
TDL4 persistent. ComboFix found it 3 times and disinfected it 3 times! Hitman found MBR.exe.



ComboFix found and disinfected TDL4. I ran combofix the day after the success and it gave up after reboot. I tried to run it in safe mode after multiple trials in normal mode. It ran. But it still couldn't finish after reboot. So I made sure that I ran ComboFix in safe mode after its reboot. And it found and disinfected TDL4 twice in safe mode.

I copy/paste the 3 logs below. The first log was the first run and in normal mode. The second log was in safe mode before and after its reboot. The third log was started in normal mode but finished in safe mode.

What's more, I downloaded and used Hitman Pro 3.5.9. It found MBR.exe at first run. It reported that it succeeded in deletion. But I found a file named MBR.exe in c:\windows after Hitman said it had deleted it. I manually deleted mbr.exe. But the file keeps coming back after reboot to the same location.

I tried tdss, too. But it never finds anything.

First ComboFix log:

"ComboFix 11-06-16.01 - Tim 06/16/2011 17:40:31.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.534 [GMT -5:00]

Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Tim\WINDOWS

C:\LOG17.tmp

C:\LOG47.tmp

C:\LOG4B.tmp

c:\windows\sv.ini

c:\windows\system32\logs

c:\windows\system32\logs\Events.dat

c:\windows\system32\tmp.reg

.

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))

.

.

2011-06-15 18:58 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes

2011-06-04 04:19 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-04 04:19 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2005-12-26 15:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2001-12-03 23:09 . 2011-01-04 22:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-08-18 340520]

.

c:\documents and settings\Tim\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled

backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]

2006-05-02 22:48 14848 ----a-w- c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NCUpdateSvc"=2 (0x2)

"a2free"=2 (0x2)

"mnmsrvc"=3 (0x3)

"Fax"=2 (0x2)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=

.

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]

S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]

S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]

S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://geo.craigslist.org/iso/us/la

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en

IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm

Trusted Zone: construction.com

Trusted Zone: constructionvaults.com

Trusted Zone: isqft.com\www

Trusted Zone: lrplot.com

TCP: DhcpNameServer = 192.168.1.254

DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://pdm3.lrplot.com/RAC/PDMSubTheme/FileDownload/FileDownloader2.cab

FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\

FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-POINTER - point32.exe

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

AddRemove-HijackThis - c:\tmhijkt\HijackThis.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\play\Play Software\DivX\DivXCodecUninstall.exe

.

.

.

**************************************************************************

.

disk not found C:\

.

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1668)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

- - - - - - - > 'explorer.exe'(3788)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\system32\rundll32.exe

c:\windows\eHome\ehmsas.exe

c:\program files\Microsoft Hardware\Mouse\point32.exe

c:\pc calm\SpywareGuard\sgbhp.exe

.

**************************************************************************

.

Completion time: 2011-06-16 18:06:39 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-16 23:06

.

Pre-Run: 6,737,469,440 bytes free

Post-Run: 6,929,915,904 bytes free

.

- - End Of File - - 2EBBF60480A77CCA7A82044B230D80CA"

Second ComboFix log:

"ComboFix 11-06-17.04 - Tim 06/18/2011 11:54:48.3.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.817 [GMT -5:00]

Running from: c:\downloads\ComboFix.exe

AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))

.

.

2011-06-18 16:39 . 2011-06-18 16:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-06-18 03:23 . 2011-06-18 03:24 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-06-18 03:14 . 2011-06-18 04:03 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-18 03:14 . 2011-06-18 03:14 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-18 03:10 . 2011-06-18 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-06-15 18:58 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes

2011-06-04 04:19 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-04 04:19 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2005-12-26 15:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2001-12-03 23:09 . 2011-01-04 22:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-06-18 6544192]

.

c:\documents and settings\Tim\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled

backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]

2006-05-02 22:48 14848 ----a-w- c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NCUpdateSvc"=2 (0x2)

"a2free"=2 (0x2)

"mnmsrvc"=3 (0x3)

"Fax"=2 (0x2)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=

.

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]

S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]

S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]

S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]

S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en

Trusted Zone: construction.com

Trusted Zone: constructionvaults.com

Trusted Zone: isqft.com\www

Trusted Zone: lrplot.com

DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://pdm3.lrplot.com/RAC/PDMSubTheme/FileDownload/FileDownloader2.cab

FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\

FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-HijackThis - c:\pc calm\TMHIJKT\HijackThis.exe

.

.

.

**************************************************************************

.

disk not found C:\

.

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(236)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

- - - - - - - > 'explorer.exe'(1000)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

.

**************************************************************************

.

Completion time: 2011-06-18 12:14:36 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-18 17:14

.

Pre-Run: 11,551,547,392 bytes free

Post-Run: 11,486,167,040 bytes free

.

- - End Of File - - 057FE52EBCD02FC66D389B8B98E6E4E8"

Third ComboFix log:

"ComboFix 11-06-17.04 - Tim 06/18/2011 12:54:25.4.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.815 [GMT -5:00]

Running from: c:\downloads\cfaks.exe

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))

.

.

2011-06-18 16:39 . 2011-06-18 16:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-06-18 03:23 . 2011-06-18 03:24 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-06-18 03:14 . 2011-06-18 17:19 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-18 03:14 . 2011-06-18 03:14 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-18 03:10 . 2011-06-18 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-06-15 18:58 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes

2011-06-04 04:19 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-04 04:19 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2005-12-26 15:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2001-12-03 23:09 . 2011-01-04 22:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-06-18 6544192]

.

c:\documents and settings\Tim\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled

backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]

2006-05-02 22:48 14848 ----a-w- c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NCUpdateSvc"=2 (0x2)

"a2free"=2 (0x2)

"mnmsrvc"=3 (0x3)

"Fax"=2 (0x2)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=

.

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]

S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]

S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]

S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]

S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en

Trusted Zone: construction.com

Trusted Zone: constructionvaults.com

Trusted Zone: isqft.com\www

Trusted Zone: lrplot.com

DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://pdm3.lrplot.com/RAC/PDMSubTheme/FileDownload/FileDownloader2.cab

FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\

FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

.

**************************************************************************

.

disk not found C:\

.

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(236)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

- - - - - - - > 'explorer.exe'(924)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

.

**************************************************************************

.

Completion time: 2011-06-18 13:13:17 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-18 18:13

.

Pre-Run: 11,542,495,232 bytes free

Post-Run: 11,473,387,520 bytes free

.

- - End Of File - - E30D9A3B3F331C0B7C0A2291D600FE0A"

Thank you very much.

ss10000
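The three ComboFix logs above repeat the same bootkit line, and the only way to see what else changed between runs is to compare them by hand. The script below is an added example (not ComboFix's own code and not posted by anyone in this thread) that parses each log's header, "Other Deletions", bootkit line and "Files Created" sections and reports what is new from one run to the next; its two sample logs are constructed from abbreviated lines of the first two logs posted above, with the section banners shortened.

```python
"""Triage helper for ComboFix logs: parse each run's header, 'Other Deletions',
bootkit line and 'Files Created' entries, then diff consecutive runs.
Added example; not ComboFix's own code nor anything from this thread."""
import re

# Header "ComboFix 11-06-16.01 - Tim 06/16/2011 17:40:31.2.1 - x86 MINIMAL"
HEADER_RE = re.compile(r"^ComboFix (\S+) - (.+?) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\S* - (.+)$")
# "\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected"
BOOTKIT_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+ - Bootkit (\S+) was found and disinfected$")
# File entry "<created> . <modified> <size or --------> <attrs> <path>"
ENTRY_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\d+|-+) ([a-z-]{8}) (.+)$")
BINARY_EXT = (".exe", ".sys", ".dll")

def parse_log(text):
    """Return version, mode, start time, bootkits found, deleted paths and created files."""
    info = {"version": None, "mode": None, "started": None,
            "bootkit": [], "deleted": [], "created": {}}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := HEADER_RE.match(line)) and info["version"] is None:
            info["version"], _user, info["started"], info["mode"] = m.groups()
        elif (m := BOOTKIT_RE.match(line)):
            info["bootkit"].append(m.group(1))
        elif line.startswith("(((("):           # a banner opens the next section
            section = ("deleted" if "Other Deletions" in line
                       else "created" if "Files Created" in line else None)
        elif section == "deleted" and line and line != ".":
            info["deleted"].append(line.lower())
        elif section == "created" and (m := ENTRY_RE.match(line)):
            created, modified, size, attrs, path = m.groups()
            info["created"][path.lower()] = {
                "created": created, "modified": modified, "attrs": attrs,
                "size": None if size.startswith("-") else int(size),
                "is_dir": attrs.startswith("d")}
    return info

def new_since(earlier, later):
    """Paths in the later run's 'Files Created' list that the earlier run lacked."""
    return sorted(set(later["created"]) - set(earlier["created"]))

def new_system_binaries(earlier, later):
    """New .exe/.sys/.dll files under c:\\windows: first thing to inspect after a re-run."""
    return [p for p in new_since(earlier, later)
            if not later["created"][p]["is_dir"]
            and p.startswith("c:\\windows\\") and p.endswith(BINARY_EXT)]

def triage(logs):
    """One summary row per run, in the order the logs were produced."""
    runs = [parse_log(t) for t in logs]
    return [{"run": i + 1, "started": r["started"], "bootkit": r["bootkit"],
             # ComboFix marked the runs the poster made from safe mode with 'MINIMAL'
             "safe_mode": "MINIMAL" in (r["mode"] or ""),
             "deleted": len(r["deleted"]),
             "new_since_previous": [] if i == 0 else new_since(runs[i - 1], r)}
            for i, r in enumerate(runs)]

# Constructed samples: abbreviated lines from the thread's first two logs (banners shortened).
SAMPLE_LOGS = [r"""ComboFix 11-06-16.01 - Tim 06/16/2011 17:40:31.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.534 [GMT -5:00]
.
(((((((( Other Deletions ))))))))
.
c:\windows\sv.ini
c:\windows\system32\tmp.reg
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((( Files Created from 2011-05-16 to 2011-06-16 ))))))))
.
2011-06-15 18:58 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-04 04:19 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((( Find3M Report ))))))))
.
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
""", r"""ComboFix 11-06-17.04 - Tim 06/18/2011 11:54:48.3.1 - x86 MINIMAL
.
(((((((( Other Deletions ))))))))
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((( Files Created from 2011-05-18 to 2011-06-18 ))))))))
.
2011-06-18 03:23 . 2011-06-18 03:24 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-06-18 03:14 . 2011-06-18 04:03 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-18 03:14 . 2011-06-18 03:14 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-06-15 18:58 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-04 04:19 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((( Find3M Report ))))))))
"""]

def demo():
    """Triage rows for the two constructed sample logs."""
    return triage(SAMPLE_LOGS)
```

Run on the full logs, the second row's new-file list is where the files that appeared between the normal-mode run and the safe-mode run show up, which is what a helper wants to correlate with what the poster installed or ran in between.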



Hello and :welcome:

Unfortunately you have a nasty rootkit on your computer. Before starting to clean it, read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Thank you Elise and Larry. Here are the logs from TDSSKiller and GooredFix. By the way, I forgot to mention that I ran TDSSKiller a couple of times before I posted the last SOS. TDSSKiller couldn't extract all files in normal mode, but did run in safe mode. After reading your help response, I downloaded TDSSKiller again. It runs smoothly this time.

TDSS Killer-----

2011/06/21 16:24:51.0505 0720 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15

2011/06/21 16:24:52.0427 0720 ================================================================================

2011/06/21 16:24:52.0427 0720 SystemInfo:

2011/06/21 16:24:52.0427 0720

2011/06/21 16:24:52.0427 0720 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/21 16:24:52.0427 0720 Product type: Workstation

2011/06/21 16:24:52.0427 0720 ComputerName: DDTPK291

2011/06/21 16:24:52.0427 0720 UserName: Tim

2011/06/21 16:24:52.0427 0720 Windows directory: C:\WINDOWS

2011/06/21 16:24:52.0427 0720 System windows directory: C:\WINDOWS

2011/06/21 16:24:52.0427 0720 Processor architecture: Intel x86

2011/06/21 16:24:52.0458 0720 Number of processors: 1

2011/06/21 16:24:52.0458 0720 Page size: 0x1000

2011/06/21 16:24:52.0458 0720 Boot type: Normal boot

2011/06/21 16:24:52.0458 0720 ================================================================================

2011/06/21 16:24:54.0770 0720 Initialize success

2011/06/21 16:24:56.0192 3068 ================================================================================

2011/06/21 16:24:56.0192 3068 Scan started

2011/06/21 16:24:56.0192 3068 Mode: Manual;

2011/06/21 16:24:56.0192 3068 ================================================================================

2011/06/21 16:25:01.0379 3068 MBR (0x1B8) (26a7678d74601d9e9e1d0fdca657d315) \Device\Harddisk0\DR0

2011/06/21 16:25:01.0394 3068 ================================================================================

2011/06/21 16:25:01.0394 3068 Scan finished

2011/06/21 16:25:01.0394 3068 ================================================================================

2011/06/21 16:25:01.0410 3496 Detected object count: 0

2011/06/21 16:25:01.0410 3496 Actual detected object count: 0

GooredFix-----

GooredFix by jpshortstuff (03.07.10.1)

Log created at 16:22 on 21/06/2011 (Tim)

Firefox version 4.0.1 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

(none)

C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\extensions\

foxmarks@kei.com [17:46 22/12/2010]

moveplayer@movenetworks.com [00:55 07/09/2008]

{02450954-cdd9-410f-b1da-db804e18c671} [00:52 30/12/2010]

{20a82645-c095-46ed-80e3-08825760534b} [21:48 26/05/2010]

{9c0a1a70-0e03-11da-8bde-f66bad1e3f3a} [01:10 17/08/2009]

{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3} [11:53 26/05/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:59 08/08/2009]

-=E.O.F=-


Thank you very much. Here it is.

ComboFix 11-06-22.01 - Tim 06/22/2011 14:26:29.5.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.816 [GMT -5:00]

Running from: c:\downloads\cfaks.exe

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))

.

.

2011-06-22 18:56 . 2011-06-22 18:57 -------- d-----w- C:\cfaks

2011-06-18 16:39 . 2011-06-18 16:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-06-18 03:14 . 2011-06-22 18:46 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-18 03:14 . 2011-06-18 03:14 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-18 03:10 . 2011-06-18 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-06-15 18:58 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes

2011-06-04 04:19 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-04 04:19 . 2011-06-04 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-04 04:19 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2005-12-26 15:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2001-12-03 23:09 . 2011-01-04 22:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-06-21 6556992]

.

c:\documents and settings\Tim\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled

backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]

2006-05-02 22:48 14848 ----a-w- c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NCUpdateSvc"=2 (0x2)

"a2free"=2 (0x2)

"mnmsrvc"=3 (0x3)

"Fax"=2 (0x2)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=

.

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]

S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]

S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]

S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]

S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]

S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en

Trusted Zone: construction.com

Trusted Zone: constructionvaults.com

Trusted Zone: isqft.com\www

Trusted Zone: lrplot.com

DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab

FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\

FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-HijackThis - c:\pc calm\TMHIJKT\HijackThis.exe

.

.

.

**************************************************************************

.

disk not found C:\

.

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(232)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

- - - - - - - > 'explorer.exe'(1348)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2011-06-22 14:39:19

ComboFix-quarantined-files.txt 2011-06-22 19:39

.

Pre-Run: 10,862,080,000 bytes free

Post-Run: 10,852,257,792 bytes free

.

- - End Of File - - 1424E75C5ACFB66AFA2AD771C51971B7


Let's take a different approach here; TDSSKiller says nothing there, ComboFix says rootkit, so let's actually look at the MBR.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.


That is why I want to have a look at the Master Boot Record of your drive. Because that is taken outside Windows, there is no way it can be faked.

Usually TDSSkiller is pretty good at detecting this infection, so if it finds nothing, I'm tending to believe it and say Combofix detects a false positive (especially since it doesn't appear to be able to scan the MBR at all). However, to be sure, I need to see the dump.


Thank you Elise. But you told me to download "GETxPUD.exe" to the desktop of a "clean" computer. When you say "clean", do you mean any computer other than the one we are trying to fix? Because it is difficult to tell whether a computer is really clean or not unless it is brand new. What should I do to make sure that I don't download to another computer that is not "clean" either?

Thank you.

ss10000


I have tried 5 times. The first two trials get the response "1+0 records in, 1+0 records out". The next three trials get the response "dd: can't open 'mbr.bin': No space left on device".

I copied those files for CD burning onto the USB. They occupied 64 MB. I deleted them for more space, but it doesn't help. But I have 2 GB on the USB! I do find a file named mbr of 0 bytes on the USB. I have deleted it.

Thanks.

ss10000


Hi, no problem, thank you for letting me know! :)

I usually open this type of file with a hex editor (HxD Hex Editor in my case), however, in order to verify whether or not it is infected, a simple upload to sites like VirusTotal usually is enough.

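The mbr.bin that the dd command earlier in the thread writes (bs=512 count=1) is exactly one 512-byte sector, and before opening it in a hex editor or looking its hash up on VirusTotal it helps to know what is in it. The following is an added Python example written for this thread; it is not code from ComboFix, TDSSKiller, HxD or xPUD. It splits the dump into its fixed-layout parts (440 bytes of boot code, the 4-byte disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, and the 0x55AA boot signature at 0x1FE), flags structural oddities a reviewer would want to see (missing boot signature, more than one active partition, overlapping or zero-length entries), and prints MD5/SHA-256 of the whole sector plus a separate hash of the boot code alone, since the disk signature and partition table differ from machine to machine while the boot code of a clean install can be compared with a known-good image. It does not decide whether the boot code is malicious. The sample image it builds when run without a path is constructed for the demonstration; to inspect a real dump, pass the path to mbr.bin as the first argument.

```python
"""Parse and sanity-check a 512-byte MBR dump (e.g. mbr.bin from `dd if=/dev/sda of=mbr.bin bs=512 count=1`).

Added example for this thread; not code from ComboFix, TDSSKiller, HxD or xPUD.
It exposes structure and hashes for comparison; it does not classify the boot code.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8     # 4-byte Windows disk signature (boot code is bytes 0..439)
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE     # must hold 0x55 0xAA


def parse_partition_entry(index: int, entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"index": index, "status": status, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> dict:
    """Split a raw MBR into boot code, disk signature, partition table and hashes."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    entries = [parse_partition_entry(i, data[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    boot_code = data[:DISK_SIG_OFFSET]
    return {
        "boot_code": boot_code,
        "disk_signature": struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": entries,
        "boot_signature_ok": data[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "md5": hashlib.md5(data).hexdigest(),            # whole-sector hashes, for a lookup by hash
        "sha256": hashlib.sha256(data).hexdigest(),
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),  # comparable across machines
    }


def check_mbr(parsed: dict) -> list:
    """Return human-readable findings about the partition table; empty list means nothing odd."""
    findings = []
    if not parsed["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: not a valid MBR or the sector was overwritten")
    used = [p for p in parsed["partitions"] if p["type"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active (0x80)")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {p['index']}: type 0x{p['type']:02X} but zero length")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed 512-byte image (not from the thread): one NTFS partition starting at LBA 63.
    With tamper=True a second, overlapping entry is also marked active, to show the checks firing."""
    code = bytearray(440)
    code[:4] = b"\xFA\x33\xC0\x8E"          # a few plausible opening bytes, rest zero
    disk_sig = struct.pack("<I", 0xDEADBEEF)  # constructed disk signature
    entries = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 20_000_000)
    if tamper:
        entries += struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 1000, 5000)
    else:
        entries += bytes(16)
    entries += bytes(16) * 2
    mbr = bytes(code) + disk_sig + b"\x00\x00" + entries + b"\x55\xAA"
    assert len(mbr) == MBR_SIZE
    return mbr


def main(argv: list) -> None:
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_mbr()
    parsed = parse_mbr(data)
    print(f"disk signature : 0x{parsed['disk_signature']:08X}")
    print(f"boot signature : {'ok' if parsed['boot_signature_ok'] else 'MISSING'}")
    for p in parsed["partitions"]:
        if p["type"] != 0:
            print(f"partition {p['index']}: status=0x{p['status']:02X} type=0x{p['type']:02X} "
                  f"lba_start={p['lba_start']} sectors={p['sectors']}")
    print(f"md5 (sector)     : {parsed['md5']}")
    print(f"sha256 (sector)  : {parsed['sha256']}")
    print(f"sha256 (bootcode): {parsed['boot_code_sha256']}")
    for f in check_mbr(parsed) or ["no structural oddities found"]:
        print(f" - {f}")


if __name__ == "__main__":
    main(sys.argv)
```

The structural checks are deliberately conservative: a clean Windows XP disk normally has a single active entry and non-overlapping partitions, so any finding is a reason to look closer, not a verdict. The boot-code hash is the value to compare with a dump taken from a known-good machine of the same Windows version.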

The computer is running as usual, because of all the efforts we put into it. Let me list abnormalities I used to ignore.

Firstly, Firefox 4 doesn't run smoothly. Firefox 3 ran well. I noticed the difference just a while after I upgraded in April.

Secondly, when I was checking and burning a CD yesterday, Windows could not get a correct reading of the CD capacity. I click on the drive name and select Properties. It tells me impossibly small numbers.

Have a wonderful holiday, Elise.

ss10000


It reads a new CD at 702 MB. But it reads used CDs, which are either full or half full, at something like 27 MB used, 0 MB available or 79.2 MB used, 0 MB available, etc.

I am to try FF5.

Do you actually enjoy computer much better than anything else? It looks more like your leisure than work. Thank you for your time.

ss10000


I think the problem is with my computer instead of the CD, because I have tried multiple CDs. I will try safe mode.

But my purpose of raising the CD thing is to make sure it isn't due to any malware but malfunction of Microsoft. I will leave it alone if it doesn't affect other functions.

I have another unexplained suspicion. The hard drive light frequently turns on and I can hear the spinning of the hard drive when I am not running any serious application. This kind of thing usually happens after I am on the internet for a while, like reading emails and news. I suspect some program working in the background.

Thank you very much.

ss10000


I can control/alt/delete. I don't remember the percentage but it seems not much. It starts with a peak and dies down very quickly, so I guess the peak is for the startup of the task manager. I hope I can have a chance to compare the percentages before and after I cut off the wireless on my laptop. That may be more helpful.

ss10000
