Topic: TDL 4. Is it there or a misread by ComboFix?


ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #30 on: July 23, 2011, 05:43:04 PM »
When I run MBRCheck, do I have to disable my A/V?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #31 on: July 23, 2011, 05:44:29 PM »
Nope, just run it  ;D

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #32 on: July 27, 2011, 03:15:38 AM »
1st part of the log from the 1st run:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000003c

Kernel Drivers (total 160):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806D1000 \WINDOWS\system32\hal.dll
  0xF7ADB000 \WINDOWS\system32\KDCOM.DLL
  0xF79EB000 \WINDOWS\system32\BOOTVID.dll
  0xF74AC000 ACPI.sys
  0xF7ADD000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xF749B000 pci.sys
  0xF75DB000 isapnp.sys
  0xF79EF000 compbatt.sys
  0xF79F3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
  0xF7BA3000 pciide.sys
  0xF785B000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xF7ADF000 intelide.sys
  0xF747D000 pcmcia.sys
  0xF75EB000 MountMgr.sys
  0xF745E000 ftdisk.sys
  0xF7438000 dmio.sys
  0xF7863000 PartMgr.sys
  0xF75FB000 VolSnap.sys
  0xF7420000 atapi.sys
  0xF760B000 disk.sys
  0xF761B000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xF7400000 fltmgr.sys
  0xF73EE000 sr.sys
  0xF73D9000 drvmcdb.sys
  0xF762B000 PxHelp20.sys
  0xF73C2000 KSecDD.sys
  0xF7335000 Ntfs.sys
  0xF7308000 NDIS.sys
  0xF763B000 ohci1394.sys
  0xF764B000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
  0xF72EE000 Mup.sys
  0xF765B000 klbg.sys
  0xF76BB000 \SystemRoot\system32\DRIVERS\nic1394.sys
  0xF77DB000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xF72A1000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0xF5DBA000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
  0xF5DA6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF79E3000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xF5D82000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xF77EB000 \SystemRoot\system32\DRIVERS\klfltdev.sys
  0xF788B000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF77FB000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
  0xF5D6E000 \SystemRoot\system32\DRIVERS\sdbus.sys
  0xF5A5E000 \SystemRoot\system32\DRIVERS\w29n51.sys
  0xF5A1B000 \SystemRoot\system32\drivers\STAC97.sys
  0xF59F7000 \SystemRoot\system32\drivers\portcls.sys
  0xF780B000 \SystemRoot\system32\drivers\drmk.sys
  0xF59D4000 \SystemRoot\system32\drivers\ks.sys
  0xF59A3000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
  0xF58A4000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
  0xF57FC000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xF787B000 \SystemRoot\System32\Drivers\Modem.SYS
  0xF781B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xF729D000 \SystemRoot\system32\DRIVERS\IPFilter.sys
  0xF782B000 \SystemRoot\system32\DRIVERS\klmouflt.sys
  0xF7883000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xF7893000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xF783B000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xF784B000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xF6651000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xF57BF000 \SystemRoot\system32\DRIVERS\iwca.sys
  0xF6641000 \SystemRoot\system32\DRIVERS\klim5.sys
  0xF7C94000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xF7B1F000 \SystemRoot\System32\Drivers\RootMdm.sys
  0xF6631000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xF7295000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xF57A8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xF6621000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xF6611000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xF789B000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xF5797000 \SystemRoot\system32\DRIVERS\psched.sys
  0xF6601000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xF78A3000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xF78AB000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xF5767000 \SystemRoot\system32\DRIVERS\rdpdr.sys
  0xF65F1000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xF7B21000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xF5709000 \SystemRoot\system32\DRIVERS\update.sys
  0xF5F1F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xF78B3000 \SystemRoot\system32\DRIVERS\omci.sys
  0xF65E1000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xF767B000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xF7B29000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xF7AA3000 \SystemRoot\System32\Drivers\i2omgmt.SYS
  0xF78C3000 \SystemRoot\System32\Drivers\BTHUSB.sys
  0xED67E000 \SystemRoot\System32\Drivers\bthport.sys
  0xF7AA7000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0xF768B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0xF78CB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xF7AAB000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0xF769B000 \SystemRoot\system32\DRIVERS\rfcomm.sys
  0xF78D3000 \SystemRoot\system32\DRIVERS\BthEnum.sys
  0xED59D000 \SystemRoot\system32\DRIVERS\bthpan.sys
  0xED54C000 \SystemRoot\system32\DRIVERS\klif.sys
  0xF7B2D000 \SystemRoot\system32\drivers\sscdbhk5.sys
  0xF7B2F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7C54000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7B31000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF78E3000 \SystemRoot\system32\drivers\ssrtln.sys
  0xF78EB000 \SystemRoot\System32\drivers\vga.sys
  0xF7B33000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7B35000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF78F3000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF78FB000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF7AB7000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xED00C000 \??\C:\WINDOWS\system32\drivers\kl1.sys
  0xECFF9000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xECF78000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xECF50000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xF72B1000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xECF2E000 \SystemRoot\System32\drivers\afd.sys
  0xF76AB000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xECF03000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xECE93000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xF76EB000 \SystemRoot\System32\Drivers\Fips.SYS
  0xECE6D000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xED6DD000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
  0xF76FB000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xF770B000 \SystemRoot\system32\DRIVERS\arp1394.sys
  0xECB73000 \SystemRoot\System32\Drivers\Fastfat.SYS
  0xECB5B000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF7B4B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xED6C1000 \SystemRoot\System32\drivers\Dxapi.sys
  0xF790B000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xECBC5000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF012000 \SystemRoot\System32\ati2dvag.dll
  0xBF049000 \SystemRoot\System32\ati2cqag.dll
  0xBF07D000 \SystemRoot\System32\atikvmag.dll
  0xBF0B2000 \SystemRoot\System32\ati3duag.dll
  0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
  0xBF391000 \SystemRoot\System32\ATMFD.DLL
  0xF76CB000 \SystemRoot\system32\drivers\drvnddm.sys
  0xF7C65000 \SystemRoot\system32\dla\tfsndres.sys
  0xB86AA000 \SystemRoot\system32\dla\tfsnifs.sys
  0xB8748000 \SystemRoot\system32\dla\tfsnopio.sys
  0xF7B51000 \SystemRoot\system32\dla\tfsnpool.sys
  0xF7913000 \SystemRoot\system32\dla\tfsnboio.sys
  0xF76DB000 \SystemRoot\system32\dla\tfsncofs.sys
  0xF7C66000 \SystemRoot\system32\dla\tfsndrct.sys
  0xB8691000 \SystemRoot\system32\dla\tfsnudf.sys
  0xB8678000 \SystemRoot\system32\dla\tfsnudfa.sys
  0xB86CC000 \SystemRoot\system32\DRIVERS\AegisP.sys
  0xB86C8000 \SystemRoot\system32\DRIVERS\s24trans.sys
  0xB8584000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xB856C000 \SystemRoot\SYSTEM32\Drivers\wg4n.sys
  0xB8568000 \SystemRoot\SYSTEM32\Drivers\wg5n.sys
  0xB8564000 \SystemRoot\SYSTEM32\Drivers\wg6n.sys
  0xB832B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xB8132000 \SystemRoot\System32\Drivers\HTTP.sys
  0xB831F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xB80B2000 \SystemRoot\system32\DRIVERS\srv.sys
  0xB7AAD000 \SystemRoot\system32\drivers\wdmaud.sys
  0xB8638000 \SystemRoot\system32\drivers\sysaudio.sys
  0xB7D2A000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xB83A0000 \SystemRoot\system32\DRIVERS\asyncmac.sys
  0xB72B4000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll


ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #33 on: July 27, 2011, 03:16:52 AM »
2nd part of the log from the 1st run:

Processes (total 47):
       0 System Idle Process
       4 System
    1588 C:\WINDOWS\system32\smss.exe
    1636 csrss.exe
    1664 C:\WINDOWS\system32\winlogon.exe
    1712 C:\WINDOWS\system32\services.exe
    1724 C:\WINDOWS\system32\lsass.exe
    1892 C:\WINDOWS\system32\ati2evxx.exe
    1912 C:\WINDOWS\system32\svchost.exe
    1992 svchost.exe
    2036 C:\WINDOWS\system32\svchost.exe
     176 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     316 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     360 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
     600 svchost.exe
     928 C:\WINDOWS\system32\spoolsv.exe
     996 svchost.exe
    1032 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    1052 svchost.exe
    1092 C:\WINDOWS\ehome\ehrecvr.exe
    1184 C:\WINDOWS\ehome\ehSched.exe
    1268 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    1384 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     884 svchost.exe
    1780 C:\WINDOWS\system32\svchost.exe
     460 mcrdsvc.exe
    2100 wmiprvse.exe
    2520 C:\WINDOWS\system32\dllhost.exe
    2576 alg.exe
    3544 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    3768 C:\WINDOWS\system32\ati2evxx.exe
    3988 C:\WINDOWS\explorer.exe
    1152 C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    2244 C:\WINDOWS\ehome\ehtray.exe
    2296 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
    2560 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     608 C:\Program Files\Dell\QuickSet\quickset.exe
    1004 C:\WINDOWS\system32\dla\tfswctrl.exe
     512 C:\WINDOWS\system32\rundll32.exe
    1488 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    2796 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    1484 C:\WINDOWS\system32\ctfmon.exe
    2496 C:\WINDOWS\ehome\ehmsas.exe
     584 C:\PC Calm\SpywareGuard\sgmain.exe
    3040 C:\PC Calm\SpywareGuard\sgbhp.exe
     968 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
     356 C:\Documents and Settings\Tim\Desktop\MBRCheck.exe

\\.\C: -->  error 1
\\.\D: -->  error 1
\\.\E: -->  error 1

PhysicalDrive0 Model Number: HitachiHTS541060G9AT00, Rev: MB3OA61A

      Size  Device Name          MBR Status
  --------------------------------------------
     55 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 693F9ADCDAC5860A7960F13D1FACD10AE3DDB257


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #34 on: July 27, 2011, 03:22:47 AM »
Log of the 2nd run, but I don't think it was successful. Please advise.

ú¸  ŽÐ¼ |ûŽØü¹€ ‹ô¿ ŽÀóf¥ê/               °ùúæpë äq¨° ë æpû¿UuTèÉ ¿F´ÍtH= ‰uC´Í3ÛƇ¾ €¿ÂÛtƒÃƒû@rì¾bé Æ‡¾€Æ‡Â .Ç# ¸C †Ä²€¾ÍrÛ
äu×3Û3ÉŠ‡¾< t <€t¾”ëXA‹ëƒÃƒû@r侟 €ùuC¾s‹ÅÁè D ÿ×f‹†Æf.£'.Ç# |´B²€¾Í¾‹r
äu¾„ÿ×¾ª>þ}Uªuéùt¿Fÿ×´ Í͸ ͸ ¸ŽÀ3ÿ¸ ¹P ó«± ¾V¿D ¬«âü´· º Í´†¹ º€„Íì< t   ´» ÍëòÃÃwww.dell.comCannot restore
 Loading PBR 1... done
 failed
 Bad flag
 0 active
 Bad PBR
     ð†æ    Þþ??   Éõ € þÿÿö Ùºe  ÁÿÛþÿÿá°gÞŒ”                 Uª

Offline essexboy

Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #35 on: July 27, 2011, 07:07:58 PM »
Quote: ëòÃÃwww.dell.comCannot restore

OK, you have a Dell MBR, so that is good.

I am not quite sure why CF keeps finding the TDL4, as all other indications are that the MBR is clean.

Could you delete your current copy of ComboFix, then download and run a fresh one to see if it still reports it?


ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #36 on: July 29, 2011, 02:15:13 AM »
Thank you, essexboy. I will download another ComboFix to check. But how do you read that 2nd run log? aswMBR also found "non-standard or infected MBR".

Offline essexboy

Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #37 on: July 29, 2011, 07:06:49 PM »
I actually took it from the MBR text "dell.comCannot restore"; this means you have a non-standard Dell MBR, so it will be reported as unknown.

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #38 on: July 29, 2011, 08:09:22 PM »
What does that Dell thing mean?

Here is the 1st part of ComboFix log. The difference I have this time is that ComboFix runs in normal mode. It used to require safe mode.

ComboFix 11-07-29.01 - Tim 07/29/2011  12:48:24.7.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.525 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-28 to 2011-07-29  )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:03 . 2011-07-02 16:03   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-29 13:36 . 2011-06-18 03:14   21064   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 17:53 . 2011-06-02 17:53   94208   ----a-w-   c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2005-08-16 10:18   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-05-29 14:11 . 2011-06-04 04:19   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-06-04 04:19   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2001-12-03 23:09 . 2011-01-04 22:17   90112   ----a-w-   c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-06-22_19.36.13   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-14 07:08 . 2011-04-26 11:07   33280              c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2010-12-09 14:30   33280              c:\windows\system32\dllcache\csrsrv.dll
+ 2005-08-16 10:18 . 2011-04-26 11:07   33280              c:\windows\system32\csrsrv.dll
- 2005-08-16 10:18 . 2010-12-09 14:30   33280              c:\windows\system32\csrsrv.dll
+ 2006-01-10 05:50 . 2011-07-23 19:03   6162              c:\windows\system32\KGyGaAvL.sys
- 2006-01-10 05:50 . 2011-06-17 02:59   6162              c:\windows\system32\KGyGaAvL.sys
+ 2005-08-16 10:18 . 2011-04-26 11:07   293376              c:\windows\system32\winsrv.dll
- 2005-08-16 10:18 . 2010-06-18 17:45   293376              c:\windows\system32\winsrv.dll
+ 2005-08-16 10:18 . 2011-04-29 17:25   151552              c:\windows\system32\schannel.dll
+ 2011-07-02 16:03 . 2011-07-02 16:03   243360              c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe
- 2005-08-16 10:27 . 2011-04-13 18:19   337848              c:\windows\system32\FNTCACHE.DAT
+ 2005-08-16 10:27 . 2011-07-13 14:40   337848              c:\windows\system32\FNTCACHE.DAT
+ 2010-06-18 17:45 . 2011-04-26 11:07   293376              c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2010-06-18 17:45   293376              c:\windows\system32\dllcache\winsrv.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25   151552              c:\windows\system32\dllcache\schannel.dll
+ 2010-01-27 01:07 . 2011-07-02 16:03   6271648              c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-16 13:17 . 2011-06-02 14:02   1858944              c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 19:36 . 2011-07-13 14:21   49089992              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #39 on: July 29, 2011, 08:10:11 PM »
Here is the second part of log.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-07-15 6619456]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-08-18 340520]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
2006-05-02 22:48   14848   ----a-w-   c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=2 (0x2)
"a2free"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S3 cpuz134;cpuz134;\??\c:\docume~1\Tim\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Tim\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]
S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]
S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
Trusted Zone: construction.com
Trusted Zone: constructionvaults.com
Trusted Zone: isqft.com\www
Trusted Zone: lrplot.com
DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-InstallShield_{64A77F14-0E08-4A97-A859-E93CFF428756} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{CC0E9D50-FA41-4514-B986-A9B2167B1F2D} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1604)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-07-29  13:01:53
ComboFix-quarantined-files.txt  2011-07-29 18:01
.
Pre-Run: 7,011,217,408 bytes free
Post-Run: 7,065,014,272 bytes free
.
- - End Of File - - 11EA58D2C99CF5B3A574CBF2E65D9E5F

Offline essexboy

Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #40 on: July 29, 2011, 09:10:45 PM »
Do you have a Dell computer?

ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #41 on: July 30, 2011, 07:15:25 PM »
Yes.

Offline essexboy

Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #42 on: July 30, 2011, 07:19:19 PM »
That part enables the Dell recovery partition; alter the MBR and you will not be able to easily access it.


ss10000

  • Guest
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #43 on: July 31, 2011, 03:06:51 AM »
When you say "that part", what are you referring to?

Thanks.

ss10000

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: TDL 4. Is it there or a misread by ComboFix?
« Reply #44 on: July 31, 2011, 03:56:30 AM »
I believe essexboy is referring to the unknown MBR in the MBRCheck log (Reply #33 and #34 above):
\\.\PhysicalDrive0   Unknown MBR code

Since the Dell needs to be able to access its recovery partition/recovery console, the actual MBR is a custom MBR (e.g. "unknown") rather than being recognised as a default Windows XP MBR code.