Some kind of TDL4/Tiderv! Variant [Closed]

#1 Muttz (New Member, 1 posts)
Well, Happy New Year everyone! I hope that everyone had a happy holiday season, whatever you happen to celebrate.

I have been fighting a nasty stealth rootkit for months. Everything in my house is infected, including my iPhone, Hotmail and Facebook. The ironic thing is that I hate Facebook and only log in a couple of times a month.

This thing started to take a turn for the worse in October. Previously, I would be able to keep the computers clean for 4-6 weeks at a time. Now, they don't last an hour. I am currently working on my desktop.

For antivirus, I have tried Norton, Eset and Bit Defender. All of them just allowed this thing to walk right through the firewall. I'm currently using Kaspersky and it seems to be the best so far. The OS is Vista Ultimate 64. I usually use Win 7, but since I belong to technet, those disks are burned and I don't trust them. The Vista disk is factory-made.

I just don't know how this thing keeps coming back. When I reinstall, I wipe the disks with Active KillDisk. From what I have read, that one is one of the better ones. It gets right down to track 0. The last time that I did it, I checked - the whole disk was zeros. There were no extra partitions. I checked in GParted. (I have seen small 993 KB partitions in the past.) I took the hard drive out and flashed the BIOS just in case it was in there. I then re-installed the HD and installed Vista and Kaspersky.

I was reinfected within minutes.

First, the port scans start. The firewall gets hammered with port scans every 10th of a second. They eventually break through. After that, whatever AV I am using is done. If you check the logs, you will see notices that the service for the AV couldn't start. All of the firewall programs give you different information. When I was using Bit Defender, you would see that a "non-IP packet" was allowed through, and the first 40 bytes in hex would be listed. These messages would pop up every few minutes. After a while, these packets would just start pouring through the firewall. There would be pages of them at a time. Kaspersky doesn't do that, but it wasn't long before the Rootkit scan was disabled. The regular protection fell just after.

On Friday, I was completely fed up. I thought that there must be something on the hard drives that I couldn't see in Windows or Linux. I bought a brand new drive. I got my computer store to download my BIOS onto a CD for me. I went home. I removed the old hard drive. I flashed the BIOS and installed the new HD. I again installed Vista and Kaspersky. I set everything that I could in Kaspersky to the settings for a hostile environment.

Unbloody believable. (Actually, I can't repeat what I said, lol.) I clicked on IE about 3/4 of the way through the Windows update process and Kaspersky gave me a pop-up that said an encrypted SSL connection was being made. It shouldn't have been. I installed Firefox and more detailed warnings started to pop up.

"Firefox.exe cannot confirm the authenticity for s-static.ak.fbcdn.net as a trusted vendor.

Possible Reasons:

- certificate center is unknown
- server is incorrectly configured
- you are connected to the intruder's server

Remote address: 23.1.177
Remote port: 443"

And when I told it not to accept the connection, another warning popped up. It was the same as above, but the URL was *.facebook.com. The remote address was 66.220.146.87 and the port, again, was 443.

Honestly, this is the most info that I have gotten from an AV program so far. At least I know what I am dealing with now, but HOW are they finding me? It was a new hard drive!

The only other possibilities are that my iPhone is somehow reinfecting me. The Safari browser in the phone is getting redirects to that s-static.ak.fbcdn.net address, but it hasn't been on the network for over a month. The router is broken. I can no longer log into it. Or, it's coming from my ISP, maybe? I don't know.

This thing is the spawn of Satan.

So, I had a couple of hours yesterday and I ran an OTL listing. And, yes, I ran ComboFix. It was no big deal if something bad happened. I still have the log.

This morning, I disabled all the add-ins for Firefox. I went into options and clicked on Applications. There was an irc and ircs listed. When I clicked on either one of them, I got another pop-up. Both were connecting to www.mibbit.com/443. I disabled that. The notices about the SSL connection still popped up, but a second later another notice said that the connection was terminated.

Under Mail, Google and Yahoo were listed. The messages for both of them were:

The Certificate is not trusted because the issuer certificate is not valid. This could be a problem with the server's configuration or it could be someone trying to impersonate the server.

I just changed that to Windows mail and the messages went away.

I then came here and followed the directions for "How to Remove Google Redirects." TDSSKiller didn't find anything.

It worked for a few minutes. I was seeing the OpenDNS logo on my Google searches, but the redirects are back.

And here I am. This is the OTL listing after completing all of these steps. I'd really appreciate it if someone could have a look. I need a break. This is the first time that a piece of malware has beaten me.

Thanks,
June


OTL logfile created on: 1/1/2012 8:57:15 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Me\Desktop
64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 6.33 Gb Available Physical Memory | 79.14% Memory free
16.05 Gb Paging File | 14.42 Gb Available in Paging File | 89.86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.51 Gb Total Space | 855.54 Gb Free Space | 91.84% Space Free | Partition Type: NTFS

Computer Name: QUAD | User Name: June | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Me\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
PRC - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe (Infowatch)


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\QtGui4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\QtCore4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\localization_manager.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\dblite.dll ()


========== Win32 Services (SafeList) ==========

SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AVP) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (CSObjectsSrv) -- C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe (Infowatch)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (KLIF) -- C:\Windows\SysNative\DRIVERS\klif.sys (Kaspersky Lab)
DRV:64bit: - (CSCrySec) -- C:\Windows\SysNative\DRIVERS\CSCrySec.sys (Infowatch)
DRV:64bit: - (CSVirtualDiskDrv) -- C:\Windows\SysNative\DRIVERS\CSVirtualDiskDrv.sys (Infowatch)
DRV:64bit: - (KLBG) -- C:\Windows\SysNative\DRIVERS\klbg.sys (Kaspersky Lab)
DRV:64bit: - (klmouflt) -- C:\Windows\SysNative\DRIVERS\klmouflt.sys (Kaspersky Lab)
DRV:64bit: - (KLIM6) -- C:\Windows\SysNative\DRIVERS\klim6.sys (Kaspersky Lab)
DRV:64bit: - (kl1) -- C:\Windows\SysNative\DRIVERS\kl1.sys (Kaspersky Lab)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\DRIVERS\ASACPI.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 FD CD 04 F4 C7 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/01/01 11:47:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\THBExt [2011/12/30 23:50:58 | 000,000,000 | ---D | M]

[2012/01/01 13:16:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/01 13:16:21 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]
[2011/12/21 02:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/12/20 23:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/12/20 23:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/12/31 18:25:24 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ievkbd.dll (Kaspersky Lab)
O2:64bit: - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O4 - HKLM..\Run: [AVP] C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4:64bit: - HKLM..\RunOnce: [NoIE4StubProcessing] C:\Windows\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 60
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9:64bit: - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O9:64bit: - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B0985A9-BC20-4D53-BF43-F7E04751B6FD}: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B0985A9-BC20-4D53-BF43-F7E04751B6FD}: NameServer = 208.67.222.222,208.67.220.220
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\kloehk.dll (Kaspersky Lab)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\sbhook64.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll) -C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll) -C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\sbhook.dll (Kaspersky Lab)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\klogon: DllName - (%SystemRoot%\System32\klogon.dll) - C:\Windows\SysNative\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img23.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img23.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/01 18:42:06 | 000,000,000 | ---D | C] -- C:\Users\June\Desktop\GooredFix Backups
[2012/01/01 18:38:13 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/01/01 11:47:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2011/12/31 18:33:31 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/31 18:25:26 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/12/31 18:11:07 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/31 18:11:07 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/31 18:11:07 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/31 18:11:04 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/31 18:11:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/31 15:31:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Portable Devices
[2011/12/31 15:31:32 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\spool
[2011/12/31 15:31:31 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2011/12/31 14:44:41 | 004,358,797 | R--- | C] (Swearware) -- C:\Users\June\Desktop\ComboFix.exe
[2011/12/31 14:43:44 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\June\Desktop\OTL.exe
[2011/12/31 13:24:59 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\vi-VN
[2011/12/31 13:24:59 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\eu-ES
[2011/12/31 13:24:59 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\ca-ES
[2011/12/31 13:24:58 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\vi-VN
[2011/12/31 13:24:58 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\eu-ES
[2011/12/31 13:24:58 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\ca-ES
[2011/12/31 13:22:48 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2011/12/31 03:40:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2011/12/31 03:00:19 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2011/12/31 02:41:54 | 000,000,000 | ---D | C] -- C:\Windows\Debug
[2011/12/31 02:39:47 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\WindowsPowerShell
[2011/12/31 02:39:43 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\WindowsPowerShell
[2011/12/31 02:35:24 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2011/12/31 02:34:19 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2011/12/31 02:32:29 | 000,000,000 | ---D | C] -- C:\Windows\CSC
[2011/12/31 02:31:19 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2011/12/31 02:31:10 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2011/12/31 02:30:19 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2011/12/31 02:30:02 | 000,000,000 | ---D | C] -- C:\Boot
[2011/12/31 00:38:34 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2011/12/31 00:38:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2011/12/31 00:37:36 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2011/12/31 00:37:23 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2011/12/30 23:59:22 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\June\Desktop\TDSSKiller.exe
[2011/12/30 23:51:21 | 000,085,048 | ---- | C] (Infowatch) -- C:\Windows\SysNative\drivers\CSCrySec.sys
[2011/12/30 23:51:21 | 000,066,104 | ---- | C] (Infowatch) -- C:\Windows\SysNative\drivers\CSVirtualDiskDrv.sys
[2011/12/30 23:51:20 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2011/12/30 23:50:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\InfoWatch
[2011/12/30 23:50:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky PURE
[2011/12/30 23:50:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2011/12/30 23:50:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Kaspersky Lab
[2011/12/30 23:50:33 | 000,353,296 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\klif.sys
[2011/12/30 23:49:34 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2011/12/30 23:49:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2011/12/30 23:44:11 | 000,000,000 | R--D | C] -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011/12/30 23:44:11 | 000,000,000 | R--D | C] -- C:\Users\June\Searches
[2011/12/30 23:44:11 | 000,000,000 | R--D | C] -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/12/30 23:44:03 | 000,000,000 | ---D | C] -- C:\Users\June\AppData\Roaming\Identities
[2011/12/30 23:44:00 | 000,000,000 | R--D | C] -- C:\Users\June\Contacts
[2011/12/30 23:43:59 | 000,000,000 | ---D | C] -- C:\Users\June\AppData\Local\VirtualStore
[2011/12/30 23:43:55 | 000,000,000 | --SD | C] -- C:\Users\June\AppData\Roaming\Microsoft
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Videos
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Saved Games
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Pictures
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Music
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Links
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Favorites
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Downloads
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Documents
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\Desktop
[2011/12/30 23:43:55 | 000,000,000 | R--D | C] -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\AppData\Local\Temporary Internet Files
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Templates
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Start Menu
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\SendTo
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Recent
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\PrintHood
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\NetHood
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Documents\My Videos
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Documents\My Pictures
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Documents\My Music
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\My Documents
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Local Settings
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\AppData\Local\History
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Cookies
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\Application Data
[2011/12/30 23:43:55 | 000,000,000 | -HSD | C] -- C:\Users\June\AppData\Local\Application Data
[2011/12/30 23:43:55 | 000,000,000 | -H-D | C] -- C:\Users\June\AppData
[2011/12/30 23:43:55 | 000,000,000 | ---D | C] -- C:\Users\June\AppData\Local\Temp
[2011/12/30 23:43:55 | 000,000,000 | ---D | C] -- C:\Users\June\AppData\Local\Microsoft
[2011/12/30 23:43:55 | 000,000,000 | ---D | C] -- C:\Users\June\AppData\Roaming\Media Center Programs

========== Files - Modified Within 30 Days ==========

[2012/01/01 20:58:00 | 000,000,432 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{BF08CD2D-CEB4-4F04-A569-AB49EA162061}.job
[2012/01/01 20:46:25 | 000,002,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/01 20:46:25 | 000,002,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/01 18:53:33 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/01/01 18:53:33 | 000,604,264 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/01/01 18:53:33 | 000,103,964 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/01/01 18:46:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/01 11:47:38 | 000,000,888 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/01 10:58:25 | 000,008,798 | ---- | M] () -- C:\Windows\SysWow64\icrav03.rat
[2012/01/01 10:58:25 | 000,008,798 | ---- | M] () -- C:\Windows\SysNative\icrav03.rat
[2012/01/01 10:58:25 | 000,001,988 | ---- | M] () -- C:\Windows\SysWow64\ticrf.rat
[2012/01/01 10:58:25 | 000,001,988 | ---- | M] () -- C:\Windows\SysNative\ticrf.rat
[2012/01/01 10:58:14 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/01/01 10:58:10 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2011/12/31 18:25:24 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/12/31 15:34:17 | 000,229,160 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/12/31 15:31:15 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2011/12/31 14:45:38 | 000,000,134 | ---- | M] () -- C:\Users\June\Desktop\Internet Explorer Troubleshooting.url
[2011/12/31 14:44:47 | 004,358,797 | R--- | M] (Swearware) -- C:\Users\June\Desktop\ComboFix.exe
[2011/12/31 14:43:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\June\Desktop\OTL.exe
[2011/12/31 14:21:09 | 000,000,973 | ---- | M] () -- C:\Users\June\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/31 02:35:49 | 000,049,052 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2011/12/31 02:34:30 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2011/12/31 02:30:04 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2011/12/31 00:11:41 | 000,000,732 | ---- | M] () -- C:\Users\June\AppData\Local\d3d9caps64.dat
[2011/12/30 23:59:29 | 000,152,233 | ---- | M] () -- C:\Windows\SysNative\drivers\klin.dat
[2011/12/30 23:59:28 | 000,107,177 | ---- | M] () -- C:\Windows\SysNative\drivers\klick.dat
[2011/12/30 23:50:33 | 000,353,296 | ---- | M] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\klif.sys
[2011/12/23 14:52:26 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\June\Desktop\TDSSKiller.exe

========== Files Created - No Company Name ==========

[2012/01/01 11:47:38 | 000,000,900 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/01/01 11:47:38 | 000,000,888 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/01 10:58:14 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/01/01 10:58:10 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2011/12/31 18:11:07 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/31 18:11:07 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/31 18:11:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/31 18:11:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/31 18:11:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/31 15:31:15 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2011/12/31 14:45:33 | 000,000,134 | ---- | C] () -- C:\Users\June\Desktop\Internet Explorer Troubleshooting.url
[2011/12/31 14:30:58 | 000,000,432 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{BF08CD2D-CEB4-4F04-A569-AB49EA162061}.job
[2011/12/31 13:08:22 | 000,395,723 | ---- | C] () -- C:\Windows\SysNative\onex.tmf
[2011/12/31 13:08:15 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2011/12/31 13:08:07 | 000,009,212 | ---- | C] () -- C:\Windows\SysWow64\RacUR.xml
[2011/12/31 13:08:07 | 000,009,212 | ---- | C] () -- C:\Windows\SysNative\RacUR.xml
[2011/12/31 13:08:07 | 000,000,153 | ---- | C] () -- C:\Windows\SysWow64\RacUREx.xml
[2011/12/31 13:08:07 | 000,000,153 | ---- | C] () -- C:\Windows\SysNative\RacUREx.xml
[2011/12/31 13:07:51 | 000,471,992 | ---- | C] () -- C:\Windows\SysNative\dot3.tmf
[2011/12/31 13:07:40 | 000,700,507 | ---- | C] () -- C:\Windows\SysNative\eaphost.tmf
[2011/12/31 13:07:38 | 000,121,856 | ---- | C] () -- C:\Windows\SysNative\EhStorAuthn.dll
[2011/12/31 13:07:38 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2011/12/31 13:06:20 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2011/12/31 13:06:20 | 000,107,612 | ---- | C] () -- C:\Windows\SysNative\StructuredQuerySchema.bin
[2011/12/31 13:06:18 | 000,262,552 | ---- | C] () -- C:\Windows\SysNative\systemsf.ebd
[2011/12/31 13:06:12 | 000,207,968 | ---- | C] () -- C:\Windows\SysNative\WFP.TMF
[2011/12/31 13:06:07 | 000,092,918 | ---- | C] () -- C:\Windows\SysWow64\slmgr.vbs
[2011/12/31 13:06:07 | 000,092,918 | ---- | C] () -- C:\Windows\SysNative\slmgr.vbs
[2011/12/31 13:06:07 | 000,009,239 | ---- | C] () -- C:\Windows\SysWow64\spcinstrumentation.man
[2011/12/31 13:06:07 | 000,009,239 | ---- | C] () -- C:\Windows\SysNative\spcinstrumentation.man
[2011/12/31 02:45:07 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2011/12/31 02:45:07 | 000,018,904 | ---- | C] () -- C:\Windows\SysNative\StructuredQuerySchemaTrivial.bin
[2011/12/31 02:45:04 | 011,967,524 | ---- | C] () -- C:\Windows\SysWow64\korwbrkr.lex
[2011/12/31 02:45:04 | 011,967,524 | ---- | C] () -- C:\Windows\SysNative\korwbrkr.lex
[2011/12/31 02:38:18 | 000,201,184 | ---- | C] () -- C:\Windows\SysWow64\winrm.vbs
[2011/12/31 02:38:18 | 000,201,184 | ---- | C] () -- C:\Windows\SysNative\winrm.vbs
[2011/12/31 02:38:18 | 000,004,675 | ---- | C] () -- C:\Windows\SysWow64\wsmanconfig_schema.xml
[2011/12/31 02:38:18 | 000,004,675 | ---- | C] () -- C:\Windows\SysNative\wsmanconfig_schema.xml
[2011/12/31 02:38:18 | 000,002,426 | ---- | C] () -- C:\Windows\SysWow64\WsmTxt.xsl
[2011/12/31 02:38:18 | 000,002,426 | ---- | C] () -- C:\Windows\SysNative\WsmTxt.xsl
[2011/12/31 02:34:30 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2011/12/31 02:30:04 | 000,008,192 | R-S- | C] () -- C:\BOOTSECT.BAK
[2011/12/31 02:30:02 | 000,333,257 | RHS- | C] () -- C:\bootmgr
[2011/12/31 00:20:49 | 002,608,861 | ---- | C] () -- C:\Windows\SysNative\wlan.tmf
[2011/12/31 00:05:52 | 000,004,984 | ---- | C] () -- C:\Windows\SysNative\drivers\nvphy.bin
[2011/12/31 00:03:55 | 000,000,973 | ---- | C] () -- C:\Users\June\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/30 23:51:46 | 000,152,233 | ---- | C] () -- C:\Windows\SysNative\drivers\klin.dat
[2011/12/30 23:51:46 | 000,107,177 | ---- | C] () -- C:\Windows\SysNative\drivers\klick.dat
[2011/12/30 23:44:15 | 000,000,949 | ---- | C] () -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2011/12/30 23:44:13 | 000,000,979 | ---- | C] () -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011/12/30 23:44:10 | 000,000,974 | ---- | C] () -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2011/12/30 23:44:00 | 000,000,915 | ---- | C] () -- C:\Users\June\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
[2011/12/30 23:43:57 | 000,000,732 | ---- | C] () -- C:\Users\June\AppData\Local\d3d9caps64.dat
[2011/12/30 23:43:55 | 000,000,258 | ---- | C] () -- C:\Users\June\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/12/30 23:43:55 | 000,000,240 | ---- | C] () -- C:\Users\June\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2008/01/20 21:49:10 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2006/11/02 10:35:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 07:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 07:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 04:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

========== LOP Check ==========

[2012/01/01 18:45:12 | 000,012,284 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/01/01 20:58:00 | 000,000,432 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{BF08CD2D-CEB4-4F04-A569-AB49EA162061}.job

========== Purity Check ==========



< End of report >
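As an added check for threads like this one (example code, not OTL's own and not from the poster), the Python below audits the O1 hosts entries and O17 resolver lines of an OTL report: it flags any resolver outside an allowlist and any hosts entry other than the loopback one. The allowlist (the ISP and OpenDNS addresses from the log above) and the two hijack-style lines marked constructed are assumptions.

```python
"""Audit the DNS-related lines of an OTL report (O1 hosts entries, O17 resolvers).

Added example for this thread; not part of OTL or of the original post.
"""
import re
from dataclasses import dataclass

# Assumption: resolvers the reviewer accepts. These are the ISP-assigned servers
# (DhcpNameServer) and the OpenDNS servers (NameServer) from the posted log.
TRUSTED_RESOLVERS = {
    "24.226.1.93", "24.226.1.94", "24.226.10.193", "24.226.10.194",
    "208.67.222.222", "208.67.220.220",
}

# Loopback addresses: the only hosts mapping a fresh Windows install should carry.
LOOPBACK = {"127.0.0.1", "::1"}

# OTL report line formats, matched against the lines as OTL prints them.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<kind>DhcpNameServer|NameServer) = (?P<servers>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass(frozen=True)
class Finding:
    rule: str    # "unexpected_resolver" or "hosts_redirect"
    value: str   # the address or mapping that triggered the rule
    line: str    # the OTL line it was found on


def split_servers(field: str) -> list[str]:
    """OTL prints DHCP resolvers space-separated and static ones comma-separated."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def audit_otl(lines) -> list[Finding]:
    """One Finding per resolver outside the allowlist and per non-loopback hosts entry."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        m = O17_RE.match(line)
        if m:
            for server in split_servers(m["servers"]):
                if server not in TRUSTED_RESOLVERS:
                    findings.append(Finding("unexpected_resolver", server, line))
            continue
        m = O1_RE.match(line)
        if m:
            ip, host = m["ip"], m["host"].lower()
            if not (host == "localhost" and ip in LOOPBACK):
                findings.append(Finding("hosts_redirect", f"{host} -> {ip}", line))
    return findings


# Sample input. The first three lines are taken from the posted report; the last
# two are constructed to show what a DNS hijack would look like (198.51.100.0/24
# is the TEST-NET-2 documentation range, not a real attacker address).
SAMPLE_LOG_LINES = [
    "O1 - Hosts: 127.0.0.1 localhost",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B0985A9-BC20-4D53-BF43-F7E04751B6FD}: NameServer = 208.67.222.222,208.67.220.220",
    "O1 - Hosts: 198.51.100.10 www.facebook.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID}: NameServer = 198.51.100.53,208.67.222.222",
]

if __name__ == "__main__":
    for f in audit_otl(SAMPLE_LOG_LINES):
        print(f"{f.rule:20} {f.value}")
        print(f"    {f.line}")
```

On the three genuine lines the audit returns nothing, which matches what the log shows: DHCP hands out the ISP's resolvers and the interface is statically pointed at OpenDNS, so the redirects the poster sees are not explained by these two settings alone.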

#2 myrti (Expert, 2,580 posts)
Hi,

Please post the log from ComboFix. Am I to understand that you have a Linux/Windows dual boot? Or did you just work from Linux live CDs when working on the PC with Linux? What distributions do you have at hand?

regards, myrti

#3 myrti (Expert, 2,580 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.