TDL 4. Is it there or a misread by ComboFix?
essexboy:

--- Quote ---ëòÃÃwww.dell.comCannot restore
--- End quote ---
OK, you have a Dell MBR, so that is good.

I am not quite sure why CF keeps finding the TDL4, as all other indications are that the MBR is clean.

Could you delete your current copy of ComboFix, then download and run a fresh one to see if it still reports it?

ss10000:
Thank you Essexboy. I will download another ComboFix to check. But how do you read that 2nd run log? AswMBR also found "non-standard or infected MBR".
essexboy:
I actually took it from the MBR text "dell.comCannot restore". This means you have a non-standard Dell MBR, so it will be reported as unknown.
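MBR-checking tools compare the 512-byte boot sector's code area against reference bootloaders, which is why an OEM variant shows up as "non-standard" even when nothing is wrong. The script below is an added example, not code from this thread or from any of the tools named in it: it verifies the 55AA signature, pulls the printable strings out of the code area (where the "www.dell.com" text quoted above lives), decodes the partition table, and separates a sector carrying the Dell marker text from a truly unknown one. The marker strings and the sample sector are constructed from the text quoted in the thread, not taken from a real Dell disk.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
# Marker strings taken from the MBR text quoted in this thread; treating them
# as the Dell OEM signature is an assumption made for this example.
DELL_MARKERS = (b"www.dell.com", b"Cannot restore")


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 462 + 16 * i]
        lba, size = struct.unpack("<II", e[8:16])
        if e[4]:                      # partition type 0 means an unused slot
            parts.append({"bootable": e[0] == 0x80, "type": e[4],
                          "lba": lba, "sectors": size})
    return parts


def classify_mbr(mbr: bytes) -> str:
    """invalid: not a boot sector; dell-oem: expected on a Dell; unknown: needs a look."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        return "invalid"
    code = mbr[:446]                  # bootstrap code area, where the OEM text lives
    if all(m in code for m in DELL_MARKERS):
        return "dell-oem"
    return "unknown"


def build_sample_mbr(code_text: bytes) -> bytes:
    """Constructed sample sector: code_text in the code area, one bootable NTFS partition."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 20_000_000)
    return code_text.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG


if __name__ == "__main__":
    sample = build_sample_mbr(b"\xeb\x3c\x90www.dell.comCannot restore")
    print(classify_mbr(sample), printable_strings(sample), parse_partitions(sample))
```

On a real machine the sector would be read from the raw disk device rather than built in memory; an "unknown" verdict is a prompt to compare the code area against a clean copy, not proof of infection.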
ss10000:
What does that Dell thing mean?

Here is the 1st part of ComboFix log. The difference I have this time is that ComboFix runs in normal mode. It used to require safe mode.

ComboFix 11-07-29.01 - Tim 07/29/2011  12:48:24.7.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.525 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Sygate Personal Firewall *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-28 to 2011-07-29  )))))))))))))))))))))))))))))))
.
.
2011-07-02 16:03 . 2011-07-02 16:03   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-29 13:36 . 2011-06-18 03:14   21064   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2011-06-02 17:53 . 2011-06-02 17:53   94208   ----a-w-   c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2005-08-16 10:18   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-05-29 14:11 . 2011-06-04 04:19   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2011-06-04 04:19   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2001-12-03 23:09 . 2011-01-04 22:17   90112   ----a-w-   c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-06-22_19.36.13   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-14 07:08 . 2011-04-26 11:07   33280              c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2010-12-09 14:30   33280              c:\windows\system32\dllcache\csrsrv.dll
+ 2005-08-16 10:18 . 2011-04-26 11:07   33280              c:\windows\system32\csrsrv.dll
- 2005-08-16 10:18 . 2010-12-09 14:30   33280              c:\windows\system32\csrsrv.dll
+ 2006-01-10 05:50 . 2011-07-23 19:03   6162              c:\windows\system32\KGyGaAvL.sys
- 2006-01-10 05:50 . 2011-06-17 02:59   6162              c:\windows\system32\KGyGaAvL.sys
+ 2005-08-16 10:18 . 2011-04-26 11:07   293376              c:\windows\system32\winsrv.dll
- 2005-08-16 10:18 . 2010-06-18 17:45   293376              c:\windows\system32\winsrv.dll
+ 2005-08-16 10:18 . 2011-04-29 17:25   151552              c:\windows\system32\schannel.dll
+ 2011-07-02 16:03 . 2011-07-02 16:03   243360              c:\windows\system32\Macromed\Flash\FlashUtil10u_Plugin.exe
- 2005-08-16 10:27 . 2011-04-13 18:19   337848              c:\windows\system32\FNTCACHE.DAT
+ 2005-08-16 10:27 . 2011-07-13 14:40   337848              c:\windows\system32\FNTCACHE.DAT
+ 2010-06-18 17:45 . 2011-04-26 11:07   293376              c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2010-06-18 17:45   293376              c:\windows\system32\dllcache\winsrv.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25   151552              c:\windows\system32\dllcache\schannel.dll
+ 2010-01-27 01:07 . 2011-07-02 16:03   6271648              c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-16 13:17 . 2011-06-02 14:02   1858944              c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 19:36 . 2011-07-13 14:21   49089992              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
ss10000:
Here is the second part of log.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Tim\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-07-15 6619456]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2010-08-18 340520]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\pc calm\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=c:\windows\pss\QuickBooks Update Agent.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
2006-05-02 22:48   14848   ----a-w-   c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=2 (0x2)
"a2free"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\spybot sd\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Tim\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 36880]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 8:39 PM 19472]
S3 cpuz134;cpuz134;\??\c:\docume~1\Tim\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Tim\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\EndTask\EndTask Pro\NtProcDrv.sys --> c:\program files\EndTask\EndTask Pro\NtProcDrv.sys [?]
S4 a2free;a-squared Free Service;"c:\a-squared free\a2service.exe" --> c:\a-squared free\a2service.exe [?]
S4 BOCore;BOCore;c:\comodo\CBOClean\BOCORE.exe --> c:\comodo\CBOClean\BOCORE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
Trusted Zone: construction.com
Trusted Zone: constructionvaults.com
Trusted Zone: isqft.com\www
Trusted Zone: lrplot.com
DPF: {AAB58191-AFBE-4366-93FD-1E45F7C97FA0} - hxxp://gootee.constructionvaults.com/PDMSubTheme/FileDownload/FileDownloader2.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\fpr3qg2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://geo.craigslist.org/iso/us/la
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-InstallShield_{64A77F14-0E08-4A97-A859-E93CFF428756} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{CC0E9D50-FA41-4514-B986-A9B2167B1F2D} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4071516949-2795189375-2035086808-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1604)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2011-07-29  13:01:53
ComboFix-quarantined-files.txt  2011-07-29 18:01
.
Pre-Run: 7,011,217,408 bytes free
Post-Run: 7,065,014,272 bytes free
.
- - End Of File - - 11EA58D2C99CF5B3A574CBF2E65D9E5F