Avast WEBforum
Other => Viruses and worms => Topic started by: ss10000 on July 15, 2011, 10:13:20 PM
-
ComboFix detected TDL4 as long as the second run (the reboot to fix TDL4) was in safe mode. It couldn't finish its second run in normal mode. But TDSSKiller cannot detect it. Hitman detected MBO.exe trojan, but cannot delete it. I deleted it manually, but another file MBO without .exe came back after reboot.
Somebody asked me to upload master boot file and told me that was normal and combofix misread.
My PC cannot read the volumes of CDs correctly and somebody said the CDs may be the culprit.
What do you think?
Thank you in advance.
ss10000
-
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
ComboFix detected TDL4 as long as the second run (the reboot to fix TDL4) was in safe mode.
Why did you run ComboFix? Have you read the warnings that ComboFix popped up?
You should not run ComboFix unless you are specifically asked to by a helper.
> Please read this topic:
http://www.bleepingcomputer.com/forums/topic273628.html
also read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
> then attach here logs:
C:\ComboFix.txt
C:\Qoobox\ComboFix-quarantined-files.txt
> also run aswMBR tool as instructed above.
-
Thank you very much. I was out of town over the weekend. I will follow your instructions and reply with log files. Thank you again.
ss10000
-
Nothing is clearing this up. Here is my log file.
aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-19 13:02:48
-----------------------------
13:02:48.781 OS Version: Windows 5.1.2600 Service Pack 2
13:02:48.781 Number of processors: 1 586 0x2F00
13:02:48.781 ComputerName: YOUR-55E5F9E3D2 UserName:
13:02:49.625 Initialize success
13:02:49.734 AVAST engine defs: 11070401
13:02:53.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
13:02:53.218 Disk 0 Vendor: ST3250823AS 3.03 Size: 238475MB BusType: 3
13:02:53.234 Disk 0 MBR read successfully
13:02:53.234 Disk 0 MBR scan
13:02:53.234 Disk 0 unknown MBR code
13:02:53.250 Disk 0 scanning sectors +488376000
13:02:53.328 Disk 0 scanning C:\WINDOWS\system32\drivers
13:02:59.671 Service scanning
13:03:00.859 Disk 0 trace - called modules:
13:03:00.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:03:00.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84bc8440]
13:03:00.859 3 CLASSPNP.SYS[f751105b] -> nt!IofCallDriver -> \Device\0000005d[0x84b74f18]
13:03:00.859 5 ACPI.sys[f73a7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x84b2ad98]
13:03:01.468 AVAST engine scan C:\WINDOWS
13:03:11.750 AVAST engine scan C:\WINDOWS\system32
13:04:27.515 AVAST engine scan C:\WINDOWS\system32\drivers
13:04:36.687 AVAST engine scan C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001
13:05:25.640 AVAST engine scan C:\Documents and Settings\All Users
13:06:47.812 Scan finished successfully
13:06:57.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001\Desktop\MBR.dat"
13:06:57.343 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator.YOUR-55E5F9E3D2.001\Desktop\aswMBR.txt"
-
@psw
First aswmbr is only meant for mbr rootkits and not for tdl4 do not throw tools when u dont know their use pls.
@ss10000
try removing the tdl4 rootkit via kaspersky tdss killer.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://support.kaspersky.com/images/support_new/2663-2-eng.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
(http://support.kaspersky.com/images/support_new/2663_3_en.png)
THEN
download mbam from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
post mbam and tdss logs on next comment.
-
@psw
First aswmbr is only meant for mbr rootkits and not for tdl4 do not throw tools when u dont know their use pls.
@ump001
try removing the tdl4 rootkit via kaspersky tdss killer.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
Obviously YOU don't know aswMBR's use.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
THEN
download mbam from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
post mbam and tdss logs on next comment.
Obviously YOU don't know aswMBR's use.
Tdsskiller is used in cases of a TDL-3 infection btw.
-
@psw
here is the info that i was pointing out to u. tdsskiller is used for tdl4 and tdl3. Read it carefully.
http://support.kaspersky.com/viruses/solutions?qid=208280684
-
You are claiming that TDL4 doesn't infect the MBR ? Obviously it does and if you do a simple google search you will come to the same conclusion. It's time to report you to the mods *yet again*.
-
quote com155
First aswmbr is only meant for mbr rootkits and not for tdl4 do not throw tools when u dont know their use pls.
naaaaaa....you would never do that com155
and yes all this mumbo jumbo should be deleted...
-
@darth mikey
oh i just wanted to say to him not to throw tools that dont solve the problem :'( :'( i will report u for harassing!!!
-
@psw
here is the info that i was pointing out to u. tdsskiller is used for tdl4 and tdl3. Read it carefully.
http://support.kaspersky.com/viruses/solutions?qid=208280684
TDL-4 can be cured by aswMBR, no need to use tdsskiller. Only in cases of tdl-3 infections is tdsskiller used, i repeat.
@Pondus
Mabo Jambo? ;D May i ask what "majo jambo" is? :)
-
well, case closed, everybody is saying different things... all mambo jambo!!! ;D ;D ;D
"aswmbr" in the name "MBR"....better pay attention here!!!
-
if gmer removes tdl1 and tdl2 then tdsskiller kills tdl3 and tdl4... it's understood even if it is not written there: http://support.kaspersky.com/viruses/solutions?qid=208280684
well, as i said, case closed!!!
-
@darth mikey
oh i just wanted to say to him not to throw tools that dont solve the problem :'( :'( i will report u for harassing!!!
And you should follow that advice yourself, you obviously don't know wth you are posting. Besides, my reply had nothing to do with that statement; i only pointed out that TDL4 does indeed infect the MBR and if you were such an expert as you claim to be you would already know that. It's quite obvious you don't know how aswmbr works and what it is used for. Left123 already informed you that it is indeed used for TDL4 infections and you keep banging on that it is not when you are clearly mistaken. BTW the only mumbo jumbo that is posted here is by YOU, which is why you keep getting reported to the mods. Now please go ahead and report my post, the little good it will do you. ::)
well, case closed, everybody is saying different things... all mambo jambo!!! ;D ;D ;D
"aswmbr" in the name "MBR"....better pay attention here!!!
What are you smoking, must be some strong stuff indeed ? ::) You are claiming that aswmbr is not used for cleaning TDL4 infections and the rest of us are telling you that it is. And again TDL4 DOES INDEED INFECT the MBR, why can't you get that through your thick skull ? As i already suggested to you, do a google search on TDL4 and you will come to the same conclusion. Now who needs to pay attention here huh ?
-
i certainly.... ;D ;D ;D....sorry and thanks for that info.....another suggestion that was needed for a malware remover...thanks!!! ;D ;D ;D
-
you say you are training at Bleepingcomputer!
then maybe you should look at this TDL4 removal from Bleepingcomputer...... using aswMBR ;)
http://www.bleepingcomputer.com/forums/topic390804.html
-
If he is indeed training at bleepingcomputer or geekstogo then he really needs to read their rules because they do not allow their trainees to provide malware removal advice before they've completed their training. ::)
-
sorry will keep a note....."note:aswmbr removed tdl4 rootkits."Hmmmm.... :(
-
@com155
I warned you not to use tools if you do not know how to use them.
Know this:
aswMBR is able to detect known TDL4 and known & unknown sector infections, known as MBR rootkits.
also please read:
ComboFix detected TDL4
@ss10000
You should follow my instructions. I asked for Combofix reports.
If you ran TDSSKiller you should attach report.
My guess is that you no longer have google redirections...
If you have google redirects follow my instructions:
If you dont have google redirect please remove the malware removal tools!
Start >> Run
Combofix /Uninstall
Enter
also:
http://forums.majorgeeks.com/showthread.php?t=31668
-
@darth mikey
oh i just wanted to say to him not to throw tools that dont solve the problem :'( :'( i will report u for harassing!!!
This is what you do all the time and what we are constantly telling you not to do, you aren't being harassed you are being educated. But you just don't get it.
Here you are a) complaining about what you do and b) you are wrong about aswMBR, it can detect TDL4 rootkits as the image (see below) shows and depending on the circumstances fix them. So it can in this case be used for analysis also, to confirm or deny the presence of a TDL4 rootkit. However this one needs more care and attention as the system is an HP one and fixing the MBR could mean the user can no longer access the HP recovery partition/recovery console.
[TDL4] **ROOTKIT** found:
(http://public.avast.com/~gmerek/aswMBR3.png)
By all means report this and the others that you feel have harassed you as all it will do is bring you directly into contact with the moderators and show your experience levels. Who knows it may result in another spell of absence.
-
Obviously, somebody took over before I could post my log (:
aswMBR log--
aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-22 21:27:26
-----------------------------
21:27:26.062 OS Version: Windows 5.1.2600 Service Pack 3
21:27:26.062 Number of processors: 1 586 0xD08
21:27:26.062 ComputerName: DDTPK291 UserName: Tim
21:27:47.578 Initialize success
21:36:07.125 AVAST engine defs: 11072201
21:36:40.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:36:40.968 Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
21:36:40.984 Disk 0 MBR read successfully
21:36:40.984 Disk 0 MBR scan
21:36:41.078 Disk 0 unknown MBR code
21:36:41.078 Disk 0 scanning sectors +117194175
21:36:41.171 Disk 0 scanning C:\WINDOWS\system32\drivers
21:37:43.265 Service scanning
21:37:49.765 Modules scanning
21:38:00.859 Disk 0 trace - called modules:
21:38:00.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:38:00.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87360ab8]
21:38:00.890 3 CLASSPNP.SYS[f761bfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87355940]
21:38:02.250 AVAST engine scan C:\WINDOWS
21:38:15.953 AVAST engine scan C:\WINDOWS\system32
21:47:44.828 AVAST engine scan C:\WINDOWS\system32\drivers
21:48:45.046 AVAST engine scan C:\Documents and Settings\Tim
21:56:13.843 AVAST engine scan C:\Documents and Settings\All Users
22:14:23.953 Scan finished successfully
22:17:54.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tim\Desktop\MBR.dat"
22:17:54.562 The log file has been saved successfully to "C:\Documents and Settings\Tim\Desktop\aswMBR.txt"
Thank you.
ss10000
-
will take care....certainly i feel the need of improvement.....i will come back to malware removal job on the forums after i am finished with my training... ;) ;) ;) ;) till then will stay with my job of malware removal at india....... ;D
-
Here is the combofix log just generated. I have to send two posts because the log is over 10000 words long. Here is the first part of the log--
ComboFix 11-07-22.02 - Tim 07/22/2011 22:39:49.6.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.815 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\sv.ini
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-06-23 to 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:03 . 2011-07-02 16:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 22:04 . 2011-06-18 03:14 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2005-08-16 10:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 14:11 . 2011-06-04 04:19 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-06-04 04:19 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2005-08-16 10:18 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2005-12-26 15:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2005-08-16 10:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2001-12-03 23:09 . 2011-01-04 22:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-22_19.36.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2006-01-10 05:50 . 2011-06-17 02:59 6162 c:\windows\system32\KGyGaAvL.sys
+ 2006-01-10 05:50 . 2011-06-23 17:08 6162 c:\windows\system32\KGyGaAvL.sys
+ 2011-07-02 16:03 . 2011-07-02 16:03 243360 c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe
+ 2005-08-16 10:27 . 2011-07-13 14:40 337848 c:\windows\system32\FNTCACHE.DAT
- 2005-08-16 10:27 . 2011-04-13 18:19 337848 c:\windows\system32\FNTCACHE.DAT
- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2010-01-27 01:07 . 2011-07-02 16:03 6271648 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-16 13:17 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 19:36 . 2011-07-13 14:21 49089992 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
-
This is the second part--
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-07-15 6619456]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
2006-05-02 22:48 14848 ----a-w- c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=2 (0x2)
"a2free"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]
S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]
S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
Trusted Zone: construction.com
Trusted Zone: constructionvaults.com
Trusted Zone: isqft.com\www
Trusted Zone: lrplot.com
DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(236)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-07-22 22:52:35
ComboFix-quarantined-files.txt 2011-07-23 03:52
.
Pre-Run: 8,517,734,400 bytes free
Post-Run: 8,605,675,520 bytes free
.
- - End Of File - - 9D28758DA866EF69626E8A6D86959706
Thank you very much.
ss10000
-
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
i think combofix has fixed the bootkit...
-
The problem is that ComboFix keeps finding and fixing TDL4 whenever it is run.
-
Hi there this may be the new variant - which is a tad sneaky
Download MBRCheck.exe (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) to your Desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
THEN
A second run so that I can test out the MBR
Run MBRCheck.exe once again.
You will be presented with the following dialog:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Enter Y and press Enter.
The following dialog will be presented:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
Enter 1 and press Enter
The following dialog will be presented:
Enter the physical disk number to fix (0-99, -1 to cancel):
Enter 0 and press Enter
The program will ask for the file name to dump to, type dump.txt and Press Enter. You should see a Dumped successfully message. Type -1 and press Enter twice to exit the program. Save the dump.dat file to your desktop.
Step 2:
Please attach the dump.txt file to your next post.
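Both the aswMBR logs earlier in this thread ("Disk 0 unknown MBR code", "MBR has been saved successfully to ... MBR.dat") and the MBRCheck dump step above leave the user holding a raw 512-byte copy of the master boot record. The script below is an added example, not code from the thread or from aswMBR, MBRCheck or ComboFix: it parses such a dump, verifies the 0x55AA boot signature, decodes the four partition-table entries, and compares the boot-code region against a reference SHA-256 digest that you supply (for instance, taken from the same machine before the infection or from a known-clean install). The boot code and partition layout embedded here are constructed placeholders, not real boot sectors, and `check_dump` is a hypothetical helper for reading a file from disk.

```python
"""Parse and sanity-check a 512-byte MBR dump (e.g. the MBR.dat / dump.txt files
the tools in this thread write). Added example, not part of the thread or of any
tool mentioned in it."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def analyse_mbr(data, reference_bootcode_sha256=None):
    """Return a description of the MBR plus a list of findings (empty list = nothing odd)."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    findings = []

    signature_ok = data[SECTOR_SIZE - 2:SECTOR_SIZE] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")

    # Hash only the boot-code region; the partition table legitimately differs per machine.
    bootcode_sha256 = hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest()
    if reference_bootcode_sha256 is not None and bootcode_sha256 != reference_bootcode_sha256:
        findings.append("boot code does not match the reference digest")

    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(data[start:start + 16])
        if entry["status"] not in (0x00, 0x80):  # only "inactive" and "active" are valid
            findings.append(f"entry {i}: invalid status byte 0x{entry['status']:02x}")
        partitions.append(entry)
    active = [p for p in partitions if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")

    return {"signature_ok": signature_ok, "bootcode_sha256": bootcode_sha256,
            "partitions": partitions, "findings": findings}


def build_sample_mbr(bootcode, entries):
    """Assemble a constructed 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    code = bootcode[:BOOT_CODE_SIZE]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries[:4]):
        start = PARTITION_TABLE_OFFSET + 16 * i
        sector[start:start + 16] = struct.pack("<B3xB3xII", status, ptype, lba, count)
    sector[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(sector)


def check_dump(path, reference_bootcode_sha256=None):
    """Hypothetical helper: analyse an MBR dump file such as MBR.dat or dump.txt."""
    with open(path, "rb") as fh:
        return analyse_mbr(fh.read(SECTOR_SIZE), reference_bootcode_sha256)


# Constructed samples (placeholder boot code, not a real boot sector):
# one active NTFS-type (0x07) partition starting at LBA 63.
KNOWN_GOOD_BOOTCODE = b"\x90" * BOOT_CODE_SIZE
REFERENCE_DIGEST = hashlib.sha256(KNOWN_GOOD_BOOTCODE).hexdigest()
SAMPLE_CLEAN = build_sample_mbr(KNOWN_GOOD_BOOTCODE, [(0x80, 0x07, 63, 117194112)])
# Same partition table, but the first bytes of the boot code have been altered.
SAMPLE_TAMPERED = build_sample_mbr(b"\xeb\xfe" + KNOWN_GOOD_BOOTCODE[2:],
                                   [(0x80, 0x07, 63, 117194112)])

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        result = analyse_mbr(sample, REFERENCE_DIGEST)
        print(name, "findings:", result["findings"] or "none")
        for p in result["partitions"]:
            if p["type"]:
                print(f"  type 0x{p['type']:02x} active={p['status'] == 0x80} "
                      f"lba={p['lba_start']} sectors={p['sectors']}")
```

A clean reference digest is the important input: without it the script can only check structure (signature, status bytes, one active partition), which a bootkit that preserves the partition table will pass, so pair it with the tool logs rather than treating an empty findings list as proof of a clean MBR.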
-
When I ran aswMBR, it has a button 'fix mbr'. I didn't click on it because I wasn't told to. I just posted the log. Should I run aswMBR again and click the button?
Thank you.
ss10000
-
No because I will first need a look at the MBR
If you could run MBRCheck.exe and then I will be able to determine the next course
-
when I run mbrcheck, do I have to disable my a/v ?
-
Nope just run it ;D
-
1st part of the log from the 1st run--
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c
Kernel Drivers (total 160):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xF7ADB000 \WINDOWS\system32\KDCOM.DLL
0xF79EB000 \WINDOWS\system32\BOOTVID.dll
0xF74AC000 ACPI.sys
0xF7ADD000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF749B000 pci.sys
0xF75DB000 isapnp.sys
0xF79EF000 compbatt.sys
0xF79F3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7BA3000 pciide.sys
0xF785B000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7ADF000 intelide.sys
0xF747D000 pcmcia.sys
0xF75EB000 MountMgr.sys
0xF745E000 ftdisk.sys
0xF7438000 dmio.sys
0xF7863000 PartMgr.sys
0xF75FB000 VolSnap.sys
0xF7420000 atapi.sys
0xF760B000 disk.sys
0xF761B000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7400000 fltmgr.sys
0xF73EE000 sr.sys
0xF73D9000 drvmcdb.sys
0xF762B000 PxHelp20.sys
0xF73C2000 KSecDD.sys
0xF7335000 Ntfs.sys
0xF7308000 NDIS.sys
0xF763B000 ohci1394.sys
0xF764B000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF72EE000 Mup.sys
0xF765B000 klbg.sys
0xF76BB000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF77DB000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF72A1000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF5DBA000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF5DA6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF79E3000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5D82000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77EB000 \SystemRoot\system32\DRIVERS\klfltdev.sys
0xF788B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77FB000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF5D6E000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF5A5E000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF5A1B000 \SystemRoot\system32\drivers\STAC97.sys
0xF59F7000 \SystemRoot\system32\drivers\portcls.sys
0xF780B000 \SystemRoot\system32\drivers\drmk.sys
0xF59D4000 \SystemRoot\system32\drivers\ks.sys
0xF59A3000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF58A4000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF57FC000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF787B000 \SystemRoot\System32\Drivers\Modem.SYS
0xF781B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF729D000 \SystemRoot\system32\DRIVERS\IPFilter.sys
0xF782B000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0xF7883000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7893000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF783B000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF784B000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF6651000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF57BF000 \SystemRoot\system32\DRIVERS\iwca.sys
0xF6641000 \SystemRoot\system32\DRIVERS\klim5.sys
0xF7C94000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B1F000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF6631000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7295000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF57A8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6621000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6611000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF789B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5797000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6601000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78A3000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78AB000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5767000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF65F1000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B21000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5709000 \SystemRoot\system32\DRIVERS\update.sys
0xF5F1F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78B3000 \SystemRoot\system32\DRIVERS\omci.sys
0xF65E1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF767B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B29000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7AA3000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF78C3000 \SystemRoot\System32\Drivers\BTHUSB.sys
0xED67E000 \SystemRoot\System32\Drivers\bthport.sys
0xF7AA7000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF768B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF78CB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7AAB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF769B000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0xF78D3000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0xED59D000 \SystemRoot\system32\DRIVERS\bthpan.sys
0xED54C000 \SystemRoot\system32\DRIVERS\klif.sys
0xF7B2D000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF7B2F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C54000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B31000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78E3000 \SystemRoot\system32\drivers\ssrtln.sys
0xF78EB000 \SystemRoot\System32\drivers\vga.sys
0xF7B33000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B35000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78F3000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78FB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AB7000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xED00C000 \??\C:\WINDOWS\system32\drivers\kl1.sys
0xECFF9000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xECF78000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xECF50000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF72B1000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xECF2E000 \SystemRoot\System32\drivers\afd.sys
0xF76AB000 \SystemRoot\system32\DRIVERS\netbios.sys
0xECF03000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xECE93000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76EB000 \SystemRoot\System32\Drivers\Fips.SYS
0xECE6D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xED6DD000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF76FB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF770B000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xECB73000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xECB5B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B4B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xED6C1000 \SystemRoot\System32\drivers\Dxapi.sys
0xF790B000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xECBC5000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xBF391000 \SystemRoot\System32\ATMFD.DLL
0xF76CB000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7C65000 \SystemRoot\system32\dla\tfsndres.sys
0xB86AA000 \SystemRoot\system32\dla\tfsnifs.sys
0xB8748000 \SystemRoot\system32\dla\tfsnopio.sys
0xF7B51000 \SystemRoot\system32\dla\tfsnpool.sys
0xF7913000 \SystemRoot\system32\dla\tfsnboio.sys
0xF76DB000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7C66000 \SystemRoot\system32\dla\tfsndrct.sys
0xB8691000 \SystemRoot\system32\dla\tfsnudf.sys
0xB8678000 \SystemRoot\system32\dla\tfsnudfa.sys
0xB86CC000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB86C8000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB8584000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB856C000 \SystemRoot\SYSTEM32\Drivers\wg4n.sys
0xB8568000 \SystemRoot\SYSTEM32\Drivers\wg5n.sys
0xB8564000 \SystemRoot\SYSTEM32\Drivers\wg6n.sys
0xB832B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8132000 \SystemRoot\System32\Drivers\HTTP.sys
0xB831F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB80B2000 \SystemRoot\system32\DRIVERS\srv.sys
0xB7AAD000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8638000 \SystemRoot\system32\drivers\sysaudio.sys
0xB7D2A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB83A0000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xB72B4000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
-
2nd part of the log from the 1st run--
Processes (total 47):
0 System Idle Process
4 System
1588 C:\WINDOWS\system32\smss.exe
1636 csrss.exe
1664 C:\WINDOWS\system32\winlogon.exe
1712 C:\WINDOWS\system32\services.exe
1724 C:\WINDOWS\system32\lsass.exe
1892 C:\WINDOWS\system32\ati2evxx.exe
1912 C:\WINDOWS\system32\svchost.exe
1992 svchost.exe
2036 C:\WINDOWS\system32\svchost.exe
176 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
316 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
360 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
600 svchost.exe
928 C:\WINDOWS\system32\spoolsv.exe
996 svchost.exe
1032 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
1052 svchost.exe
1092 C:\WINDOWS\ehome\ehrecvr.exe
1184 C:\WINDOWS\ehome\ehSched.exe
1268 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
1384 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
884 svchost.exe
1780 C:\WINDOWS\system32\svchost.exe
460 mcrdsvc.exe
2100 wmiprvse.exe
2520 C:\WINDOWS\system32\dllhost.exe
2576 alg.exe
3544 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
3768 C:\WINDOWS\system32\ati2evxx.exe
3988 C:\WINDOWS\explorer.exe
1152 C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
2244 C:\WINDOWS\ehome\ehtray.exe
2296 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
2560 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
608 C:\Program Files\Dell\QuickSet\quickset.exe
1004 C:\WINDOWS\system32\dla\tfswctrl.exe
512 C:\WINDOWS\system32\rundll32.exe
1488 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2796 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
1484 C:\WINDOWS\system32\ctfmon.exe
2496 C:\WINDOWS\ehome\ehmsas.exe
584 C:\PC Calm\SpywareGuard\sgmain.exe
3040 C:\PC Calm\SpywareGuard\sgbhp.exe
968 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
356 C:\Documents and Settings\Tim\Desktop\MBRCheck.exe
\\.\C: --> error 1
\\.\D: --> error 1
\\.\E: --> error 1
PhysicalDrive0 Model Number: HitachiHTS541060G9AT00, Rev: MB3OA61A
Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 693F9ADCDAC5860A7960F13D1FACD10AE3DDB257
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
-
Log of the 2nd run, but I don't think it was successful. Please advise.
ú¸ ŽÐ¼ |ûŽØü¹€ ‹ô¿ ŽÀóf¥ê/ °ùúæpë äq¨° ë æpû¿UuTèÉ ¿F´ÍtH= ‰uC´Í3ÛƇ¾ €¿ÂÛtƒÃƒû@rì¾bé Ƈ¾€Æ‡Â.Ç# ¸C †Ä²€¾ÍrÛ
äu×3Û3ÉŠ‡¾< t<€t¾”ëXA‹ëƒÃƒû@r侟 €ùuC¾s‹ÅÁè Dÿ×f‹†Æf.£'.Ç# |´B²€¾Í¾‹r
äu¾„ÿ×¾ª>þ}Uªuéùt¿Fÿ×´ Í͸ ͸ ¸ŽÀ3ÿ¸ ¹P ó«±¾V¿D ¬«âü´· º Í´†¹ º€„Íì< t ´» ÍëòÃÃwww.dell.comCannot restore
Loading PBR 1... done
failed
Bad flag
0 active
Bad PBR
ð†æ Þþ?? Éõ € þÿÿö Ùºe ÁÿÛþÿÿá°gÞŒ” Uª
-
ëòÃÃwww.dell.comCannot restore
OK, you have a Dell MBR, so that is good.
I am not quite sure why CF keeps finding the TDL4, as all other indications are that the MBR is clean.
Could you delete your current copy of ComboFix, download and run a fresh one to see if it still reports it?
-
Thank you Essexboy. I will download another ComboFix to check. But how do you read that 2nd run log? AswMBR also found "non-standard or infected MBR".
-
I actually took it from the MBR text "dell.comCannot restore". This means you have a non-standard Dell MBR, so it will be reported as unknown.
-
What does that Dell thing mean?
Here is the 1st part of ComboFix log. The difference I have this time is that ComboFix runs in normal mode. It used to require safe mode.
ComboFix 11-07-29.01 - Tim 07/29/2011 12:48:24.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.525 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-29 )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:03 . 2011-07-02 16:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-29 13:36 . 2011-06-18 03:14 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2005-08-16 10:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 14:11 . 2011-06-04 04:19 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-06-04 04:19 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2001-12-03 23:09 . 2011-01-04 22:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-22_19.36.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2005-08-16 10:18 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
- 2005-08-16 10:18 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
+ 2006-01-10 05:50 . 2011-07-23 19:03 6162 c:\windows\system32\KGyGaAvL.sys
- 2006-01-10 05:50 . 2011-06-17 02:59 6162 c:\windows\system32\KGyGaAvL.sys
+ 2005-08-16 10:18 . 2011-04-26 11:07 293376 c:\windows\system32\winsrv.dll
- 2005-08-16 10:18 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
+ 2005-08-16 10:18 . 2011-04-29 17:25 151552 c:\windows\system32\schannel.dll
+ 2011-07-02 16:03 . 2011-07-02 16:03 243360 c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe
- 2005-08-16 10:27 . 2011-04-13 18:19 337848 c:\windows\system32\FNTCACHE.DAT
+ 2005-08-16 10:27 . 2011-07-13 14:40 337848 c:\windows\system32\FNTCACHE.DAT
+ 2010-06-18 17:45 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2010-01-27 01:07 . 2011-07-02 16:03 6271648 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-16 13:17 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 19:36 . 2011-07-13 14:21 49089992 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
-
Here is the second part of log.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-07-15 6619456]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-08-18 340520]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
2006-05-02 22:48 14848 ----a-w- c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=2 (0x2)
"a2free"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S3 cpuz134;cpuz134;\??\c:\docume~1\Tim\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Tim\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]
S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]
S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
Trusted Zone: construction.com
Trusted Zone: constructionvaults.com
Trusted Zone: isqft.com\www
Trusted Zone: lrplot.com
DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-InstallShield_{64A77F14-0E08-4A97-A859-E93CFF428756} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{CC0E9D50-FA41-4514-B986-A9B2167B1F2D} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1604)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-07-29 13:01:53
ComboFix-quarantined-files.txt 2011-07-29 18:01
.
Pre-Run: 7,011,217,408 bytes free
Post-Run: 7,065,014,272 bytes free
.
- - End Of File - - 11EA58D2C99CF5B3A574CBF2E65D9E5F
-
Do you have a Dell computer ?
-
Yes.
-
That part enables the Dell recovery partition; alter the MBR and you will not be able to easily access it.
-
When you say "that part", what are you referring to?
Thanks.
ss10000
-
I believe essexboy is referring to the unknown MBR in the MBRCheck log (Reply #33 and #34 above):
\\.\PhysicalDrive0 Unknown MBR code
Since the Dell needs to be able to access its recovery partition/recovery console the actual MBR is a custom MBR 'e.g. unknown' rather than it being recognised as a Default Windows XP MBR code.
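The two replies above (the "www.dell.com" string read out of the raw MBR dump, and the explanation that an OEM MBR is reported as "Unknown MBR code" because it is not the default Windows XP boot code) describe what a tool such as MBRCheck or aswMBR actually looks at. The following Python script is an added example, not part of this thread and not code from any of the tools mentioned: it parses a 512-byte MBR sector, checks the 0x55AA boot signature and the partition status flags, and searches the boot-code area for an OEM marker string before deciding whether "unknown" means "non-standard but explainable" or "go compare against a known-good image". The sample sector, the OEM marker table and the partition values are constructed here for illustration.

```python
"""
Read a raw 512-byte MBR the way a defender reads an MBRCheck/aswMBR result.
Added example with a constructed sample sector; not the poster's real dump.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
BOOT_SIG_OFFSET = 510     # last two bytes must be 0x55 0xAA

# Constructed marker table. "www.dell.com" is the string quoted in the thread;
# any other vendor strings you add here are your own assumptions.
OEM_MARKERS = {
    b"www.dell.com": "Dell (custom MBR with recovery-partition support)",
}


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries; empty slots are skipped."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue
        entries.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return entries


def classify_mbr(sector: bytes) -> dict:
    """Return a report dict with a plain-language verdict for the sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:PART_TABLE_OFFSET]
    status_bytes = [sector[PART_TABLE_OFFSET + 16 * i] for i in range(4)]
    partitions = parse_partition_table(sector)
    report = {
        "sha1": hashlib.sha1(sector).hexdigest().upper(),
        "valid_signature": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        # a status byte other than 0x00/0x80 is what tools print as "Bad flag"
        "bad_flag": any(s not in (0x00, 0x80) for s in status_bytes),
        "active_count": sum(1 for p in partitions if p["active"]),
        "partitions": partitions,
        "oem": None,
    }
    for marker, name in OEM_MARKERS.items():
        if marker in boot_code:
            report["oem"] = name
            break
    if not report["valid_signature"]:
        report["verdict"] = "invalid: missing 0x55AA boot signature"
    elif report["bad_flag"] or report["active_count"] != 1:
        report["verdict"] = "suspicious: expected exactly one 0x80 active entry"
    elif report["oem"]:
        report["verdict"] = ("non-standard OEM MBR (signature tools report it as "
                             "'Unknown'); not an infection indicator by itself")
    else:
        report["verdict"] = ("unknown boot code: compare the SHA1 against a "
                             "known-good image before acting")
    return report


def build_sample_sector() -> bytes:
    """Constructed sample: filler boot code carrying the Dell marker string."""
    code = bytearray(b"\x90" * PART_TABLE_OFFSET)
    marker = b"www.dell.comCannot restore"
    code[300:300 + len(marker)] = marker
    table = bytearray()
    # entry 0: active, NTFS (0x07), LBA start 63 (assumed values)
    table += struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 204800)
    # entry 1: inactive, FAT32 LBA (0x0C), directly after entry 0 (assumed values)
    table += struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x0C, b"\xFE\xFF\xFF", 204863, 102400)
    table += b"\x00" * 32  # two empty slots
    return bytes(code + table + b"\x55\xAA")


if __name__ == "__main__":
    for key, value in classify_mbr(build_sample_sector()).items():
        print(f"{key}: {value}")
```

On a real machine you would feed `classify_mbr` the first 512 bytes of the physical disk (or the MBR backup a rescue tool saved) and compare the SHA1 it prints with the one in the MBRCheck log; the point of the marker check is that a vendor string in the boot code explains an "Unknown MBR code" result without proving the sector is clean, which is why the verdict still asks for a comparison against a known-good image when no marker is found.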
-
Correct. If your MBR was reset to standard, then if you need to restore your computer to factory settings it would fail, as the necessary information would no longer exist.
-
Can we conclude that there is no TDL4 on my computer and my computer is clean?
By the way, I am not aware of the recovery ability of Dell MBR. Do you know by chance how to use it?
I don't remember when, but it did happen that I suddenly had two more local drives on my computer besides C:\. The computer generated them on its own sometime after I had only one local drive for at least two years. Are they the recovery partition you talk about?
Thank you everyone.
ss10000
-
Taken from a Dell forum
You can access your Dell's recovery partition by pressing Ctrl+F11 when the machine is first turned on. The appropriate time to do this is almost immediately after the power button is pressed. A small message is usually displayed that offers to let you enter the BIOS (usually F2 on newer Dells) or go to the boot menu (F8 or F10, I think; it displays the appropriate key to press).
So, assuming that the partition that the recovery image is saved to hasn’t been deleted for some reason, or that the master boot record hasn’t been altered from the factory settings then the Dell System Recovery software will load and you will be given the option to reimage your drive. Their software is basically just a rebranded version of Norton’s Ghost or some other similar imaging software.
Do keep in mind that if you decide to reimage your machine that all of the data that was on your hard drive will be lost. The machine will be exactly as it was when you first purchased it – meaning that any saved documents, movies, music, settings, programs installed by yourself, etc will be gone.
-
Thank you very much for all your help.
But can I do e-commerce on my computer now? Is it ok?
ss10000
-
As a matter of prudence I would recommend that you change all your sensitive passwords, just in case they were gathered, although I saw no indication of that.
-
Thank you Essexboy and everybody who helps. Thank you very much.
ss10000