[Inactive] Infected With TDSS Rootkit

[Hoov]

One of the staff that lives in Eastern Washington also reports some connectivity issues during the same time, although not nearly as long. That makes me thing one of the backbone routers was down. It has happened in my area as well. The outages can last from minutes to months causing gaps in the network.

Having longer boot times after running combofix seems wrong. I don't recall anyone else having that problem.  Were you able to get msconfig to run?

[soupman]

Hi Hoov,

Thanks for the connectivity update. All Greek to me.

Sorry, not sure what you mean by "run". I haven't gone further than I reported originally;
(Followed your instructions to the point of clicking apply and got a Sys Config box that said "An access denied error was returned while attempting to change a sevice. You may need to log on using an Administrator account to make the specified changes." I put everything back the way it was and exited without restart.)
Would it help to know that the same "End Program" box appeared when restarting in the second account also?

As for the longer boot time...would it help you to know exactly what stages of restart seem to be taking a long or longer time?... How about the fact that it wasn't exactly quick as a bunny to start with?

[Hoov]

It would help to know what part of the reboot is taking so long.

Can you boot to safe mode and then go to the run command and type in msconfig and then hit enter. See if you get the same Admin message. Reboot back to windows normally and let me know.

[soupman]

Hi Hoov,

Can I move those two logs off the safe mode desktop to a thumbdrive and send them to you?

[Hoov]

Which two logs? The problem we are running into is that you cannot run msconfig because the Admin rights are not correct. If you can run msconfig in safe mode, that will help determine why it will not run normally.

[soupman]

Sorry, I know you work with a lot of folks at the same time. The two logs you told me to leave on the safe mode desktop in Reply #17 on May 15.

I understand our current part.

[Hoov]

You already gave me those logs in your very next post. I then told you that your event viewer logs were clean starting on the 13th.  See post #19, that is where I asked for you to run msconfig. Everything that we had done to that point was now no longer needed. The reason for trying to run msconfig is to find out what is causing the long boot times. I think somewhere there was a miscommunication. Sorry.

[soupman]

1. Sorry again, Hoov. I'm talking about the McAfee and Malwarebytes scans in Reply #14. You probably don't want them but, if so, I saved them to a thumbdrive.

2. Went to msconfig in safe mode, logged in as Admin, followed your previous instructions again to the same point of clicking "apply", and got the same result.
Note; The End Program box is gone again. Once again, I don't know when it stopped.

3. As for the boot time, I want to say there are two areas that are considerably longer.
a) The black Win XP screen with the progress bar.
b) After I log on at the welcome screen and it's loading my settings.

[Hoov]

Can you create a new user with Admin rights? If you can, reboot the computer and logon to that user account and see if the boot time is the same. If it is, try running msconfig and see if you can follow the previous instructions in that profile.

[soupman]

Yes, created. Yes, boot time seemed the same. Msconfig did exactly the same thing. When I logged out of the test account and tryed to log into my account I got a blue screen.
Stop code 0x0000008E (0xc0000005, 0x00000400,0xADF6171c,0x00000000)
Beginning dump of physical memory

I did notice that while I was successfully rebooting to my account that it took a long time at the welcome screen. It had to think for awhile. Maybe I clicked on my account to soon the first time?

[Hoov]

Please go into your device manager and see if there are any hardware problems (yellow exclamation or red x next to a device) and if there is, let me know.

We need to see some information about what is happening in your machine.  Please perform the following scan:

• Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • DDS.scr
    
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
• Notepad will open with the results.
• Please copy and paste both logs into your next response. You may need more than one response.
• Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet. 

Information on A/V control HERE

[soupman]

Nothing but + signs in device manager.

I will run scan as requested.

Within the next 48 hrs I will have another computer moving into the house. We will share my Internet connection via wireless router. Any problems with this?

[Hoov]

As long as you have proper protection on the new computer you should be fine.

[soupman]

Hi Hoov,
Scans as requested;

DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Rand at 19:08:33 on 2011-06-02
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedLite.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Documents and Settings\Rand\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] "c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://vmware.webex.com/client/T27L10NSP11EP13/webex/ieatgpc.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R? Lbd;Lbd
R? McSysmon;McAfee SystemGuards
R? mfesmfk;McAfee Inc. mfesmfk
R? RUBotted;Trend Micro RUBotted Service
R? TMPassthru;Trend Micro Passthru Ndis Service
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? McProxy;McAfee Proxy Service
S? McShield;McAfee Real-time Scanner
S? mfeavfk;McAfee Inc. mfeavfk
S? mfebopk;McAfee Inc. mfebopk
S? mfehidk;McAfee Inc. mfehidk
S? mferkdk;McAfee Inc. mferkdk
S? TMPassthruMP;TMPassthruMP
S? WinDefend;Windows Defender
.
=============== Created Last 30 ================
.
2011-05-31 11:55:28   6962000   ----a-w-   c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{cbb83df0-904b-4304-a7ca-16da1ff000e7}\mpengine.dll
2011-05-10 21:43:30   40648   ----a-w-   c:\windows\system32\drivers\mfesmfk.sys
2011-05-10 20:37:36   --------   d-----w-   c:\windows\system32\CatRoot2
2011-05-09 22:13:33   --------   d-sha-r-   C:\cmdcons
2011-05-09 22:08:33   89088   ----a-w-   c:\windows\MBR.exe
2011-05-09 22:08:32   98816   ----a-w-   c:\windows\sed.exe
2011-05-09 22:08:32   256512   ----a-w-   c:\windows\PEV.exe
2011-05-09 22:08:32   161792   ----a-w-   c:\windows\SWREG.exe
2011-05-06 20:25:32   388096   ----a-r-   c:\documents and settings\rand\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
.
==================== Find3M  ====================
.
2011-05-10 12:10:59   40112   ----a-w-   c:\windows\avastSS.scr
2011-05-10 12:03:54   441176   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-04-23 00:54:01   348160   ----a-w-   c:\windows\system32\msvcr71.dll
2011-04-21 17:28:51   16968   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2011-03-30 17:51:44   34376   ----a-w-   c:\windows\system32\drivers\mferkdk.sys
2011-03-30 17:51:42   216008   ----a-w-   c:\windows\system32\drivers\mfehidk.sys
2011-03-30 17:51:36   80136   ----a-w-   c:\windows\system32\drivers\mfeavfk.sys
2011-03-30 17:51:36   35368   ----a-w-   c:\windows\system32\drivers\mfebopk.sys
2011-03-18 17:33:19   71072   ----a-w-   c:\windows\CouponPrinter.ocx
2011-03-07 05:33:50   692736   ----a-w-   c:\windows\system32\inetcomm.dll
.
============= FINISH: 19:09:53.14 ===============

[Hoov]

I think I found one problem, and I have no idea why I did not notice it right from the getgo. You have both Avast and McAfee running at the same time. You need to uninstall one of them. Two antivirus's running at the same time is a bad thing and can cause stability problems.