 8102E Ethernet Driver

Realtek USB 2.0 Card Reader

ROOT

Rosetta Stone Version 3

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Service Pack 1 for SQL Server 2008 (KB968369)

SimCity 4 Deluxe

SimCity Societies

Skype Click to Call

Skype 5.5

Sony Ericsson PC Companion 2.02.002

Sony Ericsson Update Engine

Spelling Dictionaries Support For Adobe Reader 9

Sql Server Customer Experience Improvement Program

Sun VirtualBox

Synaptics Pointing Device Driver

TomTom HOME 2.7.3.1894

TomTom HOME Visual Studio Merge Modules

Unified Remote

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition

Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition

Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU

VLC media player 1.0.2

VMD 1.9

WCF RIA Services V1.0 SP1

Web Deployment Tool

Winamp

WinDjView 1.0.3

Windows Media Player Firefox Plugin

Windows SDK IntellisenseNFX

WinEdt

Wolfram Mathematica 8 for Students (M-WIN-G 8.0.0 1819003)

.

==== Event Viewer Messages From Past Week ========

.

3/8/2012 17:39:45, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

3/8/2012 15:44:19, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/8/2012 15:43:45, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccSet_NIS discache eeCtrl IDSVix86 spldr SRTSPX SymIRON SymNetS VBoxDrv VBoxUSBMon Wanarpv6

3/8/2012 15:28:00, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.

3/8/2012 14:22:31, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.

3/7/2012 15:44:00, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x83c8d530, 0x8e12b864, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 030712-131555-01.

3/6/2012 07:27:03, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x843e0487, 0xba2d1708, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 030612-118747-01.

3/5/2012 21:47:19, Error: Service Control Manager [7000] - The IPsec Policy Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/5/2012 21:47:02, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IPsec Policy Agent service to connect.

.

==== End Of File ===========================

I will run the scan and post the results afterwards.

For the moment here is the log for GMER:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit quick scan 2012-03-08 16:34:35

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545025B9A300 rev.PB2OCA0G

Running: d42rehxr.exe; Driver: C:\Users\Steve\AppData\Local\Temp\ugloypob.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs CBUFS.sys (COMODO Safe Backup/COMODO Security Solutions Inc.)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Here is the report from the scan.

(Also, I think I may have replaced the MBR using TDSSKiller.)

RogueKiller V7.3.1 [03/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User: Steve [Admin rights]

Mode: Scan -- Date: 03/14/2012 00:22:37

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : NameServer (4.4.4.4) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : NameServer (4.4.4.4) -> FOUND

[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : NameServer (4.4.4.4) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[13] : NtAlertResumeThread @ 0x83D1DEEF -> HOOKED (Unknown @ 0x87D123C0)

SSDT[14] : NtAlertThread @ 0x83CCBC88 -> HOOKED (Unknown @ 0x87D124A0)

SSDT[19] : NtAllocateVirtualMemory @ 0x83C8D37B -> HOOKED (Unknown @ 0x87D12DB0)

SSDT[22] : NtAlpcConnectPort @ 0x83C94D8D -> HOOKED (Unknown @ 0x86A70D68)

SSDT[43] : NtAssignProcessToJobObject @ 0x83C3879A -> HOOKED (Unknown @ 0x87D18A18)

SSDT[74] : NtCreateMutant @ 0x83CC0184 -> HOOKED (Unknown @ 0x87D18FC0)

SSDT[86] : NtCreateSymbolicLinkObject @ 0x83C50441 -> HOOKED (Unknown @ 0x87D18738)

SSDT[87] : NtCreateThread @ 0x83D1C186 -> HOOKED (Unknown @ 0x87D103F0)

SSDT[88] : NtCreateThreadEx @ 0x83C7A2B1 -> HOOKED (Unknown @ 0x87D18828)

SSDT[96] : NtDebugActiveProcess @ 0x83CF171C -> HOOKED (Unknown @ 0x87D18AF8)

SSDT[111] : NtDuplicateObject @ 0x83CBD631 -> HOOKED (Unknown @ 0x87D12F80)

SSDT[131] : NtFreeVirtualMemory @ 0x83AF495D -> HOOKED (Unknown @ 0x87D12BD0)

SSDT[145] : NtImpersonateAnonymousToken @ 0x83C33FCC -> HOOKED (Unknown @ 0x87D12200)

SSDT[147] : NtImpersonateThread @ 0x83C99BA9 -> HOOKED (Unknown @ 0x87D122E0)

SSDT[155] : NtLoadDriver @ 0x83BE2295 -> HOOKED (Unknown @ 0x875E2DE0)

SSDT[168] : NtMapViewOfSection @ 0x83CC0446 -> HOOKED (Unknown @ 0x87D12AD0)

SSDT[177] : NtOpenEvent @ 0x83CC2AD6 -> HOOKED (Unknown @ 0x87D18EE0)

SSDT[190] : NtOpenProcess @ 0x83CC2AA0 -> HOOKED (Unknown @ 0x87D10298)

SSDT[191] : NtOpenProcessToken @ 0x83C7DE51 -> HOOKED (Unknown @ 0x87D12EA0)

SSDT[194] : NtOpenSection @ 0x83CC0729 -> HOOKED (Unknown @ 0x87D18D20)

SSDT[198] : NtOpenThread @ 0x83CC13F7 -> HOOKED (Unknown @ 0x87D101A8)

SSDT[215] : NtProtectVirtualMemory @ 0x83CC11B0 -> HOOKED (Unknown @ 0x87D18928)

SSDT[304] : NtResumeThread @ 0x83CB353E -> HOOKED (Unknown @ 0x87D12580)

SSDT[316] : NtSetContextThread @ 0x83D1D28B -> HOOKED (Unknown @ 0x87D12820)

SSDT[333] : NtSetInformationProcess @ 0x83C8E975 -> HOOKED (Unknown @ 0x87D12900)

SSDT[350] : NtSetSystemInformation @ 0x83CCC365 -> HOOKED (Unknown @ 0x87D18BD8)

SSDT[366] : NtSuspendProcess @ 0x83D1DE2B -> HOOKED (Unknown @ 0x87D18E00)

SSDT[367] : NtSuspendThread @ 0x83CDABC6 -> HOOKED (Unknown @ 0x87D12660)

SSDT[370] : NtTerminateProcess @ 0x83CA30AD -> HOOKED (Unknown @ 0x87D104F0)

SSDT[371] : NtTerminateThread @ 0x83CB5E53 -> HOOKED (Unknown @ 0x87D12740)

SSDT[385] : NtUnmapViewOfSection @ 0x83CBD24B -> HOOKED (Unknown @ 0x87D129F0)

SSDT[399] : NtWriteVirtualMemory @ 0x83CC8B25 -> HOOKED (Unknown @ 0x87D12CC0)

S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x88A08518)

S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x889F24A8)

S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x88B92C20)

S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x88B6E448)

S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x88B9EA80)

S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x88C486C8)

S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x88C0C2B0)

S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x88C48C88)

S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x87EB8B90)

S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x88B620B0)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545025B9A300 ATA Device +++++

--- User ---

[MBR] 6161d365bf34a14a22c64b609f44f895

[BSP] 7bee9f9671fc45dd1e9e63a44ed16817 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 227288 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465487872 | Size: 11183 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

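The two checks that matter most in the logs above are GMER's "TDL4@MBR code has been found" and RogueKiller's "MBR Check", which hashes the first sector, tries to identify the bootstrap code by hash, and decodes the partition table. The script below is an added example of that same triage written for this thread; it is not code from GMER, RogueKiller or TDSSKiller. It assumes the classic MBR layout (440 bytes of bootstrap code, disk signature, four 16-byte partition entries at offset 446, 0x55AA at offset 510) and uses MD5 only because the report's hashes are 32 hex digits long. The known-good list holds the hash of a constructed sample loader, not a genuine Windows loader, and the sample partition layout is copied from the RogueKiller partition table above with the MB sizes converted to sectors; the disk's total sector count is not in the report, so it is an optional argument.

```python
"""Triage a raw 512-byte MBR: hash the bootstrap code, compare it with a
known-good list and decode the partition table.  Added example for this
thread, not code from GMER, RogueKiller or TDSSKiller."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR = 512
BOOTCODE_LEN = 440       # assumption: bootstrap code occupies bytes 0..439
PT_OFFSET = 446          # four 16-byte partition entries follow the disk signature
SIG_OFFSET = 510         # 0x55AA boot signature
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:        # first sector after the partition
        return self.lba_start + self.sectors

    @property
    def size_mib(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)


# Constructed stand-in for a clean loader; a real allowlist would hold the
# hashes of genuine Windows loaders.  TAMPERED models a bootkit that replaced
# the loader but left the partition table intact.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (BOOTCODE_LEN - 8)
TAMPERED_BOOTCODE = b"\xfa\xe8" + CLEAN_BOOTCODE[2:]
KNOWN_GOOD: Dict[str, str] = {hashlib.md5(CLEAN_BOOTCODE).hexdigest(): "constructed sample loader"}

# (bootable, type, LBA start, sector count) taken from the RogueKiller report above.
REPORTED_LAYOUT = [
    (True, 0x07, 2048, 227288 * 2048),
    (False, 0x07, 465487872, 11183 * 2048),
]


def build_sample_mbr(bootcode: bytes, layout) -> bytes:
    """Assemble a sector from bootstrap bytes and partition tuples (test input)."""
    buf = bytearray(SECTOR)
    buf[:len(bootcode)] = bootcode
    for i, (bootable, type_id, lba_start, sectors) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, buf, PT_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, type_id, lba_start, sectors)
    buf[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(buf)


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if type_id == 0 and sectors == 0:
            continue                 # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def triage_mbr(mbr: bytes, total_sectors: Optional[int] = None,
               known_good: Dict[str, str] = KNOWN_GOOD) -> dict:
    """Return hashes, decoded partitions and a list of findings for one sector."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[SIG_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    bootcode_md5 = hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()
    label = known_good.get(bootcode_md5)
    if label is None:
        findings.append("bootstrap code not in known-good list (rootkit-like or unrecognised loader)")
    parts = parse_partitions(mbr)
    active = sum(p.bootable for p in parts)
    if active != 1:
        findings.append(f"{active} active partitions, expected 1")
    for a, b in zip(parts, parts[1:]):
        if b.lba_start < a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    # TDL4 keeps its hidden file system in unallocated space at the end of the
    # disk, so report the gap after the last partition when the disk size is known.
    tail = total_sectors - max(p.lba_end for p in parts) if total_sectors and parts else None
    return {"sector_md5": hashlib.md5(mbr).hexdigest(), "bootcode_md5": bootcode_md5,
            "bootcode_label": label, "partitions": parts, "tail_sectors": tail,
            "findings": findings}


if __name__ == "__main__":
    import sys
    # On the Ubuntu box:  sudo dd if=/dev/sda of=mbr.bin bs=512 count=1 ; python3 mbrcheck.py mbr.bin
    data = (open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1
            else build_sample_mbr(TAMPERED_BOOTCODE, REPORTED_LAYOUT))
    report = triage_mbr(data)
    print("bootcode", report["bootcode_md5"], report["bootcode_label"] or "UNKNOWN")
    for p in report["partitions"]:
        print(f"{p.index} - {'ACTIVE' if p.bootable else 'XXXXXX'} type 0x{p.type_id:02X} "
              f"offset {p.lba_start} size {p.size_mib} MiB")
    for f in report["findings"]:
        print("!!", f)
```

Run against the sample layout, the decoded partitions reproduce the report exactly: partition 0 is active, type 0x07, offset 2048, 227288 MiB, and ends precisely where partition 1 (offset 465487872, 11183 MiB) begins. A loader hash that is not on the list is reported, not condemned: an unknown hash is exactly what the GMER "rootkit-like behavior" line means, and the follow-up is to compare the boot code against a clean copy of the same Windows release before rewriting it.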

They're OK.

Go to your Control Panel's Add/Remove Programs and uninstall these (older versions of Java are vulnerable to malware):

Java Auto Updater
Java DB 10.5.3.0
Java™ 6 Update 24
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 18

Then download and install the latest version:

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
