
Thread: possible TDL3 rootkit infection

  #1 (Junior Member; Join Date: Dec 2010; Posts: 5)

    possible TDL3 rootkit infection

    Hi, I really need help! I have been really struggling to get rid of a possible trojan or something of that ilk! Since yesterday, when I use Firefox or IE, tabs keep opening by themselves and going to random websites, including eBay or Google or other websites that are really obscure. I have run Malwarebytes' Anti-Malware and it comes up detecting a trojan horse, then deletes it and asks me to reinstall, but it is still there! Can anyone please help me? Thanks!

    DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
    Run by User at 8:07:10.35 on 27/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.597 [GMT 0:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\User\My Documents\Downloads\dds(2).scr

    ============== Pseudo HJT Report ===============

    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [TdlRazor] c:\docume~1\user\locals~1\temp\_zctmp.dir\tdl3 razor\tdlrazor.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [00THotkey] c:\windows\system32\00THotkey.exe
    mRun: [000StTHK] 000StTHK.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [DpUtil] c:\program files\toshiba\dualpointutility\TEDTray.exe
    mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
    mRun: [TFNF5] TFNF5.exe
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [TPSODDCtl] TPSODDCtl.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
    mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
    mRun: [TOSDCR] TOSDCR.EXE
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
    mRun: [TFncKy] TFncKy.exe
    mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
    mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
    mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
    mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [CFSServ.exe] CFSServ.exe -NoClient
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-explorer: RestrictRun = 0 (0x0)
    mPolicies-explorer: RestrictRun = 0 (0x0)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217846430062
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: psfus - psqlpwd.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Notification Packages = scecli psqlpwd

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2vwg638n.default\
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-26 64288]
    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-9-28 35968]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-9-28 5888]
    S2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-9 3229728]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
    S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
    S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\user\locals~1\temp\_zctmp.dir\tdl3 razor\tizerbruteforceex.sys --> c:\docume~1\user\locals~1\temp\_zctmp.dir\tdl3 razor\TizerBruteForceEx.sys [?]
    S2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
    S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
    S2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-9-28 114688]
    S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-9-28 435072]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-9-28 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-12-26 21:39:57 96512 ----a-w- c:\windows\system32\drivers\x001.sys
    2010-12-26 21:31:08 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-12-26 21:30:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-12-26 21:30:08 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-12-26 16:22:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-12-26 15:05:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-12-26 15:05:45 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-12-26 15:01:24 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Sunbelt Software
    2010-12-26 15:00:28 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2010-12-26 14:59:13 -------- d-----w- c:\program files\Lavasoft
    2010-12-26 12:07:30 -------- d-----w- C:\VundoFix Backups
    2010-12-26 11:57:02 -------- d-----w- c:\documents and settings\user\Tracing
    2010-12-26 11:55:11 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
    2010-12-26 11:53:41 -------- d-----w- c:\program files\Microsoft
    2010-12-26 11:53:02 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-12-26 11:42:33 -------- d-----w- c:\program files\common files\Windows Live
    2010-12-26 09:17:26 -------- d-----w- c:\program files\UPHClean
    2010-12-26 09:09:42 -------- d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
    2010-12-26 09:09:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-12-26 09:09:28 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-26 09:06:11 -------- d-----w- c:\program files\SpywareBlaster
    2010-12-26 09:00:23 -------- d-----w- c:\program files\Lunarsoft
    2010-12-26 09:00:23 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Lunarsoft
    2010-12-25 19:22:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-25 19:22:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-12-25 19:03:25 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-25 19:03:24 -------- d-----w- c:\program files\Trend Micro
    2010-12-25 18:56:19 -------- d-----w- c:\program files\CCleaner
    2010-12-25 17:45:50 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2010-12-25 17:45:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-25 17:45:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-25 17:45:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-25 17:45:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-25 14:42:27 -------- d-----w- c:\docume~1\user\locals~1\applic~1\PCHealth
    2010-12-25 13:58:42 -------- d--h--w- C:\$AVG
    2010-12-25 13:12:06 -------- d-----w- c:\docume~1\user\applic~1\AVG10
    2010-12-25 13:11:13 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-12-25 13:08:15 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-25 13:08:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-12-25 13:07:30 -------- d-----w- c:\program files\AVG
    2010-12-25 12:18:46 -------- d-----w- c:\docume~1\user\applic~1\Windows Search
    2010-12-25 11:57:11 -------- d-----w- c:\docume~1\user\applic~1\WinBatch
    2010-12-25 11:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-25 10:58:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
    2010-12-23 10:55:39 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Temp
    2010-12-22 21:19:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
    2010-12-22 21:19:44 -------- d-----w- c:\program files\McAfee Security Scan
    2010-12-22 21:04:55 3592192 ----a-w- c:\windows\system32\stacgui.cpl
    2010-12-22 21:04:55 1052672 ----a-w- c:\windows\system32\stlang.dll
    2010-12-22 21:04:48 112128 ----a-w- c:\windows\system32\staco.dll
    2010-12-22 21:04:46 1106888 ----a-w- c:\windows\system32\drivers\sthda.sys
    2010-12-22 21:04:44 200704 ----a-w- c:\windows\system32\stacapi.dll
    2010-12-22 21:04:43 -------- d-----w- c:\program files\SigmaTel
    2010-12-22 14:26:31 -------- d-----w- c:\windows\system32\winrm
    2010-12-22 14:26:27 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2010-12-22 14:24:54 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Identities
    2010-12-22 14:24:49 -------- d-----w- c:\docume~1\user\applic~1\Windows Desktop Search
    2010-12-22 14:24:22 -------- d-----w- c:\program files\Windows Desktop Search
    2010-12-22 14:24:21 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-12-22 14:23:14 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
    2010-12-22 14:23:14 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
    2010-12-22 14:23:14 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
    2010-12-22 14:22:59 -------- d-----w- c:\program files\IDT
    2010-12-22 13:11:19 -------- d-----w- c:\windows\system32\XPSViewer
    2010-12-22 13:10:38 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-12-22 13:10:24 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-12-22 13:10:24 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-12-22 13:10:24 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-12-22 13:10:24 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-12-22 13:10:24 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-12-22 13:10:24 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-12-22 13:10:24 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-12-22 13:10:24 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-12-22 13:10:22 -------- d-----w- C:\f2edf5aa1db513bc7a562d
    2010-12-22 11:04:56 -------- d-----w- c:\windows\pss
    2010-12-17 11:05:44 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-12-17 09:59:18 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-12-17 09:59:18 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-12-17 09:59:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-12-17 07:33:04 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-12-17 07:29:52 -------- d-sh--w- c:\documents and settings\user\IECompatCache
    2010-12-17 07:29:44 -------- d-sh--w- c:\documents and settings\user\PrivacIE
    2010-12-17 07:20:05 -------- d-sh--w- c:\documents and settings\user\IETldCache
    2010-12-17 06:45:13 -------- d-----w- c:\windows\ie8updates
    2010-12-17 06:40:57 -------- dc-h--w- c:\windows\ie8
    2010-12-17 06:37:52 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-12-17 06:37:24 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-12-17 06:37:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-12-17 06:37:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-12-17 06:37:22 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-12-17 06:37:22 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-12-17 06:37:21 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-12-17 06:37:19 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-12-16 14:34:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-12-16 14:31:44 -------- d-----w- c:\windows\system32\appmgmt
    2010-12-16 14:27:48 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-12-16 14:27:48 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
    2010-12-16 14:27:48 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-12-16 14:27:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-12-16 14:26:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-12-16 14:26:09 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-12-16 14:25:53 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 14:25:41 -------- d-----w- c:\docume~1\user\applic~1\Juniper Networks
    2010-12-16 14:25:29 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2010-12-16 14:25:29 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2010-12-16 14:25:17 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-12-16 14:23:23 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-12-16 14:21:52 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-12-16 14:20:35 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 16:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HTS542512K9SA00 rev.BB2OC33P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x86EC3555]<<
    c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86ec97b0]; MOV EAX, [0x86ec982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F84AB8]
    3 CLASSPNP[0xF7577FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\THPDRV[0x86F67030]
    5 thpdrv[0xF77B19DB] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000008d[0x86F54910]
    7 ACPI[0xF74CE620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F54D98]
    \Driver\atapi[0x86F70B60] -> IRP_MJ_CREATE -> 0x86EC3555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS542512K9SA00_________________BB2OC33P#38303330393042423230303042574144564c4144#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86EC339B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 8:08:36.46 ===============
    Last edited by tashi; 2010-12-27 at 16:06. Reason: Copy pasted log into topic for member who'd experienced difficulty posting it

  #2 (Emeritus; Join Date: Nov 2005; Location: @localhost; Posts: 6,066)

    hi rabizzle,

    Your post is a few days old. If you still need help, post back. Based on the log, you should not use this computer. Make sure it has no Internet connectivity; if you're not sure, then power it off.
    Last edited by tashi; 2011-01-09 at 04:41. Reason: Date of archive
