TDL 4. Is it there or a misread by ComboFix?

DavidR:

--- Quote from: com155 on July 22, 2011, 10:50:07 AM ---@darth mikey
Oh, I just wanted to say to him not to throw tools that don't solve the problem :'( :'( I will report you for harassing!!!

--- End quote ---

This is what you do all the time and what we are constantly telling you not to do; you aren't being harassed, you are being educated. But you just don't get it.

Here you are a) complaining about what you do and b) you are wrong about aswMBR: it can detect TDL4 rootkits, as the image (see below) shows, and depending on the circumstances fix them. So it can in this case be used for analysis also, to confirm or deny the presence of a TDL4 rootkit. However, this one needs more care and attention as the system is an HP one, and fixing the MBR could mean the user can no longer access the HP recovery partition/recovery console.

[Image of an aswMBR scan result showing: [TDL4] **ROOTKIT** found]

By all means report this and the others that you feel have harassed you, as all it will do is bring you directly into contact with the moderators and show your experience levels. Who knows, it may result in another spell of absence.

ss10000:
Obviously, somebody took over before I could post my log (:

aswMBR log--
aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-22 21:27:26
-----------------------------
21:27:26.062    OS Version: Windows 5.1.2600 Service Pack 3
21:27:26.062    Number of processors: 1 586 0xD08
21:27:26.062    ComputerName: DDTPK291  UserName: Tim
21:27:47.578    Initialize success
21:36:07.125    AVAST engine defs: 11072201
21:36:40.968    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:36:40.968    Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
21:36:40.984    Disk 0 MBR read successfully
21:36:40.984    Disk 0 MBR scan
21:36:41.078    Disk 0 unknown MBR code
21:36:41.078    Disk 0 scanning sectors +117194175
21:36:41.171    Disk 0 scanning C:\WINDOWS\system32\drivers
21:37:43.265    Service scanning
21:37:49.765    Modules scanning
21:38:00.859    Disk 0 trace - called modules:
21:38:00.890    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:38:00.890    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87360ab8]
21:38:00.890    3 CLASSPNP.SYS[f761bfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87355940]
21:38:02.250    AVAST engine scan C:\WINDOWS
21:38:15.953    AVAST engine scan C:\WINDOWS\system32
21:47:44.828    AVAST engine scan C:\WINDOWS\system32\drivers
21:48:45.046    AVAST engine scan C:\Documents and Settings\Tim
21:56:13.843    AVAST engine scan C:\Documents and Settings\All Users
22:14:23.953    Scan finished successfully
22:17:54.546    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tim\Desktop\MBR.dat"
22:17:54.562    The log file has been saved successfully to "C:\Documents and Settings\Tim\Desktop\aswMBR.txt"


Thank you.

ss10000

com155:
Will take care... Certainly I feel the need for improvement... I will come back to the malware removal job on the forums after I am finished with my training... ;) ;) ;) ;) Till then I will stay with my job of malware removal in India... ;D

ss10000:
Here is the ComboFix log just generated. I have to send two posts because the log is over 10000 words long. Here is the first part of the log--

ComboFix 11-07-22.02 - Tim 07/22/2011  22:39:49.6.1 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.815 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\sv.ini
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((   Files Created from 2011-06-23 to 2011-07-23  )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:03 . 2011-07-02 16:03   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 22:04 . 2011-06-18 03:14   21064   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 17:53 . 2011-06-02 17:53   94208   ----a-w-   c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2005-08-16 10:18   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-05-29 14:11 . 2011-06-04 04:19   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-06-04 04:19   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2005-08-16 10:18   151552   ----a-w-   c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2005-12-26 15:32   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2005-08-16 10:18   293376   ----a-w-   c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2005-08-16 10:18   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2005-08-16 10:18   916480   ----a-w-   c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2005-08-16 10:18   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2005-08-16 10:18   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2005-08-16 10:18   385024   ----a-w-   c:\windows\system32\html.iec
2001-12-03 23:09 . 2011-01-04 22:17   90112   ----a-w-   c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-06-22_19.36.13   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-12-14 07:08 . 2010-12-09 14:30   33280              c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07   33280              c:\windows\system32\dllcache\csrsrv.dll
- 2006-01-10 05:50 . 2011-06-17 02:59   6162              c:\windows\system32\KGyGaAvL.sys
+ 2006-01-10 05:50 . 2011-06-23 17:08   6162              c:\windows\system32\KGyGaAvL.sys
+ 2011-07-02 16:03 . 2011-07-02 16:03   243360              c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe
+ 2005-08-16 10:27 . 2011-07-13 14:40   337848              c:\windows\system32\FNTCACHE.DAT
- 2005-08-16 10:27 . 2011-04-13 18:19   337848              c:\windows\system32\FNTCACHE.DAT
- 2010-06-18 17:45 . 2010-06-18 17:45   293376              c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-04-26 11:07   293376              c:\windows\system32\dllcache\winsrv.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25   151552              c:\windows\system32\dllcache\schannel.dll
+ 2010-01-27 01:07 . 2011-07-02 16:03   6271648              c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-16 13:17 . 2011-06-02 14:02   1858944              c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 19:36 . 2011-07-13 14:21   49089992              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.

ss10000:
This is the second part--

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-07-15 6619456]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
2006-05-02 22:48   14848   ----a-w-   c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=2 (0x2)
"a2free"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]
S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]
S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
Trusted Zone: construction.com
Trusted Zone: constructionvaults.com
Trusted Zone: isqft.com\www
Trusted Zone: lrplot.com
DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(236)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-07-22  22:52:35
ComboFix-quarantined-files.txt  2011-07-23 03:52
.
Pre-Run: 8,517,734,400 bytes free
Post-Run: 8,605,675,520 bytes free
.
- - End Of File - - 9D28758DA866EF69626E8A6D86959706

Thank you very much.

ss10000
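A small triage script over the two log formats posted above, added here as an example and not taken from the thread or from the aswMBR/ComboFix authors: it flags the aswMBR MBR-scan lines a helper looks at first, pulls the ComboFix bootkit line apart, and lists the registry values in the ComboFix log that mean a protection is switched off. The log excerpts are constructed from this thread, and the line formats are assumed to match what the two tools print.

```python
import re

# Constructed excerpts of the two logs posted in this thread (assumption: the
# line formats match what aswMBR and ComboFix print, as quoted above).
ASWMBR_LOG = """\
21:36:40.984    Disk 0 MBR read successfully
21:36:40.984    Disk 0 MBR scan
21:36:41.078    Disk 0 unknown MBR code
22:14:23.953    Scan finished successfully
"""
COMBOFIX_LOG = r"""
c:\windows\sv.ini
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

ASWMBR_LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(.*)$")
# aswMBR messages seen in this thread that call for a human look at the MBR
ASWMBR_INDICATORS = ("unknown MBR code", "**ROOTKIT** found")
BOOTKIT_LINE = re.compile(r"^(\\\\\.\\PhysicalDrive\d+) - Bootkit (\S+) was found(?: and (\w+))?")

def aswmbr_findings(log):
    """(timestamp, message) pairs for aswMBR lines that match an indicator."""
    hits = []
    for line in log.splitlines():
        m = ASWMBR_LINE.match(line)
        if m and any(ind in m.group(2) for ind in ASWMBR_INDICATORS):
            hits.append((m.group(1), m.group(2)))
    return hits

def combofix_bootkit(log):
    """(device, family, action) if ComboFix reported a bootkit, else None."""
    for line in log.splitlines():
        m = BOOTKIT_LINE.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3) or "found only"
    return None

def combofix_protection_off(log):
    """(key, value name) for values meaning XP firewall off or AV monitoring off."""
    off, key = [], None
    for line in log.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key that the following values belong to
        elif key and ('"EnableFirewall"= 0' in line or '"DisableMonitoring"=dword:00000001' in line):
            off.append((key, line.split("=")[0].strip('"')))
    return off
```

Whether a DisableMonitoring entry is expected (many third-party AV suites set it themselves) or the firewall was switched off on purpose is something to confirm with the user rather than act on automatically.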
