
Thread: Another Click.Giftload reappearing, MBR infected?

  1. #1
    Junior Member
    Join Date
    Apr 2011
    Posts
    24

    Another Click.Giftload reappearing, MBR infected?

    Well, I got a drive-by while searching for Bluetooth drivers and, long story short, I suspect that I now have the TDSS rootkit on this computer's HD. As such, Windows is no longer permitted to connect to the network (without me monitoring traffic), and I have a SLAX CD going right now.

    I have tried removing this, however, to no avail. I have done:
    * MBAM scanning
    * SpyBot scanning (finds Click.Giftload)
    * ClamWin scanning
    * ClamAV scanning
    * Putting the HD into another XP box, and running Norton AV on it (found a few infected JARs in the Java cache for...LocalService?!)
    * Combofix (no script file supplied) (MS Recovery console installed)
    * GMER scanning (no red text)
    * Rootkit Buster
    * SpyDLL Remover
    * Tarballing the SYS32/Drivers dir, extracting on a clean PC, diffing the directories, and uploading any non-identical files from this box to VirusTotal, which only got false positives
    * OTL
    * HiJack This
    * TDSSKiller

    For ComboFix, OTL, HJT, TDSSKiller, and GMER, I used random file names.
    TDSSKiller crashes at 80% of loading, which is why I suspect a MBR infection, from another thread here having the same problem.
    If Windows runs for long enough, I get messages about some DLLs that are loaded not being valid Microsoft images (I am therefore running SLAX for the time being).

    Additionally, I have the CrashOnCtrlScroll regkey in the registry, so, if need be, I can stop the kernel (and I have the system set up to do a full memory dump, just in case :) )

    *End of manual message, log following*

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Chris at 16:59:35.91 on Fri 04/29/2011
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.60 [GMT -8:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ClamWin\bin\ClamTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\trashVir\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uInternet Settings,ProxyServer = 127.0.0.1:80
    uInternet Settings,ProxyOverride = <local>
    BHO: AutorunsDisabled - No File
    BHO: JQSIEStartDetectorImpl - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz0.dll
    uRun: [Alcohol.bin Autorun] c:\program files\alcohol soft\alcohol 120\Alcohol.bin /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
    mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
    StartupFolder: c:\documents and settings\chris\start menu\programs\startup\HousecallLauncher.exe
    StartupFolder: c:\docume~1\chris\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301092235348
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: {0D4A2D8C-656A-4DD5-952D-B00B7108E1DE} = 209.18.47.61,8.8.8.8,76.85.229.110
    TCP: {9F1F2845-F134-4581-9544-EDF6B8FCE59D} = 8.8.8.8
    TCP: {F3AFB128-E668-4305-8A2D-4EF371CB4C14} = 209.18.47.61,209.18.47.62,8.8.8.8
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\9az0l1dr.default\
    FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\9az0l1dr.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
    R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\chris\virtualcd\VCdRom.sys [2001-12-19 8576]
    R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2002-8-8 11330]
    R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2003-6-8 21922]
    S2 AsUsbDrvXP;AsUsbDrvXP;c:\windows\system32\drivers\asusbdrvxp.sys --> c:\windows\system32\drivers\AsUsbDrvXP.sys [?]
    S3 BTCOM;Bluetooth Serial port driver;c:\windows\system32\drivers\btcomport.sys --> c:\windows\system32\drivers\btcomport.sys [?]
    S3 BTCOMBUS;Bluetooth Serial Port Bus Service;c:\windows\system32\drivers\btcombus.sys --> c:\windows\system32\drivers\btcombus.sys [?]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
    S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2010-9-1 29184]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2010-11-14 272128]
    S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2010-8-28 176640]
    S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
    .
    =============== Created Last 30 ================
    .
    2011-04-29 16:34:04 -------- d-----w- C:\trashVir
    2011-04-19 04:17:26 -------- d-----w- c:\program files\Windows Imaging
    2011-04-19 04:05:45 -------- d-----w- c:\program files\Windows AIK
    2011-04-19 03:19:14 -------- d-----w- C:\SpybotBootCD
    2011-04-19 01:44:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-04-19 01:44:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-04-19 01:27:49 -------- d-----w- c:\docume~1\chris\applic~1\Safer Networking
    2011-04-19 01:24:36 -------- d-----w- c:\program files\Safer Networking
    2011-04-19 00:02:56 -------- d-----w- c:\docume~1\chris\applic~1\Abine
    2011-04-18 22:50:45 -------- d-sha-r- C:\cmdcons
    2011-04-18 20:41:14 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
    2011-04-18 20:41:14 106557 ----a-w- c:\windows\system32\btw_ci.dll
    2011-04-18 20:41:13 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
    2011-04-18 20:41:13 156816 ----a-w- c:\windows\system32\drivers\btwdndis.sys
    2011-04-18 20:41:12 991136 ----a-w- c:\windows\system32\drivers\btkrnl.sys
    2011-04-18 20:41:12 37160 ----a-w- c:\windows\system32\drivers\btport.sys
    2011-04-18 20:41:11 534312 ----a-w- c:\windows\system32\drivers\btaudio.sys
    2011-04-18 20:40:26 -------- d-----w- c:\program files\WIDCOMM
    2011-04-18 19:54:27 98816 ----a-w- c:\windows\sed.exe
    2011-04-18 19:54:27 89088 ----a-w- c:\windows\MBR.exe
    2011-04-18 19:54:27 256512 ----a-w- c:\windows\PEV.exe
    2011-04-18 19:54:27 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-18 19:34:42 -------- d-----w- C:\found.000
    2011-04-17 21:33:48 91176 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
    2011-04-17 07:55:06 -------- d-----w- c:\program files\IVT Corporation
    2011-04-17 06:53:24 86016 ----a-w- c:\windows\unvise32.exe
    2011-04-17 06:51:44 -------- d-----w- c:\program files\Parallel Port Joystick
    2011-04-17 06:25:32 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
    2011-04-17 06:25:30 -------- d-----w- c:\program files\Nokia
    2011-04-17 06:25:17 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
    2011-04-17 06:24:28 -------- d-----w- c:\program files\PC Connectivity Solution
    2011-04-17 05:47:50 -------- d-----w- c:\documents and settings\chris\Bluetooth Software
    2011-04-17 05:44:53 237568 ----a-w- c:\windows\system32\BtwRSupport.dll
    2011-04-17 05:03:16 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2011-04-17 05:03:16 21504 ----a-w- c:\windows\system32\hidserv.dll
    2011-04-17 02:04:28 291600 ----a-w- c:\windows\system\WININET.DLL
    2011-04-17 02:04:27 -------- d-----w- C:\SIERRA
    2011-04-17 01:25:13 -------- d-----w- c:\docume~1\chris\applic~1\Windows Search
    2011-04-09 20:08:57 -------- d-----w- c:\documents and settings\chris\.dia
    2011-04-09 20:08:22 -------- d-----w- c:\program files\Dia
    .
    ==================== Find3M ====================
    .
    2011-03-26 04:23:01 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-03-26 04:23:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-03-26 04:22:47 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-02-03 05:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-03 03:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HDT722516DLAT80 rev.V43OA96A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x832564F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8325c7d0]; MOV EAX, [0x8325c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x83214AB8]
    3 CLASSPNP[0xF7547FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000090[0x832CDF18]
    5 ACPI[0xF7249620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8330EB58]
    \Driver\atapi[0x832FAC80] -> IRP_MJ_CREATE -> 0x832564F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SI, 0x7c00; MOV DI, 0x7a00; MOV SS, AX; MOV SP, DI; MOV DS, AX; MOV ES, AX; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x7a1b; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8325633B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 17:02:27.67 ===============

  2. #2
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi Cricket_Lover,

    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    We will first try to determine if this is an MBR infection. To do so, we will need to boot the machine with a tool that is similar to the SLAX CD: OTLPE. For this procedure you will need a machine with a CD burner (this could be the infected machine) and a USB stick.

    Please do the following:


    Download OTLPEStd.exe to the desktop of the machine with the CD burner
    Download Attachment 7548 and copy it to your USB memory.
    Download aswMBR and copy it to your USB memory.

    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
      Note : If you do not know how to set your computer to boot from CD follow the steps here
    • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
    • Your system should now display a Reatogo desktop.
      Note : as you are running from CD it is not exactly speedy
    • Double-click on the OTLPE icon.
    • Select the Windows folder of the infected drive if it asks for a location
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Drag and drop this Scan.txt from USB memory into the Custom scans and fixes box
    • Press Run Scan to start the scan.
    • When finished, two files will be created: C:\OTL.txt and C:\Physical0MBR.bin
    • IMPORTANT: Please rename Physical0MBR.bin to Physical0MBR.txt and attach it to your next reply
    • You can post the contents of C:\OTL.txt in your reply, don't attach it.
    • Remove the OTLPE CD from your drive and start Windows normally
    • Drag aswMBR.exe from your USB memory to your desktop and double-click to run it.
      Vista and Windows 7 users right click the icon and choose "Run as administrator".
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.



    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
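As an added example (not from this thread, and not part of OTLPE, aswMBR or any other tool named here), this is the kind of first-pass inspection a helper would run over a raw 512-byte dump like the Physical0MBR.bin produced by the steps above: signature, partition table, and a bootstrap-code hash compared against a copy from a clean machine, the same compare-against-a-clean-box idea the original poster applied to the drivers directory. The two sample sectors are constructed inline; the known-good hash would normally come from a clean install of the same Windows version.

```python
"""Inspect a raw 512-byte MBR dump (e.g. Physical0MBR.bin) for a helper's first pass.

Checks: 0x55AA boot signature, the four 16-byte partition entries, exactly one
active partition, and the SHA-256 of the 440-byte bootstrap code area against a
known-good hash taken from a clean machine. Added example; sample data is constructed.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOTSTRAP_LEN = 440            # bytes 0..439 hold boot code; 440..445 disk signature/pad
PART_TABLE_OFF = 446           # four 16-byte entries follow, then 0x55AA at 510
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(mbr: bytes):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only, so the disk signature/partition table do not affect it."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_bootstrap_hash: str = ""):
    """Return parsed partitions, the bootstrap hash and a list of human-readable findings."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected length {len(mbr)}, want {MBR_SIZE}")
    if mbr[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or size")
    if known_good_bootstrap_hash and bootstrap_hash(mbr) != known_good_bootstrap_hash:
        findings.append("bootstrap code differs from the known-good copy")
    return {"partitions": parts, "bootstrap_sha256": bootstrap_hash(mbr), "findings": findings}


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: one active NTFS (type 0x07) partition starting at LBA 63."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(bootstrap)] = bootstrap
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312576642)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed: CLEAN starts with the usual "XOR AX,AX; MOV SS,AX; MOV SP,0x7C00" prologue,
# MODIFIED has a different bootstrap so the hash comparison fires.
CLEAN = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
MODIFIED = build_sample_mbr(b"\xeb\x58\x90" + b"\x00" * 20)

if __name__ == "__main__":
    # Usage: python mbr_check.py Physical0MBR.bin  (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MODIFIED
    print(check_mbr(data, bootstrap_hash(CLEAN)))
```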

  3. #3
    Junior Member
    Join Date
    Apr 2011
    Posts
    24


    Thing is not booting, has been stuck at a black screen for 50min now...

    Keyboard seems locked up, resolution is at 720x400, 70Hz...any Linux-based procedure available?

    Additional (interesting?) details you might want to know:
    * Computer is NOT a Dell
    * There is NO recovery partition
    * Apparently, to sync a WiiMote w/ a WIDCOMMv5 Bluetooth stack, you have to press Alt+S at the passcode screen to skip it. (Would have been nice to know this BEFORE I got the infection!)

    In the house, I have available a clean WinXP-Professional box (I am at right now), and a VectorLinux 6.0 box down in my room (only Dell in the house, and only computer without a burner). The infected computer is WinXP-Home (latest service pack).

    Additionally, when this is all over, could you tell me the registry key which disables prompting to activate Automatic Updates? I do updating manually, as I know of a couple XP boxes that have become infected because of fake updates sent to it through Automatic Update.

  4. #4
    Junior Member
    Join Date
    Apr 2011
    Posts
    24


    I am sorry, but in the interest of progress, I have proceeded with logical steps, which I have listed below in the exact order I did them, aligned by process:
    * Power button held, doesn't look like the CD even loaded an OS
    * Booted up the MS Recovery Console
    ** Executed "FIXMBR"
    *** Warned that the MBR structure was unrecognized, asked to continue
    *** Typed "y"
    ** EXIT
    * Booted up SLAX (note: never typed a semicolon)
    ** # cd /mnt/hda1
    ** # find | grep -i "/t[dl][dl]" | less -S
    *** Command returned three files; tdlen.nb is from Mathematica; two files called tlds.gif and tlds.js were in the FF "/extensions/optout@dubfire.net" directory tree
    ** # startx
    *** In Firefox, I downloaded TDSSKiller to the "Start Menu/Startup" directory
    ** # init 6
    * Booted Windows
    ** Logged in
    *** TDSSKiller starts initialisation
    *** Spybot House-something-or-other starts, I close it
    *** TDSSKiller finishes initialisation
    **** I run a scan
    * Shutdown

    The scan from TDSSKiller only returned one (locked) file "sptd.sys", attached in archive. It did not find an infection.

  5. #5
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    I have re-uploaded sptd.sys to VirusTotal and it's clean.


    Can you try to copy aswMBR.exe on the infected machine and run it with the instructions above?

  6. #6
    Junior Member
    Join Date
    Apr 2011
    Posts
    24


    I have run the scan that you requested, as well as running a number of other scans (the OS was behaving nicely at the time), but I did NOT save the scanner to the desktop; it went into the startup dir.

    Attached are all of the results:

    DDS.txt - Standard forum scan
    Attach.txt - Standard forum scan
    MBR.dat - File created from your scan. Notice that I had yesterday rewritten the MBR
    aswMBR.txt - Log of your scan. See above note
    TDSSKiller.txt - TDSSKiller scan results for today, filename reduced
    hijackthis.log - Hijack This log (ping.exe)
    OTL.Txt - OTL Viewer scan, all users (DinoScan.exe) (It's OLDtimer, right?)

    Not attached:
    Extras.txt - Never was created, only Extras.txt in the directory was last modified last year


    And I do NOT want to use my FD in the computer while running XPHome right now; FD sees numerous computers on a daily basis (including Win7, but 64-bit), and the Autorun cancellation that I have to do when it gets infected from a subset of computers at my school (from a virus I nicknamed after one of the teachers, from the first infection I found) is annoying to say the least. But SLAX gives me access to all non-encrypted files on the NTFS, as well as Firefox and NT Offline Password Changer and Registry Editor, so it's better than a FD in this case.

    NOTE: I think you guys should write out a procedure for handling the TDL3 and sticky it to aid in all the infections that are being made by it.

  7. #7
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi Cricket_Lover,


    Please delete your current version of Combofix, and do the following:


    Visit the following and have a look how you can disable your security software.

    How to disable your security programs

    After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix

  8. #8
    Junior Member
    Join Date
    Apr 2011
    Posts
    24


    Here is the output

  9. #9
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Good morning,

    Do you recognize the following IP addresses?

    209.18.47.61
    76.85.229.110
    209.18.47.62

  10. #10
    Junior Member
    Join Date
    Apr 2011
    Posts
    24


    209.18.47.61
    209.18.47.62
    ^^^ Current DNS server addresses assigned by RoadRunner

    76.85.229.110
    ^^^ Old DNS server address (from the older version of my internet connection)

    Both DNS servers are known safe.
