TDSS Rootkit


TDSS Rootkit

Post by DJ Englewood on Sun 25 Jul 2010, 2:19 pm

I have TDSS Rootkit.

What do I do? Here is the Cheetah report:


Cheetah-Anti-Rogue v1.5.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 07/24/2010 - Time: 22:08:33 - Arch.: x86


-- Malware removal tools check --
CCleaner
Malwarebytes' Anti-Malware


-- Known infection --

Warning: detected presence of TDSS Rootkit!


Extra message: Detection only.


EOF

DJ Englewood
Rookie Surfer
Posts : 128
Joined : 2010-02-09
Operating System : xp

Re: TDSS Rootkit

Post by Sneakyone on Sun 25 Jul 2010, 2:37 pm

Hi, welcome to GeekPolice.net!

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
View user profile http://twitter.com/AVerySneakyone

Re: TDSS Rootkit

Post by DJ Englewood on Sun 25 Jul 2010, 3:39 pm

Okay.


Re: TDSS Rootkit

Post by DJ Englewood on Sun 25 Jul 2010, 6:59 pm



Re: TDSS Rootkit

Post by DJ Englewood on Sun 25 Jul 2010, 7:14 pm



I installed it, then I restarted the computer. I got this message and it was gone.


Re: TDSS Rootkit

Post by Sneakyone on Mon 26 Jul 2010, 3:19 am

Hi,

Are you saving it to the desktop and renaming it to commy.exe?



Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 3:29 am

Sneakyone wrote: Hi,

Are you saving it to the desktop and renaming it to commy.exe?


Yes, and I had to restart my computer. When I did, it was gone, and when I tried to reinstall it I got the message I posted above.



Re: TDSS Rootkit

Post by Sneakyone on Mon 26 Jul 2010, 3:34 am

Hi,

To disable CD Emulation programs using DeFogger please perform these steps:
  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.


=========

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.



Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 3:37 am

OK, starting now.


Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 3:54 am

I have avast and I don't know how to disable it.


Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 5:10 am

Hey, during gmer.exe my computer restarted.


Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 5:39 am

It keeps restarting my computer. What can this mean?


Re: TDSS Rootkit

Post by Sneakyone on Mon 26 Jul 2010, 5:47 am

Hi,

Could you please go into safe mode with networking: restart your computer and keep tapping F8 until it asks you which mode you want to choose, then choose safe mode with networking and download and run ComboFix.



Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 8:30 am

ComboFix 10-07-24.03 - Joe 07/25/2010 14:46:32.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.765 [GMT -5:00]
Running from: c:\documents and settings\Joe\My Documents\commy.exe
AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joe\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Joe\Application Data\Google\T-Scan
c:\documents and settings\Joe\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Joe\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Joe\Application Data\Google\T-Scan\y.gif
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{3998DB3E-0DAF-4255-A3CE-433E07453DCB}\setup.msi
c:\program files\screensavers.com
c:\program files\screensavers.com\Wallpaper\Lowrider Euro - Topless.jpg
c:\windows\java.exe
c:\windows\MailSwitch.ocx
c:\windows\patch.exe
c:\windows\tempf.txt

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-22 01:33 . 2010-07-22 03:47 -------- d-----w- c:\documents and settings\Joe\Application Data\FixCleaner
2010-07-18 20:49 . 2010-07-18 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-12 22:43 . 2010-07-12 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 19:44 . 2010-07-09 22:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-22 01:35 . 2010-07-22 01:23 -------- d-----w- c:\program files\FixCleaner
2010-07-18 20:49 . 2010-07-18 20:49 -------- d-----w- c:\program files\Alwil Software
2010-07-16 06:28 . 2006-05-13 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-14 16:08 . 2006-05-13 19:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 23:43 . 2010-02-08 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-12 18:31 . 2010-07-12 18:31 -------- d-----w- c:\program files\ThreatFire
2010-07-12 18:31 . 2010-02-09 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-28 20:57 . 2010-07-18 20:52 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-07-18 20:52 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:39 . 2010-07-18 21:02 99280 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-06-28 20:39 . 2010-07-18 21:02 312912 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-06-28 20:38 . 2010-07-18 20:59 188168 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-06-28 20:37 . 2010-07-18 20:59 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-07-18 21:02 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-07-18 20:59 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-07-18 20:59 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-07-18 20:59 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-07-18 21:02 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-07-18 20:59 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-28 20:10 . 2010-07-18 20:53 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2010-06-25 21:45 . 2008-05-30 03:31 256 ----a-w- c:\windows\system32\pool.bin
2010-06-25 21:45 . 2003-03-06 05:40 36648 -c--a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 21:45 . 2008-04-23 02:02 -------- d-----w- c:\documents and settings\Joe\Application Data\Research In Motion
2010-06-24 02:14 . 2010-06-24 02:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-06-24 02:14 . 2010-06-24 02:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-06-24 02:10 . 2010-06-24 02:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-06-24 01:43 . 2010-06-24 01:35 -------- d-----w- c:\program files\Zune
2010-06-24 01:40 . 2010-06-24 01:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-06-24 01:40 . 2010-06-24 01:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-09 18:36 . 2010-06-09 18:36 -------- d-----w- c:\documents and settings\Joe\Application Data\InstallShield
2010-06-09 18:34 . 2008-05-30 03:07 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-09 18:28 . 2010-06-09 18:23 -------- d-----w- c:\program files\Roxio
2010-06-09 18:24 . 2008-05-30 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-06-09 18:23 . 2010-06-09 18:23 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-09 17:53 . 2009-11-12 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-06-09 17:53 . 2008-05-30 02:51 -------- d-----w- c:\program files\Research In Motion
2010-06-09 17:39 . 2008-04-23 02:01 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-05-04 17:20 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2001-08-18 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2003-01-03 14:10 . 2003-01-03 14:10 23357 -c-ha-w- c:\program files\folder.htt
2001-08-18 12:00 . 2001-08-18 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2001-08-18 12:00 50688 --sh--w- c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-06-28 20:59 153184 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-06-09 47002968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"QveCtl2Tray"="c:\program files\Philips\PSA2\skin\QveCplSk.EXE" [2002-08-17 901120]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EPSON Stylus Photo R200 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EPSON Stylus Photo R200 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-5 108544]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force 2\\Update.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 PortlUSB;PortlUSB; [x]
R3 zsi_fmw;Stiletto Firmware Recovery;c:\windows\system32\Drivers\zsi_fmw.sys [2007-07-16 34176]
R3 zsi_zap;Stiletto ZAP Recovery Driver;c:\windows\system32\Drivers\zsi_zap.sys [2007-07-16 16896]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-06-28 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-01-14 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-01-14 59664]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [2010-06-28 119200]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
S3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [2002-08-27 365460]
S3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;c:\windows\system32\DRIVERS\QsndEnum.sys [2002-07-18 9600]
S3 QSoftAud;Philips Sound Agent 2 (WDM);c:\windows\system32\drivers\QSoftAud.sys [2002-08-21 562560]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-01-14 33552]

.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-07-25 c:\windows\Tasks\FixCleaner Scan.job
- c:\program files\FixCleaner\FixCleaner.exe [2010-06-09 12:10]

2010-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-06 18:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-06 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = wmplayer.exe
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\0yr0b6od.default\
FF - component: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\0yr0b6od.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\0yr0b6od.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{b23fc8df-1197-495f-b4e7-b6922bbe66bd} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
SafeBoot-mferkdk
SafeBoot-mferkdk.sys
SafeBoot-Wdf01000.sys
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-25 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1767777339-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'lsass.exe'(1064)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TfWah.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\pctspk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\System32\wbem\unsecapp.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\ThreatFire\TFService.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2010-07-25 16:17:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 21:15

Pre-Run: 3,589,636,096 bytes free
Post-Run: 2,939,857,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - FF2A1EB76B477D9B8DCED271FE24D722

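An added example, not part of this thread and not ComboFix's own code: a small Python triage script that pulls the action items out of a ComboFix log like the one posted above (the MBR warning, the removed TDSS service entries, the Other Deletions list, AV products whose on-access scanning is reported disabled, and Security Center monitoring switched off through a DisableMonitoring value). The sample input is a constructed excerpt of the posted log; the section banners and line formats are the ones visible in it, and nothing else about ComboFix's log format is assumed.

```python
"""Triage helper for a ComboFix log: pull out the lines a reviewer acts on.

Added example, not ComboFix's code. SAMPLE_LOG is a constructed excerpt of
the log posted in this thread; the regexes only rely on formats visible there.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the posted ComboFix log (abridged, same line formats).
SAMPLE_LOG = r"""
ComboFix 10-07-24.03 - Joe 07/25/2010 14:46:32.1.1 - x86 NETWORK
AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\java.exe
c:\windows\patch.exe
.
MBR is infected with the Whistler Bootkit !!
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-06-09 47002968]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # ((( Section name )))
REGKEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                 # [HKEY_...\path]
REGVAL_RE = re.compile(r'^"([^"]+)"=(.*)$')                 # "Name"=value
AV_RE = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*")            # AV: product *state*
REMOVED_SVC_RE = re.compile(r"^-+\\(?:Legacy_|Service_)(.+)$")  # -------\Legacy_name


@dataclass
class Triage:
    mbr_warnings: list = field(default_factory=list)
    removed_services: list = field(default_factory=list)
    deletions: list = field(default_factory=list)
    disabled_monitoring: list = field(default_factory=list)
    protection_off: list = field(default_factory=list)


def triage_combofix(text: str) -> Triage:
    """Walk the log section by section and collect the notable findings."""
    t = Triage()
    section = "header"
    current_key = ""
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), ""
            continue
        if "MBR is infected" in line:        # printed outside any section banner
            t.mbr_warnings.append(line)
            continue
        if section == "header":
            m = AV_RE.match(line)
            if m and "disabled" in m.group(3).lower():
                t.protection_off.append(m.group(2))
        elif section == "Other Deletions":
            t.deletions.append(line)
        elif section == "Drivers/Services":
            m = REMOVED_SVC_RE.match(line)
            if m:
                t.removed_services.append(m.group(1))
        elif section == "Reg Loading Points":
            m = REGKEY_RE.match(line)
            if m:
                current_key = m.group(1)
                continue
            m = REGVAL_RE.match(line)
            # DisableMonitoring=1 under Security Center\Monitoring\<product> tells
            # Windows Security Center to stop watching that product's state.
            if (m and m.group(1) == "DisableMonitoring" and m.group(2) == "dword:00000001"
                    and "security center\\monitoring\\" in current_key.lower()):
                t.disabled_monitoring.append(current_key.rsplit("\\", 1)[-1])
    return t


def tdss_services(t: Triage) -> list:
    """Removed service/driver entries whose name points at the TDSS family."""
    return [s for s in t.removed_services if "tdss" in s.lower()]


if __name__ == "__main__":
    result = triage_combofix(SAMPLE_LOG)
    print("MBR warnings:        ", result.mbr_warnings)
    print("TDSS services:       ", tdss_services(result))
    print("Deleted files:       ", result.deletions)
    print("Monitoring disabled: ", result.disabled_monitoring)
    print("Protection off:      ", result.protection_off)
```

Feed it the full log text instead of SAMPLE_LOG and the same five lists come back; the MBR warning and the two TDSS service removals are the findings that drive the next steps in this thread.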

Re: TDSS Rootkit

Post by Sneakyone on Mon 26 Jul 2010, 9:48 am

Hi,

Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.



Re: TDSS Rootkit

Post by DJ Englewood on Mon 26 Jul 2010, 12:11 pm

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
149 GB \\.\PhysicalDrive1 Error reading raw MBR!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

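An added example, not MBRCheck's code and not from this thread, showing what a verdict like "Known-bad MBR code detected" amounts to: take the 512-byte sector, confirm the 0x55AA boot signature, decode the four partition entries, and compare a hash of the bootstrap code (bytes 0-439) against an allowlist of standard boot code. The MBR and the allowlist below are built in memory from a placeholder boot stub (constructed, not real Windows boot code) and nothing touches a disk; the point it demonstrates is that a modified boot sector keeps the partition table intact while the code hash no longer matches.

```python
"""Constructed demonstration of an MBR check: boot signature, partition table,
and a hash comparison of the bootstrap code against an allowlist.
Added example; not MBRCheck's code. Nothing here reads or writes a disk."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_END = 440       # bytes 0..439 hold the bootstrap code
PT_OFFSET = 446          # four 16-byte partition entries start here
SIG_OFFSET = 510         # boot signature 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Placeholder boot stub standing in for "standard" boot code (constructed, not real).
STANDARD_BOOTCODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 120
# Allowlist of SHA-256 hashes of known-good bootstrap code, zero-padded to 440 bytes.
KNOWN_GOOD = {hashlib.sha256(STANDARD_BOOTCODE.ljust(BOOTCODE_END, b"\0")).hexdigest()}


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a constructed 512-byte MBR from boot code and (bootable, type, lba, count) tuples."""
    if len(bootcode) > BOOTCODE_END or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        off = PT_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                                        b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Decode the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr: bytes, known_good: set) -> dict:
    """Report signature validity, partition layout, and whether the boot code is allowlisted."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    digest = hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()
    return {
        "valid_signature": mbr[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA",
        "partitions": parse_partitions(mbr),
        "bootcode_sha256": digest,
        "status": "standard" if digest in known_good else "non-standard",
    }


def tamper_bootcode(mbr: bytes, offset: int, patch: bytes) -> bytes:
    """Return a copy with part of the boot code overwritten (an in-memory stand-in for a modified sector)."""
    if offset + len(patch) > BOOTCODE_END:
        raise ValueError("patch must stay inside the boot code area")
    out = bytearray(mbr)
    out[offset:offset + len(patch)] = patch
    return bytes(out)


if __name__ == "__main__":
    clean = build_mbr(STANDARD_BOOTCODE, [(True, 0x07, 63, 1_000_000)])  # one NTFS partition
    modified = tamper_bootcode(clean, 0, b"\xEB\x10")                      # first bytes changed
    for name, sector in (("clean", clean), ("modified", modified)):
        r = check_mbr(sector, KNOWN_GOOD)
        print(f"{name}: signature ok={r['valid_signature']} status={r['status']} "
              f"partitions={len(r['partitions'])}")
```

The "Error reading raw MBR!" line for the second drive in the report above is the other outcome such a check has to handle: when the sector cannot be read at all, there is nothing to hash, so a tool should report that separately from "standard" and "non-standard" rather than treating it as clean.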

Re: TDSS Rootkit

Post by Sneakyone on Mon 26 Jul 2010, 4:14 pm

Hi,

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, please do this:

    Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    remover.exe fix \\.\PhysicalDrive1
    EXIT
    Save this as fix.bat. Choose "Save as type - All Files".
    It should look like this:
    Double click on fix.bat & allow it to run.

  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL C
  • Open a Notepad and press CTRL V
  • Post the output back here.



Re: TDSS Rootkit

Post by DJ Englewood on Tue 27 Jul 2010, 3:56 am

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:



Where do I find this?

After I extracted remover.exe there are 4 things there and none say NOTEPAD.exe.





Re: TDSS Rootkit

Post by Sneakyone on Tue 27 Jul 2010, 6:33 am

Hi.

Notepad.exe as in Windows, not Bootkit Remover; just go to Run and type Notepad and hit Enter, then Notepad will open.



Re: TDSS Rootkit

Post by DJ Englewood on Tue 27 Jul 2010, 10:39 am

I got:

windows cannot find remover.exe


Re: TDSS Rootkit

Post by Sneakyone on Tue 27 Jul 2010, 11:03 am

Did you extract Remover.exe to your desktop?



Re: TDSS Rootkit

Post by DJ Englewood on Tue 27 Jul 2010, 11:34 am

Sneakyone wrote: Did you extract Remover.exe to your desktop?

Yes. Was I supposed to save fix.bat to the desktop?


Re: TDSS Rootkit

Post by Sneakyone on Tue 27 Jul 2010, 2:08 pm

Yes.



Re: TDSS Rootkit

Post by DJ Englewood on Wed 28 Jul 2010, 4:22 am

Okay, when I ran it, it restarted the computer.


Re: TDSS Rootkit

Post by Sneakyone on Wed 28 Jul 2010, 6:23 am

Hi.

Could you please run remover.exe, but don't run the batch file, and copy what it says here.


