TDL3 rootkit removal



apsattv
15-08-2010, 10:13 PM
I'm trying to remove this from a friend's PC via TeamViewer.


Talk about a tough one!

A fully updated ESET NOD32 never saw a thing, and neither did most common tools (Malwarebytes, etc.). HitmanPro saw a trace of it but did nothing.

Dr.Web CureIt did see the process and removed it, but it has since returned.

Has anyone had some experience with this one?

Netsukeninja
15-08-2010, 10:16 PM
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

wainuitech
15-08-2010, 10:34 PM
> Has anyone had some experience with this one?

Yep, can be a tricky one.

Run the killer posted above through it first.

If it's still stubborn, then run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix). It may take a while, and whatever you do, DON'T STOP IT. It may appear to be stopped or to be taking a long time; leave it alone.

A few words of warning: on some PCs it can make them unbootable afterwards, depending on the infections, so you have to know how to repair the OS if this happens.

It's NOT software to be used "willy-nilly". That's another reason it wants to install the Recovery Console when you run it.

apsattv
15-08-2010, 10:41 PM
Already used TDSSKiller; it doesn't even see it!

Not keen to run ComboFix yet. As I wrote, I'm fixing this via TeamViewer; if the machine fails to boot up at the other end, then the other person has a problem.

Thread here about it, but no simple solution:

http://www.wilderssecurity.com/showthread.php?t=279162

Could an ADMIN please shift this post to the section?

Speedy Gonzales
15-08-2010, 10:44 PM
That's the Alureon rootkit, isn't it? What version of Windows is it? If it's 32-bit, see if Trojan Remover removes it. I can check it out with TV if you want.

apsattv
15-08-2010, 10:50 PM
Yes, as above, 32-bit XP. Alureon rootkit? Isn't it the same thing as TDL3?

And nope, Trojan Remover doesn't see it either!

I will have another go at it later tonight with MSE.

Speedy Gonzales
15-08-2010, 10:53 PM
Send the ID and password to me in a PM. I'll have a look. Is it in normal Windows or Safe Mode with Networking?

apsattv
15-08-2010, 11:09 PM
Thanks for the offer but they prefer not to have a total stranger looking at it.

I will try some more tools on it overnight.

Speedy Gonzales
15-08-2010, 11:13 PM
I've probably been in half of the computers on this forum. Oh well, their loss.

PaulD
15-08-2010, 11:20 PM
> Yes, as above, 32-bit XP. Alureon rootkit? Isn't it the same thing as TDL3?
>
> And nope, Trojan Remover doesn't see it either!
>
> I will have another go at it later tonight with MSE.

I've recently had an alureon variant found and fixed by MSE. Malwarebytes found nothing.

MSE hasn't found any recurrence and the odd DNS behaviour and unwanted web ads have stopped.

apsattv
15-08-2010, 11:26 PM
That's why I plan to use it.

wainuitech
15-08-2010, 11:39 PM
That's the "fun" part about rootkits: the buggers hide, they often need dedicated software to remove, and even then you can never be 100% sure.

They can hide from all the AVs and clone themselves with random names/properties, and the moment you think they have gone, whamo, back again.

ComboFix: I've used it plenty of times, and only ever had two PCs fail to boot afterwards. But you have to know how to repair them if that happens.

zqwerty
16-08-2010, 12:07 AM
http://www.gmer.net/

SurferJoe46
17-08-2010, 04:43 AM
> Thanks for the offer but they prefer not to have a total stranger looking at it.
>
> I will try some more tools on it overnight.

Did you notice this:

Speedy Gonzales
Member
Join Date: Dec 2004
Location: Auckland
Posts: 32,354

If you cannot trust him with your computer for a look-see, then you've insulted him mightily. I would trust him with my wife-first born female child and my credit cards.

Maybe not my beer or bass guitars - but, hey! Ya gotta hold something dear!

GoodHour
17-08-2010, 07:52 AM
You're better off backing up data, formatting the HDD and reinstalling Windows. There is no way you can be sure the system is clean after what happened when there could be things on it that no virus checker will ever know about.

Snorkbox
17-08-2010, 08:00 AM
> You're better off backing up data, formatting the HDD and reinstalling Windows. There is no way you can be sure the system is clean after what happened when there could be things on it that no virus checker will ever know about.

Possibly this may be a good idea, but I don't believe it can be done remotely via TeamViewer.

Gobe1
17-08-2010, 08:47 AM
I had one recently too; ended up formatting, which was easier in the end. Can be rewarding if you do remove it, though.

Lawrence
17-08-2010, 09:13 AM
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

TDSSKiller saved me from a format; had a rootkit in the registry that would not delete by the usual methods.

TDSSKiller has been added to a USB drive along with the usual removal tools.

apsattv
17-08-2010, 09:14 PM
> Did you notice this:
>
> Speedy Gonzales
> Member
> Join Date: Dec 2004
> Location: Auckland
> Posts: 32,354
>
> If you cannot trust him with your computer for a look-see, then you've insulted him mightily. I would trust him with my wife-first born female child and my credit cards.
>
> Maybe not my beer or bass guitars - but, hey! Ya gotta hold something dear!

I'm aware of his reputation; no disrespect was meant to him.

linw
18-08-2010, 12:01 AM
Yep, I have had TDSSKiller do the job on a friend's machine.

apsattv
19-08-2010, 11:43 PM
Yes, I know it shows both ESET and Prevx on (Prevx was actually uninstalled; it has been fully removed now using their uninstall tool).


ComboFix 10-08-17.04 - macky 08/19/2010 17:21:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.303 [GMT -7:00]
Running from: c:\documents and settings\macky\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\scvideo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GOOGLEUPDATEBETA
-------\Service_GoogleUpdateBeta


((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.

2010-08-19 04:19 . 2010-08-19 04:19 -------- d-----w- c:\documents and settings\macky\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-08-19 04:04 . 2010-08-19 04:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-18 17:36 . 2010-08-18 17:36 -------- d-sh--w- c:\documents and settings\macky\IECompatCache
2010-08-15 08:42 . 2010-08-15 08:42 -------- d-----w- c:\documents and settings\macky\DoctorWeb
2010-08-15 08:19 . 2010-07-27 05:30 705208 ----a-w- c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-08-15 08:19 . 2010-07-27 05:30 978664 ----a-w- c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-08-15 07:29 . 2010-03-16 10:12 96512 ----a-w- c:\windows\system32\drivers\x001.sys
2010-08-15 06:49 . 2010-08-15 06:58 -------- d-----w- c:\documents and settings\macky\Application Data\QuickScan
2010-08-15 06:33 . 2010-08-15 06:33 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-08-15 06:33 . 2010-08-15 06:33 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-08-15 05:40 . 2010-08-15 05:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 05:28 . 2010-08-15 05:30 715152 ----a-w- c:\documents and settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\trunins.exe
2010-08-15 05:02 . 2010-08-15 07:56 -------- d-----w- c:\program files\Trojan Remover
2010-08-15 05:02 . 2010-08-15 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-08-15 04:25 . 2010-08-15 04:25 0 ----a-w- c:\documents and settings\macky\settings.dat
2010-08-15 04:19 . 2010-08-15 04:41 -------- d-----w- c:\program files\Prevx
2010-08-15 04:19 . 2010-08-15 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-08-15 03:29 . 2010-08-15 03:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-15 03:19 . 2010-08-15 09:53 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-15 03:19 . 2010-08-15 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-15 03:19 . 2010-08-15 03:19 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-13 07:16 . 2010-08-13 07:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-13 07:08 . 2010-08-13 07:08 -------- d-sh--w- c:\documents and settings\macky\PrivacIE
2010-08-13 07:06 . 2010-08-13 07:06 -------- d-sh--w- c:\documents and settings\macky\IETldCache
2010-08-13 06:49 . 2009-01-08 01:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-13 06:46 . 2010-08-13 06:52 -------- dc-h--w- c:\windows\ie8
2010-08-13 06:40 . 2010-08-13 06:40 388096 ----a-r- c:\documents and settings\macky\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-13 05:40 . 2010-08-13 05:40 -------- d-----w- c:\documents and settings\macky\Application Data\Malwarebytes
2010-08-13 05:40 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 05:40 . 2010-08-13 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-13 05:40 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 05:40 . 2010-08-13 06:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 22:38 . 2010-08-12 22:38 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-09 04:34 . 2010-08-09 04:34 -------- d-----w- c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-20 00:07 . 2010-05-16 02:10 -------- d-----w- c:\documents and settings\macky\Application Data\TeamViewer
2010-08-18 20:21 . 2010-05-22 00:35 -------- d-----w- c:\program files\MyFreeCams
2010-08-05 02:24 . 2009-10-23 20:26 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 2
2010-06-23 04:37 . 2010-06-23 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
2010-06-23 04:36 . 2010-06-23 04:36 -------- d-----w- c:\program files\SweetIM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2010-05-17 138552]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2010-05-17 23:55 1444664 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-05-17 1444664]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-05-17 1444664]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"GUCI_AVS"="c:\windows\PixArt\PAP7501\GUCI_AVS.exe" [2007-12-10 323584]
"PACTray"="c:\windows\PixArt\PAP7501\PACTray.exe" [2008-11-14 319488]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-06-07 111928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Update ESET's license.lnk - c:\program files\ESET\MiNODLogin\MiNODLogin.exe [2010-7-1 125952]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\macky\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\macky\\Local Settings\\Temp\\TeamViewer\\Version5\\TeamViewer.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [8/14/2010 11:33 PM 30320]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/16/2009 9:06 AM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [8/14/2010 11:33 PM 69736]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\macky\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\macky\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 GUCI_AVS;USB2.0 VGA Video Device;c:\windows\system32\drivers\GUCI_AVS.sys [5/20/2010 5:59 PM 579200]
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\User_Feed_Synchronization-{F6B8C286-EAA8-4D0F-9FDB-D7ED1ADB95E0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\macky\Application Data\Mozilla\Firefox\Profiles\o361hj2x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\macky\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82091ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857cfc3
\Driver\ACPI -> ACPI.sys @ 0xf84efcb8
\Driver\atapi -> x001.sys @ 0xf8481852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf838fbc3
PacketIndicateHandler -> NDIS.sys @ 0xf839bb21
SendHandler -> NDIS.sys @ 0xf838fd33
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3616)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
.
**************************************************************************
.
Completion time: 2010-08-19 17:43:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-20 00:43

Pre-Run: 26,057,293,824 bytes free
Post-Run: 26,320,887,808 bytes free

- - End Of File - - B073D1853AEA35DD7464B77EF2D3D3DC
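The two lines in that log worth acting on are the Gmer MBR detector's "\Driver\atapi -> x001.sys" hook and the atapi service's ImagePath, which now points at x001.sys instead of atapi.sys. As an added example that is not part of the thread, here is a small Python triage script that picks exactly those out of ComboFix output; the expected-module and expected-ImagePath tables are assumptions for a stock 32-bit XP install, and the sample lines are copied from the log above.

```python
"""Triage helper for the Gmer 'Stealth MBR rootkit detector' and registry
sections of a ComboFix log: flags a \\Driver\\<name> hook whose handler lives
in an unexpected module, and a service ImagePath that no longer points at the
driver file normally registered for that service."""
import re

# Constructed sample: the relevant lines from the log quoted above.
SAMPLE_LOG = r"""
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857cfc3
\Driver\ACPI -> ACPI.sys @ 0xf84efcb8
\Driver\atapi -> x001.sys @ 0xf8481852
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\x001.sys\00system32\drivers\iaStor."
"""

# Assumption: modules that legitimately service each driver object on a
# default 32-bit XP install (disk class driver, ACPI bus driver, IDE miniport).
EXPECTED_HOOK_MODULE = {
    "Disk": {"classpnp.sys", "disk.sys"},
    "ACPI": {"acpi.sys"},
    "atapi": {"atapi.sys"},
}
# Assumption: the file a stock service's ImagePath should reference.
EXPECTED_IMAGE = {"atapi": "system32\\drivers\\atapi.sys"}

HOOK_RE = re.compile(r"^\\Driver\\(\S+) -> (\S+) @ (0x[0-9a-fA-F]+)$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$")
IMAGE_RE = re.compile(r'^"ImagePath"=(?:multi:)?"(.*)"$')


def parse_hooks(text):
    """Return [(driver, module, address)] for each '\\Driver\\X -> Y @ addr' line."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in (HOOK_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_image_paths(text):
    """Return {service: [paths]} from REGEDIT4-style Services keys.
    REG_MULTI_SZ values are printed with \\00 between entries, so split on it."""
    result, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            continue
        img = IMAGE_RE.match(line.strip())
        if img and current:
            result[current] = [p for p in img.group(1).split("\\00") if p]
    return result


def find_suspicious(text):
    """Flag hooks served by an unexpected module and redirected ImagePaths."""
    findings = []
    for driver, module, addr in parse_hooks(text):
        allowed = EXPECTED_HOOK_MODULE.get(driver)
        if allowed and module.lower() not in allowed:
            findings.append(f"\\Driver\\{driver} handled by {module} at {addr}, "
                            f"expected one of {sorted(allowed)}")
    for service, paths in parse_image_paths(text).items():
        expected = EXPECTED_IMAGE.get(service)
        if expected and paths and paths[0].lower() != expected.lower():
            findings.append(f"service {service} ImagePath redirected to {paths[0]} "
                            f"(expected {expected})")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print("SUSPICIOUS:", finding)
```

On the quoted log this reports the atapi hook and the redirected atapi ImagePath and stays silent on the Disk and ACPI entries, which is the distinction a remote helper needs before deciding between a targeted cleanup and a rebuild.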