TDSS Rootkit

I have TDSS Rootkit.

What do I do? Here is the Cheetah report:


Cheetah-Anti-Rogue v1.5.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 07/24/2010 - Time: 22:08:33 - Arch.: x86


-- Malware removal tools check --
CCleaner
Malwarebytes' Anti-Malware


-- Known infection --

Warning: detected presence of TDSS Rootkit!


Extra message: Detection only.


EOF

Re: TDSS Rootkit
Hi, welcome to GeekPolice.net!

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run then copy paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[screenshot: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: TDSS Rootkit
Okay.

Re: TDSS Rootkit

[screenshot]

Re: TDSS Rootkit


I installed it, then I restarted the computer. I got this message and it was gone.

Re: TDSS Rootkit
Hi,

Are you saving it to the desktop and renaming it to commy.exe?

Re: TDSS Rootkit
Sneakyone wrote:
Hi,

Are you saving it to the desktop and renaming it to commy.exe?



Yes, and I had to restart my computer. When I did, it was gone, and when I tried to reinstall it I got the message I posted above.

Re: TDSS Rootkit

Hi,

To disable CD Emulation programs using DeFogger please perform these steps:
  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.


=========

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: TDSS Rootkit

OK, starting now.

Re: TDSS Rootkit

I have avast and I don't know how to disable it.

Re: TDSS Rootkit

Hey, during gmer.exe my computer restarted.

Re: TDSS Rootkit

It keeps restarting my computer. What can this mean?

Re: TDSS Rootkit

Hi,

Could you please go into Safe Mode with Networking, by restarting your computer and keep tapping F8 until it asks you which mode you want to choose, then choose Safe Mode with Networking and download and run ComboFix.

Re: TDSS Rootkit
ComboFix 10-07-24.03 - Joe 07/25/2010 14:46:32.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.765 [GMT -5:00]
Running from: c:\documents and settings\Joe\My Documents\commy.exe
AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joe\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Joe\Application Data\Google\T-Scan
c:\documents and settings\Joe\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Joe\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Joe\Application Data\Google\T-Scan\y.gif
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{3998DB3E-0DAF-4255-A3CE-433E07453DCB}\setup.msi
c:\program files\screensavers.com
c:\program files\screensavers.com\Wallpaper\Lowrider Euro - Topless.jpg
c:\windows\java.exe
c:\windows\MailSwitch.ocx
c:\windows\patch.exe
c:\windows\tempf.txt

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-22 01:33 . 2010-07-22 03:47 -------- d-----w- c:\documents and settings\Joe\Application Data\FixCleaner
2010-07-18 20:49 . 2010-07-18 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-12 22:43 . 2010-07-12 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 19:44 . 2010-07-09 22:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-22 01:35 . 2010-07-22 01:23 -------- d-----w- c:\program files\FixCleaner
2010-07-18 20:49 . 2010-07-18 20:49 -------- d-----w- c:\program files\Alwil Software
2010-07-16 06:28 . 2006-05-13 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-14 16:08 . 2006-05-13 19:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 23:43 . 2010-02-08 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-12 18:31 . 2010-07-12 18:31 -------- d-----w- c:\program files\ThreatFire
2010-07-12 18:31 . 2010-02-09 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-28 20:57 . 2010-07-18 20:52 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-07-18 20:52 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:39 . 2010-07-18 21:02 99280 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-06-28 20:39 . 2010-07-18 21:02 312912 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-06-28 20:38 . 2010-07-18 20:59 188168 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-06-28 20:37 . 2010-07-18 20:59 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-07-18 21:02 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-07-18 20:59 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-07-18 20:59 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-07-18 20:59 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-07-18 21:02 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-07-18 20:59 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-28 20:10 . 2010-07-18 20:53 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2010-06-25 21:45 . 2008-05-30 03:31 256 ----a-w- c:\windows\system32\pool.bin
2010-06-25 21:45 . 2003-03-06 05:40 36648 -c--a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-25 21:45 . 2008-04-23 02:02 -------- d-----w- c:\documents and settings\Joe\Application Data\Research In Motion
2010-06-24 02:14 . 2010-06-24 02:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2010-06-24 02:14 . 2010-06-24 02:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-06-24 02:10 . 2010-06-24 02:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2010-06-24 01:43 . 2010-06-24 01:35 -------- d-----w- c:\program files\Zune
2010-06-24 01:40 . 2010-06-24 01:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2010-06-24 01:40 . 2010-06-24 01:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-09 18:36 . 2010-06-09 18:36 -------- d-----w- c:\documents and settings\Joe\Application Data\InstallShield
2010-06-09 18:34 . 2008-05-30 03:07 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-09 18:28 . 2010-06-09 18:23 -------- d-----w- c:\program files\Roxio
2010-06-09 18:24 . 2008-05-30 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-06-09 18:23 . 2010-06-09 18:23 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-06-09 17:53 . 2009-11-12 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-06-09 17:53 . 2008-05-30 02:51 -------- d-----w- c:\program files\Research In Motion
2010-06-09 17:39 . 2008-04-23 02:01 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-05-04 17:20 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2001-08-18 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2003-01-03 14:10 . 2003-01-03 14:10 23357 -c-ha-w- c:\program files\folder.htt
2001-08-18 12:00 . 2001-08-18 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2001-08-18 12:00 50688 --sh--w- c:\windows\twain_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-06-28 20:59 153184 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FixCleaner"="c:\program files\FixCleaner\FixCleaner.exe" [2010-06-09 47002968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"QveCtl2Tray"="c:\program files\Philips\PSA2\skin\QveCplSk.EXE" [2002-08-17 901120]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EPSON Stylus Photo R200 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EPSON Stylus Photo R200 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-5 108544]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force 2\\Update.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 PortlUSB;PortlUSB; [x]
R3 zsi_fmw;Stiletto Firmware Recovery;c:\windows\system32\Drivers\zsi_fmw.sys [2007-07-16 34176]
R3 zsi_zap;Stiletto ZAP Recovery Driver;c:\windows\system32\Drivers\zsi_zap.sys [2007-07-16 16896]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-06-28 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-01-14 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-01-14 59664]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [2010-06-28 119200]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
S3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [2002-08-27 365460]
S3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;c:\windows\system32\DRIVERS\QsndEnum.sys [2002-07-18 9600]
S3 QSoftAud;Philips Sound Agent 2 (WDM);c:\windows\system32\drivers\QSoftAud.sys [2002-08-21 562560]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-01-14 33552]

.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-07-25 c:\windows\Tasks\FixCleaner Scan.job
- c:\program files\FixCleaner\FixCleaner.exe [2010-06-09 12:10]

2010-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-06 18:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-06 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = wmplayer.exe
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\0yr0b6od.default\
FF - component: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\0yr0b6od.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\0yr0b6od.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{b23fc8df-1197-495f-b4e7-b6922bbe66bd} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
SafeBoot-mferkdk
SafeBoot-mferkdk.sys
SafeBoot-Wdf01000.sys
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1767777339-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'lsass.exe'(1064)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TfWah.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\pctspk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\System32\wbem\unsecapp.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\ThreatFire\TFService.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2010-07-25 16:17:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 21:15

Pre-Run: 3,589,636,096 bytes free
Post-Run: 2,939,857,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - FF2A1EB76B477D9B8DCED271FE24D722
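As an added example (not part of this thread and not ComboFix's own code), a small parser that reads a ComboFix log in the layout posted above and pulls out the findings a helper acts on first: the "MBR is infected" line, the removed TDSS service entries under Drivers/Services, deleted files, Security Center `DisableMonitoring` keys, and how many resident AV products are present. The sample log is constructed from that layout; the function names are assumptions of this example.

```python
"""Triage a ComboFix log: pull out what a malware-removal helper reads first.
Added example, not ComboFix's code; SAMPLE_LOG is constructed in the layout of the log posted above."""
import re

SAMPLE_LOG = r"""ComboFix 10-07-24.03 - Joe 07/25/2010 14:46:32.1.1 - x86 NETWORK
AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
((((((((((((((( Other Deletions )))))))))))))))
c:\windows\java.exe
.
MBR is infected with the Whistler Bootkit !!
((((((((((((((( Drivers/Services )))))))))))))))
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((( Reg Loading Points )))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|- - - - (.+?) - - - -)$")  # section banners
AV_RE = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*")        # header lines listing security products
MBR_RE = re.compile(r"^MBR is infected with the (.+?) !!")
SERVICE_RE = re.compile(r"^-+\\(.+)$")                   # "-------\Name" = service entry removed
REGKEY_RE = re.compile(r"^\[(.+)\]$")

def split_sections(text):
    """Map each banner title to the lines under it; lines before any banner go under 'header'."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def triage(text):
    """Findings that decide the next step: MBR state, removed services, deleted files, monitoring keys."""
    s = split_sections(text)
    report = {"mbr_infected": None, "deleted_files": [], "removed_services": [],
              "disabled_monitoring": [],
              "products": [m.groups() for m in map(AV_RE.match, s["header"]) if m]}
    for line in s.get("Other Deletions", []):
        m = MBR_RE.match(line)
        if m:
            report["mbr_infected"] = m.group(1)
        elif re.match(r"[a-z]:\\", line, re.IGNORECASE):
            report["deleted_files"].append(line)
    for line in s.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m:
            report["removed_services"].append(m.group(1))
    key = None
    for line in s.get("Reg Loading Points", []):
        m = REGKEY_RE.match(line)
        if m:
            key = m.group(1)
        elif line.startswith('"DisableMonitoring"=dword:00000001') and key:
            # Some AV suites set this themselves; treat it as a lead to confirm, not proof of tampering.
            report["disabled_monitoring"].append(key.rsplit("\\", 1)[-1])
    return report

def summary(report):
    """Plain-language notes in the order a helper would act on them."""
    notes = []
    if report["mbr_infected"]:
        notes.append("MBR infected (%s): verify the boot sector before trusting later scans" % report["mbr_infected"])
    if report["removed_services"]:
        notes.append("rootkit service entries removed: " + ", ".join(report["removed_services"]))
    av = [name for kind, name, _ in report["products"] if kind == "AV"]
    if len(av) > 1:  # two resident scanners is a frequent cause of conflicts and reboots
        notes.append("more than one AV product installed: " + "; ".join(av))
    return notes

if __name__ == "__main__":
    for note in summary(triage(SAMPLE_LOG)):
        print("-", note)
```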

Re: TDSS Rootkit

Hi,

Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop.
  • Open this report and post its content in your next reply.
