
Inactive Redirect virus and Just In Time Debugging problem

Discussion in 'Malware and Virus Removal Archive' started by ourloop, 2010/11/23.

Thread Status:
Not open for further replies.
  1. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    I tried http://www.filedropper.com several times and I even went as far as signing up, and it still doesn't upload.

    If it's okay with you, I'll upload to my server and you can download all files from there or at least read them.

    Will that be okay with you?
     
  2. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's fine.
     

  5. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    That upload doesn't work either and since I ran ComboFix, I cannot connect to my servers via FTP.

    What now?
     
  6. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    PM sent
     
  7. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    Thanks - let me know.
     
  8. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    Anything?
     
  9. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    Whatever ComboFix did, it totally killed my ability to connect to my servers via my FTP applications. I believe that is why those other file upload sites you sent me to would not work for me.

    This is something that I must have. My business functions depend heavily on FTP.
     
  10. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I can't even comment without seeing the ComboFix log, but I don't have anything in my email.
     
  11. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    I'm going to try again and finish posting here the ComboFix log.
     
  12. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    ComboFix 10-11-24.04 - HP_Owner 11/25/2010 10:09:01.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1136 [GMT -6:00]
    Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .
    PEV Error: AppFolder

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\HP_Owner\Application Data\Google\T-Scan
    c:\documents and settings\HP_Owner\Application Data\Google\T-Scan\n.gif
    c:\documents and settings\HP_Owner\Application Data\Google\T-Scan\t.gif
    c:\documents and settings\HP_Owner\Application Data\Google\T-Scan\y.gif
    c:\documents and settings\HP_Owner\Application Data\Microsoft\Office15
    c:\documents and settings\HP_Owner\Application Data\Microsoft\Office15\actions
    c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
    c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul
    c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    c:\temp\DIV55
    c:\temp\DIV55\xDb.log
    c:\windows\a3kebook.ini
    c:\windows\akebook.ini
    c:\windows\ANS2000.INI
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\system32\C
    c:\windows\system32\dmlconf.dat
    c:\windows\system32\gotomon.log
    c:\windows\system32\IN
    c:\windows\system32\ki3
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    c:\windows\TEMP\28.tmp
    c:\windows\TEMP\47.tmp
    c:\windows\TEMP\48.tmp
    c:\windows\TEMP\73.tmp
    c:\windows\TEMP\79.tmp
    c:\windows\TEMP\7F.tmp
    c:\windows\TEMP\8A.tmp
    c:\windows\TEMP\B1.tmp
    c:\windows\TEMP\B6.tmp
    c:\windows\TEMP\BB.tmp
    c:\windows\TEMP\C0.tmp
    c:\windows\TEMP\C6.tmp
    c:\windows\TEMP\CB.tmp
    c:\windows\TEMP\D0.tmp
    c:\windows\TEMP\E2.tmp
    c:\windows\TEMP\E7.tmp
    D:\Autorun.inf
     
  13. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_USNJSVC
    -------\Service_usnjsvc


    ((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))
    .

    2010-11-23 14:02 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-11-23 14:02 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-11-23 14:02 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-11-23 14:02 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-11-23 14:02 . 2010-11-23 14:03 -------- d-----w- c:\program files\Trojan Remover
    2010-11-23 14:02 . 2010-11-23 14:02 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Simply Super Software
    2010-11-23 14:02 . 2010-11-23 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
    2010-11-22 23:45 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-22 23:45 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-22 23:14 . 2010-11-22 23:14 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-22 13:24 . 2010-11-22 13:24 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
    2010-11-22 13:23 . 2010-11-22 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-22 13:23 . 2010-11-22 23:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-23 19:18 . 2004-08-04 12:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
    2010-08-27 21:48 . 2004-08-07 21:29 4124 ----a-w- c:\windows\viassary-hp.reg
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
    "OurPictures "= "c:\program files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 4796416]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HPHUPD06 "= "c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
    "HPHmon06 "= "c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
    "KBD "= "c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
    "SiS Windows KeyHook "= "c:\windows\system32\keyhook.exe" [2004-05-20 249856]
    "AGRSMMSG "= "AGRSMMSG.exe" [2005-03-04 88209]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 57344]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 2879488]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-11-14 16270848]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
    "LifeCam "= "c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
    "VX1000 "= "c:\windows\vVX1000.exe" [2006-06-29 707376]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "BJCFD "= "c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "TrojanScanner "= "c:\program files\Trojan Remover\Trjscan.exe" [2010-08-02 1167808]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-7-31 118784]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HoTMetaL Personal Server.lnk]
    backup=c:\windows\pss\HoTMetaL Personal Server.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
    backup=c:\windows\pss\Updates from HP.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^easyGen Updater.lnk]
    backup=c:\windows\pss\easyGen Updater.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
    backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzineExpress

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
    2004-08-04 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-03-14 08:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2004-08-07 21:03 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
    1997-06-20 15:27 20480 ----a-w- c:\progra~1\ULEADS~1.0\USSSHREG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\WS_FTP Pro\\ftp95pro.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe "=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/1/2009 6:05 AM 206256]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [4/1/2009 6:09 AM 51488]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [4/1/2009 6:09 AM 39200]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/25/2008 5:59 AM 348752]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [4/1/2009 6:09 AM 33056]
    S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [4/1/2009 6:05 AM 159600]
    S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [4/1/2009 6:05 AM 64392]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2004-12-29 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-08 23:26]
    .
    .
     
  14. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I assume more is coming?
     
  15. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--fiqz9s ", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--fiqs8s ", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--j6w193g ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4a87g ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbqly7c0a67fbc ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbqly7cvafr ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--kpry57d ", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--kprw13d ", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .
     
  16. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{421E24AC-F448-41F7-B5A7-B939FD837C83} - (no file)
    HKLM-Run-VTTimer - VTTimer.exe
    Notify-AtiExtEvent - (no file)
    SafeBoot-klmdb.sys
    MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe
    AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
    AddRemove-NVIDIA GART Driver - c:\windows\system32\nvugart.exe
    AddRemove-WeatherBug - c:\progra~1\AWS\WEATHE~1\REMOVE.EXE
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
     
  17. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-25 10:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2000BB-22GUA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-1b

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A97B446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a981504]; MOV EAX, [0x8a981580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A991AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000075[0x8AA179E8]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AA18030]
    \Driver\atapi[0x8A9BA3E0] -> IRP_MJ_CREATE -> 0x8A97B446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-1b -> \??\IDE#DiskWDC_WD2000BB-22GUA0_____________________08.02D08#4457572d4143384c313132343036_039_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A97B292
    user != kernel MBR !!!
    sectors 390721966 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
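    The "user != kernel MBR" verdict above comes from reading sector 0 twice, once through the normal user-mode disk handle and once through the lower kernel disk path, and comparing the two; a filter hook like the one flagged on \Driver\atapi makes the two reads disagree. As an added illustration that is not from this thread or from the Gmer tool, the following Python check parses two constructed 512-byte MBR images (boot code, four partition entries, 0x55AA signature) and reports where they differ; the partition geometry and the boot-stub bytes are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot loader
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(image: bytes) -> Tuple[bytes, List[Partition]]:
    """Split a 512-byte MBR into its boot code and partition table."""
    if len(image) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if image[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = image[off], image[off + 4]
        lba, count = struct.unpack_from("<II", image, off + 8)
        parts.append(Partition(status == 0x80, type_id, lba, count))
    return image[:BOOT_CODE_LEN], parts


def compare_mbr(user_view: bytes, kernel_view: bytes) -> Dict[str, object]:
    """Report where two reads of the same sector disagree.

    A clean disk returns identical bytes on both paths; a disk-filter hook
    that rewrites reads of sector 0 makes them differ."""
    u_code, u_parts = parse_mbr(user_view)
    k_code, k_parts = parse_mbr(kernel_view)
    diffs = [i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]]
    return {
        "identical": not diffs,
        "boot_code_differs": u_code != k_code,
        "partition_entries_differ": [i for i in range(4) if u_parts[i] != k_parts[i]],
        "first_diff_offset": diffs[0] if diffs else None,
    }


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a constructed MBR image for the demonstration below."""
    table = b""
    for p in partitions + [Partition(False, 0, 0, 0)] * (4 - len(partitions)):
        # CHS fields are left zero; the LBA fields carry the geometry
        table += bytes([0x80 if p.bootable else 0x00, 0, 0, 0, p.type_id, 0, 0, 0])
        table += struct.pack("<II", p.lba_start, p.sector_count)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIG


# Constructed sample data: one bootable NTFS partition (type 0x07) at LBA 63.
NTFS = Partition(bootable=True, type_id=0x07, lba_start=63, sector_count=390721903)
# Ordinary boot stub prologue: XOR AX,AX / MOV SS,AX / MOV SP,7C00h
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c")
# Constructed stand-in for rewritten boot code (arbitrary bytes, not real malware)
TAMPERED_CODE = bytes.fromhex("eb3e90") + b"\xcc" * 64

USER_VIEW = build_mbr(CLEAN_CODE, [NTFS])       # what the user-mode read returns
KERNEL_VIEW = build_mbr(TAMPERED_CODE, [NTFS])  # what the lower read path returns

if __name__ == "__main__":
    report = compare_mbr(USER_VIEW, KERNEL_VIEW)
    print("user != kernel MBR" if not report["identical"] else "MBR consistent", report)
```

    The same comparison applied to the trailing sectors of the disk is what produces the "sectors ... user != kernel" line, since the partition table itself may be left untouched while only the boot code and hidden sectors differ.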
     
  18. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
     
  19. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(700)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(760)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2804)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WS_FTP Pro\nsftpch.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft LifeCam\MSCamSvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\AGRSMMSG.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-25 10:45:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-25 16:45

    Pre-Run: 106,248,945,664 bytes free
    Post-Run: 106,637,086,720 bytes free

    - - End Of File - - 59C67296E3AB2674ECA7615A31317952
     
  20. 2010/11/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  21. 2010/11/25
    ourloop

    ourloop Inactive Thread Starter

    Joined:
    2010/11/23
    Messages:
    52
    Likes Received:
    0
    I already have TDSSKiller on my desktop. Should I get a newer version?
     