Author Topic: TDL 4. Is it there or a misread by ComboFix?  (Read 23860 times)


com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #15 on: July 22, 2011, 11:23:25 AM »
i certainly.... ;D ;D ;D....sorry and thanks for that info.....another suggestion that was needed for a malware remover...thanks!!! ;D ;D ;D

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #16 on: July 22, 2011, 11:33:28 AM »
you say you are training at Bleepingcomputer!

then maybe you should look at this TDL4 removal from Bleepingcomputer......using aswMBR   ;)
http://www.bleepingcomputer.com/forums/topic390804.html

Hard_ROCKER

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #17 on: July 22, 2011, 11:37:50 AM »
If he is indeed training at bleepingcomputer or geekstogo then he really needs to read their rules because they do not allow their trainees to provide malware removal advice before they've completed their training.   ::)

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #18 on: July 22, 2011, 11:42:45 AM »
sorry will keep a note....."note:aswmbr removed tdl4 rootkits."Hmmmm.... :(

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #19 on: July 22, 2011, 03:34:43 PM »
@com155
I warned you not to use tools if you do not know how to use them.
Know this:
aswMBR is able to detect known TDL4 and known & unknown sector infections, known as MBR rootkits.

also please read:
Quote
ComboFix detected TDL4

@ss10000
You should follow my instructions. I asked for Combofix reports.
If you ran TDSSKiller you should attach report.

My guess is that you no longer have google redirections...
If you have google redirects follow my instructions:
If you don't have google redirects please remove the malware removal tools!


Start >> Run
Code:
Combofix /Uninstall [Enter]

also:
http://forums.majorgeeks.com/showthread.php?t=31668


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #20 on: July 22, 2011, 04:29:21 PM »
@darth mikey
oh i just wanted to say to him not to throw tools that don't solve the problem :'( :'( i will report u for harassing!!!

This is what you do all the time and what we are constantly telling you not to do, you aren't being harassed you are being educated. But you just don't get it.

Here you are a) complaining about what you do and b) you are wrong about aswMBR, it can detect TDL4 rootkits as the image (see below) shows and depending on the circumstances fix them. So it can in this case be used for analysis also to confirm or deny the presence of a TDL4 rootkit. However this one needs more care and attention as the system is an HP one and fixing the MBR could mean the user can no longer access the HP recovery partition/recovery console.

[TDL4] **ROOTKIT** found:


By all means report this and the others that you feel have harassed you as all it will do is bring you directly into contact with the moderators and show your experience levels. Who knows it may result in another spell of absence.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #21 on: July 23, 2011, 05:19:42 AM »
Obviously, somebody took over before I could post my log (:

aswMBR log--
aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-22 21:27:26
-----------------------------
21:27:26.062    OS Version: Windows 5.1.2600 Service Pack 3
21:27:26.062    Number of processors: 1 586 0xD08
21:27:26.062    ComputerName: DDTPK291  UserName: Tim
21:27:47.578    Initialize success
21:36:07.125    AVAST engine defs: 11072201
21:36:40.968    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:36:40.968    Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
21:36:40.984    Disk 0 MBR read successfully
21:36:40.984    Disk 0 MBR scan
21:36:41.078    Disk 0 unknown MBR code
21:36:41.078    Disk 0 scanning sectors +117194175
21:36:41.171    Disk 0 scanning C:\WINDOWS\system32\drivers
21:37:43.265    Service scanning
21:37:49.765    Modules scanning
21:38:00.859    Disk 0 trace - called modules:
21:38:00.890    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:38:00.890    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87360ab8]
21:38:00.890    3 CLASSPNP.SYS[f761bfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87355940]
21:38:02.250    AVAST engine scan C:\WINDOWS
21:38:15.953    AVAST engine scan C:\WINDOWS\system32
21:47:44.828    AVAST engine scan C:\WINDOWS\system32\drivers
21:48:45.046    AVAST engine scan C:\Documents and Settings\Tim
21:56:13.843    AVAST engine scan C:\Documents and Settings\All Users
22:14:23.953    Scan finished successfully
22:17:54.546    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tim\Desktop\MBR.dat"
22:17:54.562    The log file has been saved successfully to "C:\Documents and Settings\Tim\Desktop\aswMBR.txt"


Thank you.

ss10000

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #22 on: July 23, 2011, 06:02:25 AM »
will take care....certainly i feel the need of improvement.....i will come back to malware removal job on the forums after i am finished with my training... ;) ;) ;) ;) till then will stay with my job of malware removal in India....... ;D

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #23 on: July 23, 2011, 06:07:14 AM »
Here is the combofix log just generated. I have to send two posts because the log is over 10000 words long. Here is the first part of the log--

ComboFix 11-07-22.02 - Tim 07/22/2011  22:39:49.6.1 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.815 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\sv.ini
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((   Files Created from 2011-06-23 to 2011-07-23  )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:03 . 2011-07-02 16:03   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 22:04 . 2011-06-18 03:14   21064   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 17:53 . 2011-06-02 17:53   94208   ----a-w-   c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2005-08-16 10:18   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-05-29 14:11 . 2011-06-04 04:19   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-06-04 04:19   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2005-08-16 10:18   151552   ----a-w-   c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2005-12-26 15:32   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2005-08-16 10:18   293376   ----a-w-   c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2005-08-16 10:18   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2005-08-16 10:18   916480   ----a-w-   c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2005-08-16 10:18   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2005-08-16 10:18   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2005-08-16 10:18   385024   ----a-w-   c:\windows\system32\html.iec
2001-12-03 23:09 . 2011-01-04 22:17   90112   ----a-w-   c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-06-22_19.36.13   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-12-14 07:08 . 2010-12-09 14:30   33280              c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07   33280              c:\windows\system32\dllcache\csrsrv.dll
- 2006-01-10 05:50 . 2011-06-17 02:59   6162              c:\windows\system32\KGyGaAvL.sys
+ 2006-01-10 05:50 . 2011-06-23 17:08   6162              c:\windows\system32\KGyGaAvL.sys
+ 2011-07-02 16:03 . 2011-07-02 16:03   243360              c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe
+ 2005-08-16 10:27 . 2011-07-13 14:40   337848              c:\windows\system32\FNTCACHE.DAT
- 2005-08-16 10:27 . 2011-04-13 18:19   337848              c:\windows\system32\FNTCACHE.DAT
- 2010-06-18 17:45 . 2010-06-18 17:45   293376              c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-04-26 11:07   293376              c:\windows\system32\dllcache\winsrv.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25   151552              c:\windows\system32\dllcache\schannel.dll
+ 2010-01-27 01:07 . 2011-07-02 16:03   6271648              c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-16 13:17 . 2011-06-02 14:02   1858944              c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 19:36 . 2011-07-13 14:21   49089992              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #24 on: July 23, 2011, 06:08:26 AM »
This is the second part--

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-07-15 6619456]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
2006-05-02 22:48   14848   ----a-w-   c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=2 (0x2)
"a2free"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]
S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]
S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
Trusted Zone: construction.com
Trusted Zone: constructionvaults.com
Trusted Zone: isqft.com\www
Trusted Zone: lrplot.com
DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(236)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-07-22  22:52:35
ComboFix-quarantined-files.txt  2011-07-23 03:52
.
Pre-Run: 8,517,734,400 bytes free
Post-Run: 8,605,675,520 bytes free
.
- - End Of File - - 9D28758DA866EF69626E8A6D86959706

Thank you very much.

ss10000

com155

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #25 on: July 23, 2011, 06:09:47 AM »
Quote
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

i think combofix has fixed the bootkit...

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #26 on: July 23, 2011, 04:50:47 PM »
The problem is that ComboFix keeps finding and fixing TDL4 whenever it is run.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #27 on: July 23, 2011, 05:01:10 PM »
Hi there this may be the new variant - which is a tad sneaky

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

THEN

A second run so that I can test out the MBR

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Quote
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Enter Y and press Enter.

The following dialog will be presented:
Quote
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Enter 1 and press Enter

The following dialog will be presented:

Quote
Enter the physical disk number to fix (0-99, -1 to cancel):

Enter 0 and press Enter

The program will ask for the file name to dump to, type dump.txt and Press Enter. You should see a Dumped successfully message. Type -1 and press Enter twice to exit the program. Save the dump.dat file to your desktop.

Step 2:
Please attach the dump.txt file to your next post.
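
The dump that MBRCheck writes in the steps above, and the MBR.dat that aswMBR saved in the log earlier in the thread, are both a raw 512-byte copy of sector 0. Below is an added example (not from this thread, MBRCheck or aswMBR) of the checks a helper can run over such an image before deciding whether the boot code is standard: verify the 0x55AA signature, hash the 440 bytes of boot code against a known-good value, decode the partition table, and measure how much of the disk lies past the last partition, which is where TDL4 keeps its hidden file system. The disk size, partition layout and "known-good" boot code are constructed sample data; the assumption that aswMBR's "scanning sectors +117194175" names the first sector after the last partition is mine, not something the log states.

```python
"""Triage a 512-byte MBR image (e.g. MBR.dat from aswMBR or the MBRCheck dump)
for the traces a bootkit such as TDL4 leaves: non-standard boot code and
unallocated sectors past the last partition. Added example with constructed data."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439: executable boot code (before the disk signature)
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
SLACK_LIMIT = 16065           # one CHS cylinder (255 heads x 63 sectors): normal XP-era alignment slack


def parse_partitions(mbr):
    """Decode the four MBR partition entries into dicts (lba_end is inclusive)."""
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({
            "status": status, "type": ptype, "lba_start": lba_start,
            "sectors": sectors,
            "lba_end": lba_start + sectors - 1 if sectors else None,
        })
    return parts


def triage_mbr(mbr, disk_sectors, known_good_sha256=None):
    """Return a triage record for one 512-byte MBR image."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR)
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    # Hash only the boot code; the disk signature and partition table legitimately differ per machine.
    code_sha256 = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if known_good_sha256 is not None and code_sha256 != known_good_sha256:
        findings.append("boot code SHA-256 does not match known-good value")
    parts = parse_partitions(mbr)
    used = [p for p in parts if p["type"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) != 1:
        findings.append("expected exactly one active partition")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition entry has non-standard status byte 0x%02x" % p["status"])
        if p["lba_end"] is None or p["lba_end"] >= disk_sectors:
            findings.append("partition entry is empty or extends past the end of the disk")
    # Sectors after the last partition: the area a bootkit can use without touching any volume.
    last_used = max((p["lba_end"] for p in used if p["lba_end"] is not None), default=-1)
    trailing = disk_sectors - (last_used + 1)
    if trailing > SLACK_LIMIT:
        findings.append("%d unallocated sectors after the last partition" % trailing)
    return {"code_sha256": code_sha256, "partitions": parts,
            "trailing_sectors": trailing, "findings": findings}


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i, *entry)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# --- constructed sample data (not taken from the thread) -------------------
# Stand-in "known-good" boot code: the classic opening bytes of a Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h) padded with NOPs.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
# Same image with its first 16 bytes altered, standing in for "unknown MBR code".
ALTERED_BOOT_CODE = bytes(b ^ 0xFF for b in CLEAN_BOOT_CODE[:16]) + CLEAN_BOOT_CODE[16:]
# Constructed 60 GB disk (117,210,240 LBAs, roughly the 57231 MB in the posted log) with one
# active NTFS partition ending at LBA 117194174, so the first free sector is 117194175
# (assumed to be what aswMBR's "scanning sectors +117194175" line refers to).
DISK_SECTORS = 117_210_240
PARTITIONS = [(0x80, 0x07, 63, 117_194_112), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
ALTERED_MBR = build_mbr(ALTERED_BOOT_CODE, PARTITIONS)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        r = triage_mbr(image, DISK_SECTORS, KNOWN_GOOD_SHA256)
        print(name, "trailing sectors:", r["trailing_sectors"], "findings:", r["findings"])
```

One cylinder of trailing slack (16065 sectors) is normal on an XP-era, CHS-aligned disk, so only a larger gap is reported as a finding; either way those trailing sectors are the region to compare against a clean disk image, since rewriting the MBR alone does not clear whatever is stored there.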

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #28 on: July 23, 2011, 05:38:08 PM »
When I ran aswMBR, it has a button 'fix mbr'. I didn't click on it because I wasn't told to. I just posted the log. Should I run aswMBR again and click the button?

Thank you.

ss10000

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #29 on: July 23, 2011, 05:40:17 PM »
No because I will first need a look at the MBR

If you could run MBRCheck.exe and then I will be able to determine the next course