Thread 111879 (Press F1 forum): TDL3 rootkit removal, started 2010-08-15 10:13:00 by apsattv (7406)
Post 1128014, 2010-08-19 11:43:00, apsattv (7406):

Yes, I know it shows both ESET and Prevx on (Prevx was actually uninstalled; it has been fully removed now using their uninstall tool).

ComboFix 10-08-17.04 - macky 08/19/2010 17:21:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.303 [GMT -7:00]
Running from: c:\documents and settings\macky\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
 * Resident AV is active
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\scvideo.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GOOGLEUPDATEBETA
-------\Service_GoogleUpdateBeta
.
(((((((((((((((((((((((((   Files Created from 2010-07-20 to 2010-08-20   )))))))))))))))))))))))))))))))
.
2010-08-19 04:19 . 2010-08-19 04:19 -------- d-----w- c:\documents and settings\macky\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-08-19 04:04 . 2010-08-19 04:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-18 17:36 . 2010-08-18 17:36 -------- d-sh--w- c:\documents and settings\macky\IECompatCache
2010-08-15 08:42 . 2010-08-15 08:42 -------- d-----w- c:\documents and settings\macky\DoctorWeb
2010-08-15 08:19 . 2010-07-27 05:30 705208 ----a-w- c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-08-15 08:19 . 2010-07-27 05:30 978664 ----a-w- c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-08-15 07:29 . 2010-03-16 10:12 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2010-08-15 06:49 . 2010-08-15 06:58 -------- d-----w- c:\documents and settings\macky\Application Data\QuickScan
2010-08-15 06:33 . 2010-08-15 06:33 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-08-15 06:33 . 2010-08-15 06:33 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-08-15 05:40 . 2010-08-15 05:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 05:28 . 2010-08-15 05:30 715152 ----a-w- c:\documents and settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\trunins.exe
2010-08-15 05:02 . 2010-08-15 07:56 -------- d-----w- c:\program files\Trojan Remover
2010-08-15 05:02 . 2010-08-15 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-08-15 04:25 . 2010-08-15 04:25 0 ----a-w- c:\documents and settings\macky\settings.dat
2010-08-15 04:19 . 2010-08-15 04:41 -------- d-----w- c:\program files\Prevx
2010-08-15 04:19 . 2010-08-15 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-08-15 03:29 . 2010-08-15 03:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-15 03:19 . 2010-08-15 09:53 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-15 03:19 . 2010-08-15 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-15 03:19 . 2010-08-15 03:19 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-13 07:16 . 2010-08-13 07:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-13 07:08 . 2010-08-13 07:08 -------- d-sh--w- c:\documents and settings\macky\PrivacIE
2010-08-13 07:06 . 2010-08-13 07:06 -------- d-sh--w- c:\documents and settings\macky\IETldCache
2010-08-13 06:49 . 2009-01-08 01:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-13 06:46 . 2010-08-13 06:52 -------- dc-h--w- c:\windows\ie8
2010-08-13 06:40 . 2010-08-13 06:40 388096 ----a-r- c:\documents and settings\macky\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-13 05:40 . 2010-08-13 05:40 -------- d-----w- c:\documents and settings\macky\Application Data\Malwarebytes
2010-08-13 05:40 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 05:40 . 2010-08-13 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-13 05:40 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 05:40 . 2010-08-13 06:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 22:38 . 2010-08-12 22:38 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-09 04:34 . 2010-08-09 04:34 -------- d-----w- c:\windows\system32\CatRoot_bak
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-20 00:07 . 2010-05-16 02:10 -------- d-----w- c:\documents and settings\macky\Application Data\TeamViewer
2010-08-18 20:21 . 2010-05-22 00:35 -------- d-----w- c:\program files\MyFreeCams
2010-08-05 02:24 . 2009-10-23 20:26 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 2
2010-06-23 04:37 . 2010-06-23 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
2010-06-23 04:36 . 2010-06-23 04:36 -------- d-----w- c:\program files\SweetIM
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2010-05-17 138552]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2010-05-17 23:55 1444664 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-05-17 1444664]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-05-17 1444664]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"GUCI_AVS"="c:\windows\PixArt\PAP7501\GUCI_AVS.exe" [2007-12-10 323584]
"PACTray"="c:\windows\PixArt\PAP7501\PACTray.exe" [2008-11-14 319488]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-06-07 111928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Update ESET's license.lnk - c:\program files\ESET\MiNODLogin\MiNODLogin.exe [2010-7-1 125952]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\macky\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\macky\\Local Settings\\Temp\\TeamViewer\\Version5\\TeamViewer.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [8/14/2010 11:33 PM 30320]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/16/2009 9:06 AM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [8/14/2010 11:33 PM 69736]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\macky\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\macky\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 GUCI_AVS;USB2.0 VGA Video Device;c:\windows\system32\drivers\GUCI_AVS.sys [5/20/2010 5:59 PM 579200]
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\User_Feed_Synchronization-{F6B8C286-EAA8-4D0F-9FDB-D7ED1ADB95E0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\macky\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82091ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857cfc3
\Driver\ACPI -> ACPI.sys @ 0xf84efcb8
\Driver\atapi -> x001.sys @ 0xf8481852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf838fbc3
PacketIndicateHandler -> NDIS.sys @ 0xf839bb21
SendHandler -> NDIS.sys @ 0xf838fd33
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3616)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
.
**************************************************************************
.
Completion time: 2010-08-19 17:43:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-20 00:43

Pre-Run: 26,057,293,824 bytes free
Post-Run: 26,320,887,808 bytes free

- - End Of File - - B073D1853AEA35DD7464B77EF2D3D3DC