cyfyr
2011-03-27, 21:30
PROBLEM
DDS.txt shows "possible TDL3 rootkit infection" after investigating Click.Giftload threat
RECENT HISTORY
Recently installed Mozilla Firefox to see how version 4 compared against IE6
Unfortunately did not get the AVG verdict icons working so was not fully protected when browsing
Suspect this may be the cause of the infection
Last Spybot scan NOT showing Click.Giftload
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
Checks.110326-1411.log
26.03.2011 14:11:50 - ##### check started #####
26.03.2011 14:11:50 - ### Version: 1.6.2
26.03.2011 14:11:50 - ### Date: 26/03/2011 14:11:50
26.03.2011 14:11:52 - ##### checking bots #####
26.03.2011 14:25:57 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
26.03.2011 14:25:59 - ##### check finished #####
First spybot scan showing Click.GiftLoad
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
Checks.110327-0428.log
27.03.2011 04:28:13 - ##### check started #####
27.03.2011 04:28:13 - ### Version: 1.6.2
27.03.2011 04:28:13 - ### Date: 27/03/2011 04:28:13
27.03.2011 04:28:15 - ##### checking bots #####
27.03.2011 04:28:57 - found: Click.GiftLoad User settings
27.03.2011 04:41:04 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
27.03.2011 04:41:04 - ##### check finished #####
Right Media Tracking cookie appears on the PC every now and again
I have not noticed it causing any problems and Spybot is able to remove it
Spybot was also able to remove Click.Giftload
However noticed strange IE6 activity this morning ...
Clicking on google search results often directs back to google search
Clicking on google search results sometimes directs to an unexpected web page
Browser occassionally launches a new session onto an unwanted web page (links can be supplied if required)
Firefox does not launch at all
Re-booted PC and ran Spybot scan and found Click.Giftload present again
Used Spybot to remove (and also purge) this threat
Re-ran scan later and no threats detected
Searched for Click.Giftload on your forum (and elsewhere online)
Used Zone Alarm to Stop All Internet Activity between changing web pages (though none actually observed)
Downloaded ERUNT and backed up registry
Ran DDS and found the root kit warning at the bottom the log
Unwanted browser activity continued
Ran Spybot scan and again no threats detected
This suggests that Click.Giftload itself may not be problem - just one of the problems related activities ?
Re-started PC - took several minutes longer to shut down than normal
Re-ran Spybot scan and Click.Giftload again detected
This suggests Click.Giftload is being installed during shut down or IPL - I assume by the root kit ?
Re-started PC again
Ran DDS and created DDS.txt and Attach.txt prior to removing Click.Giftload again
Start of DDS.txt (with name commented to Xxxxxx Xxxxx) --------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Xxxxxx Xxxxx at 16:51:17.60 on 27/03/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2393 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\Xxxxxx Xxxxx\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/HTML/index.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\n7khba69.default\
FF - prefs.js: browser.startup.homepage - c:\\html\\index.htm
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-3-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-3-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-3-16 243024]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-7-27 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-27 394952]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-3-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-3-16 308136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-7-25 2034560]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-6-25 1390976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-6-24 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-26 00:08:14 -------- d-----w- c:\program files\DependencyWalker
2011-03-24 23:53:37 -------- d-----w- c:\docume~1\robert~1\applic~1\GetRightToGo
2011-03-20 23:09:02 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-20 23:09:02 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-20 23:09:02 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-20 23:09:02 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-20 23:09:02 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-20 23:09:02 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-20 20:54:57 98304 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
2011-03-20 20:54:57 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
2011-03-20 20:54:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-20 20:54:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
2011-03-20 20:54:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-20 20:54:57 14121944 ----a-w- c:\program files\mozilla firefox\xul.dll
2011-03-20 20:54:57 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-03-20 08:34:43 -------- d--h--w- C:\$AVG
2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-19 22:39:24 -------- d-----w- c:\program files\System Tracker
2011-03-19 22:06:54 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1.dll
2011-03-19 22:03:33 -------- d-----w- C:\T3
2011-03-19 21:38:20 65593 ----a-w- c:\program files\outlook express\csapi3t1.dll
2011-03-19 21:37:02 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1_net.dll
2011-03-19 21:34:56 -------- d-----w- C:\T2
2011-03-19 19:55:42 6317328 ----a-w- c:\program files\common files\microsoft shared\proof\1036\MSGR3FR.DLL
2011-03-19 19:55:42 1100560 ----a-w- c:\program files\common files\microsoft shared\proof\3082\MSGR3ES.DLL
2011-03-19 19:55:41 854152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3ES.DLL
2011-03-19 19:55:41 633664 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3FR.DLL
2011-03-19 19:55:41 49152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTHES3.DLL
2011-03-19 19:55:41 3152704 ----a-w- c:\program files\common files\microsoft shared\proof\1033\MSGR3EN.DLL
2011-03-19 19:55:40 61512 ----a-w- c:\program files\common files\microsoft shared\proof\MSHYPH2.DLL
2011-03-19 19:55:40 576320 ----a-w- c:\program files\common files\microsoft shared\proof\MSLID.DLL
2011-03-19 19:55:40 551232 ----a-w- c:\program files\common files\microsoft shared\proof\MSSP3FR.DLL
2011-03-19 19:55:39 919696 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3ES.DLL
2011-03-19 19:55:39 408336 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3FR.DLL
2011-03-19 11:49:28 -------- d-----w- C:\T1
2011-03-16 20:13:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-03-16 20:13:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:13:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-03-16 20:13:33 -------- d-----w- c:\windows\system32\drivers\Avg
2011-03-16 19:46:03 -------- d-----w- c:\docume~1\robert~1\applic~1\AVG10
2011-03-16 18:15:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-16 17:48:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-16 17:19:20 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-15 00:00:24 -------- d-----w- c:\docume~1\robert~1\applic~1\TaskCoach
2011-03-15 00:00:15 -------- d-----w- c:\program files\TaskCoach
2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\locals~1\applic~1\Apprise
2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\applic~1\Apprise
2011-03-06 15:36:52 -------- d-----w- c:\program files\Toggl Desktop
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-00UU3A0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T1L0-10
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4b47d0]; MOV EAX, [0x8a4b484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x8A4E59E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4E3940]
\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP3T1L0-10 -> \??\IDE#DiskWDC_WD5000AAKS-00UU3A0__________________01.03B01#5&511fad&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AE27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:52:12.62 ===============
End of DDS.txt ------------------------------------------------------------------
The PC has not been used for ebay or internet banking for a couple of weeks and since the problem has only been around for a day there has been no opportunuity for any account information or passwords to have been captured during use.
However please can you advise whether there is any action I can take to remove the threat.
My objective is to get the PC as clean as possible - even if it requires a full drive reformat and windows re-install.
Having backed up all data last weekend I am in a good position to do this though would prefer not to if there is a better way.
THANKS in anticipation.
DDS.txt shows "possible TDL3 rootkit infection" after investigating Click.Giftload threat
RECENT HISTORY
Recently installed Mozilla Firefox to see how version 4 compared against IE6
Unfortunately did not get the AVG verdict icons working so was not fully protected when browsing
Suspect this may be the cause of the infection
Last Spybot scan NOT showing Click.Giftload
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
Checks.110326-1411.log
26.03.2011 14:11:50 - ##### check started #####
26.03.2011 14:11:50 - ### Version: 1.6.2
26.03.2011 14:11:50 - ### Date: 26/03/2011 14:11:50
26.03.2011 14:11:52 - ##### checking bots #####
26.03.2011 14:25:57 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
26.03.2011 14:25:59 - ##### check finished #####
First spybot scan showing Click.GiftLoad
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
Checks.110327-0428.log
27.03.2011 04:28:13 - ##### check started #####
27.03.2011 04:28:13 - ### Version: 1.6.2
27.03.2011 04:28:13 - ### Date: 27/03/2011 04:28:13
27.03.2011 04:28:15 - ##### checking bots #####
27.03.2011 04:28:57 - found: Click.GiftLoad User settings
27.03.2011 04:41:04 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
27.03.2011 04:41:04 - ##### check finished #####
Right Media Tracking cookie appears on the PC every now and again
I have not noticed it causing any problems and Spybot is able to remove it
Spybot was also able to remove Click.Giftload
However noticed strange IE6 activity this morning ...
Clicking on google search results often directs back to google search
Clicking on google search results sometimes directs to an unexpected web page
Browser occassionally launches a new session onto an unwanted web page (links can be supplied if required)
Firefox does not launch at all
Re-booted PC and ran Spybot scan and found Click.Giftload present again
Used Spybot to remove (and also purge) this threat
Re-ran scan later and no threats detected
Searched for Click.Giftload on your forum (and elsewhere online)
Used Zone Alarm to Stop All Internet Activity between changing web pages (though none actually observed)
Downloaded ERUNT and backed up registry
Ran DDS and found the root kit warning at the bottom the log
Unwanted browser activity continued
Ran Spybot scan and again no threats detected
This suggests that Click.Giftload itself may not be problem - just one of the problems related activities ?
Re-started PC - took several minutes longer to shut down than normal
Re-ran Spybot scan and Click.Giftload again detected
This suggests Click.Giftload is being installed during shut down or IPL - I assume by the root kit ?
Re-started PC again
Ran DDS and created DDS.txt and Attach.txt prior to removing Click.Giftload again
Start of DDS.txt (with name commented to Xxxxxx Xxxxx) --------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Xxxxxx Xxxxx at 16:51:17.60 on 27/03/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2393 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\Xxxxxx Xxxxx\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/HTML/index.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\n7khba69.default\
FF - prefs.js: browser.startup.homepage - c:\\html\\index.htm
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-3-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-3-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-3-16 243024]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-7-27 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-27 394952]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-3-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-3-16 308136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-7-25 2034560]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-6-25 1390976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-6-24 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-26 00:08:14 -------- d-----w- c:\program files\DependencyWalker
2011-03-24 23:53:37 -------- d-----w- c:\docume~1\robert~1\applic~1\GetRightToGo
2011-03-20 23:09:02 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-20 23:09:02 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-20 23:09:02 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-20 23:09:02 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-20 23:09:02 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-20 23:09:02 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-20 20:54:57 98304 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
2011-03-20 20:54:57 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
2011-03-20 20:54:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-20 20:54:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
2011-03-20 20:54:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-20 20:54:57 14121944 ----a-w- c:\program files\mozilla firefox\xul.dll
2011-03-20 20:54:57 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-03-20 08:34:43 -------- d--h--w- C:\$AVG
2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-19 22:39:24 -------- d-----w- c:\program files\System Tracker
2011-03-19 22:06:54 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1.dll
2011-03-19 22:03:33 -------- d-----w- C:\T3
2011-03-19 21:38:20 65593 ----a-w- c:\program files\outlook express\csapi3t1.dll
2011-03-19 21:37:02 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1_net.dll
2011-03-19 21:34:56 -------- d-----w- C:\T2
2011-03-19 19:55:42 6317328 ----a-w- c:\program files\common files\microsoft shared\proof\1036\MSGR3FR.DLL
2011-03-19 19:55:42 1100560 ----a-w- c:\program files\common files\microsoft shared\proof\3082\MSGR3ES.DLL
2011-03-19 19:55:41 854152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3ES.DLL
2011-03-19 19:55:41 633664 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3FR.DLL
2011-03-19 19:55:41 49152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTHES3.DLL
2011-03-19 19:55:41 3152704 ----a-w- c:\program files\common files\microsoft shared\proof\1033\MSGR3EN.DLL
2011-03-19 19:55:40 61512 ----a-w- c:\program files\common files\microsoft shared\proof\MSHYPH2.DLL
2011-03-19 19:55:40 576320 ----a-w- c:\program files\common files\microsoft shared\proof\MSLID.DLL
2011-03-19 19:55:40 551232 ----a-w- c:\program files\common files\microsoft shared\proof\MSSP3FR.DLL
2011-03-19 19:55:39 919696 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3ES.DLL
2011-03-19 19:55:39 408336 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3FR.DLL
2011-03-19 11:49:28 -------- d-----w- C:\T1
2011-03-16 20:13:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-03-16 20:13:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:13:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-03-16 20:13:33 -------- d-----w- c:\windows\system32\drivers\Avg
2011-03-16 19:46:03 -------- d-----w- c:\docume~1\robert~1\applic~1\AVG10
2011-03-16 18:15:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-16 17:48:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-16 17:19:20 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-15 00:00:24 -------- d-----w- c:\docume~1\robert~1\applic~1\TaskCoach
2011-03-15 00:00:15 -------- d-----w- c:\program files\TaskCoach
2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\locals~1\applic~1\Apprise
2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\applic~1\Apprise
2011-03-06 15:36:52 -------- d-----w- c:\program files\Toggl Desktop
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-00UU3A0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T1L0-10
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4b47d0]; MOV EAX, [0x8a4b484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x8A4E59E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4E3940]
\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP3T1L0-10 -> \??\IDE#DiskWDC_WD5000AAKS-00UU3A0__________________01.03B01#5&511fad&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AE27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:52:12.62 ===============
End of DDS.txt ------------------------------------------------------------------
The PC has not been used for ebay or internet banking for a couple of weeks and since the problem has only been around for a day there has been no opportunuity for any account information or passwords to have been captured during use.
However please can you advise whether there is any action I can take to remove the threat.
My objective is to get the PC as clean as possible - even if it requires a full drive reformat and windows re-install.
Having backed up all data last weekend I am in a good position to do this though would prefer not to if there is a better way.
THANKS in anticipation.