jd500
  1. Hello - I am running Malwarebytes' Anti-Malware version 1.36. My database version is 1945 dated 4/6/09. When I try to "check for updates," I receive an error dialog that says "Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet." I am connected to the internet...able to browse etc. I do have the ZoneAlarm firewall installed but I have double checked that MBAM is allowed access. Please advise on how I can get back to updating and using MBAM. Thanks, JD
  2. Tigger - sure, I'll do that from home later tonight. Thanks - JD
  3. Tigger93 - Here's the mbam log. BTW - this was the first time I was able to run Malwarebytes under its proper name. Things look good from this end. It seems like that last dose of combofix did the trick. Please let me know if there is anything else I need to do. I really appreciate all you did to help me through this. JD

     Malwarebytes' Anti-Malware 1.32
     Database version: 1617
     Windows 5.1.2600 Service Pack 3

     2009-01-05 07:30:22
     mbam-log-2009-01-05 (07-30-22).txt

     Scan type: Quick Scan
     Objects scanned: 64957
     Time elapsed: 9 minute(s), 8 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Tigger - here are the combofix and HJT logs. Notes of interest...on the infected computer, Firefox couldn't download combofix. It found the URL and file okay but the "save" button was disabled. Thanks - JD

     ComboFix 08-12-31.01 - jadavis1 2009-01-01 19:50:28.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1432 [GMT -6:00]
     Running from: d:\documents and settings\jadavis1\Desktop\ComboFix.exe
     AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
     * Created a new restore point
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\winnt\Downloaded Program Files\setup.inf
     c:\winnt\IE4 Error Log.txt
     c:\winnt\system32\hosopovo.dll
     c:\winnt\system32\osakusov.ini
     c:\winnt\system32\pWGhRXyb.ini
     c:\winnt\system32\pWGhRXyb.ini2
     c:\winnt\system32\UACdlvmktiq.dll
     c:\winnt\system32\UACfubqtoep.dll
     c:\winnt\system32\UAClxlujxjx.dll
     c:\winnt\system32\UACmqltodww.dat
     c:\winnt\system32\UACyyfxapto.dll
     c:\winnt\system32\zahuzewi.dll
     d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
     d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
     d:\documents and settings\jadavis1\Local Settings\Temporary Internet Files\fbk.sts

     ----- BITS: Possible infected sites -----

     hxxp://77.74.48.101
     hxxp://JSC-SMSCAP09:8889
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     -------\Service_UACd.sys

     ((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
     .

     2009-01-01 01:44 . 2009-01-01 01:44 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
     2008-12-29 19:46 . 2009-01-01 01:17 135,168 --a------ C:\zip.exe
     2008-12-29 19:46 . 2009-01-01 01:17 19,286 --a------ C:\cleanup.exe
     2008-12-29 19:46 . 2009-01-01 01:17 574 --a------ C:\cleanup.bat
     2008-12-29 19:46 . 2008-12-29 19:46 0 --a------ C:\backup.reg
     2008-12-29 04:23 . 2008-12-29 04:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
     2008-12-29 03:56 . 2008-12-29 04:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
     2008-12-27 21:21 . 2008-12-27 21:22 <DIR> d-------- c:\temp\Zonealarm
     2008-12-27 00:56 . 2008-12-27 00:56 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Malwarebytes
     2008-12-27 00:42 . 2008-12-27 00:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
     2008-12-27 00:42 . 2008-12-03 19:54 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
     2008-12-27 00:42 . 2008-12-03 19:54 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
     2008-12-26 12:10 . 2008-12-26 12:10 2,713 ---hs---- c:\winnt\system32\ridogeku.exe
     2008-12-26 09:21 . 2008-12-27 00:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2008-12-25 03:44 . 2009-01-01 19:54 2,206 --a------ c:\winnt\system32\wpa.dbl
     2008-12-24 22:37 . 2008-12-27 01:06 1,744 --ah----- c:\winnt\system32\karesabi
     2008-12-24 14:08 . 2008-12-24 14:14 <DIR> d-------- c:\temp\Chrome
     2008-12-24 14:06 . 2008-12-29 03:53 <DIR> d-------- c:\temp\Spybot
     2008-12-24 14:06 . 2008-12-24 14:07 <DIR> d-------- c:\temp\Malwarebytes
     2008-12-24 06:33 . 2008-12-29 04:04 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2008-12-24 05:09 . 2008-12-24 05:08 102,664 --a------ c:\winnt\system32\drivers\tmcomm.sys
     2008-12-24 05:08 . 2008-12-24 05:09 <DIR> d-------- d:\documents and settings\jadavis1\.housecall6.6
     2008-12-23 06:02 . 2008-12-23 06:02 <DIR> d-------- c:\program files\Trend Micro
     2008-12-23 06:01 . 2008-12-23 06:02 <DIR> d-------- c:\program files\Hijack This
     2008-12-19 15:04 . 2008-12-19 15:04 <DIR> d-------- c:\program files\Microsoft Works
     2008-12-18 12:54 . 2008-12-18 12:54 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\webex
     2008-12-18 09:03 . 2001-08-17 13:48 12,160 --a------ c:\winnt\system32\drivers\mouhid.sys
     2008-12-18 09:03 . 2001-08-17 13:48 12,160 --a--c--- c:\winnt\system32\dllcache\mouhid.sys
     2008-12-18 09:03 . 2008-04-13 13:45 10,368 --a------ c:\winnt\system32\drivers\hidusb.sys
     2008-12-18 09:03 . 2008-04-13 13:45 10,368 --a--c--- c:\winnt\system32\dllcache\hidusb.sys
     2008-12-18 07:20 . 2008-09-08 04:41 333,824 -----c--- c:\winnt\system32\dllcache\srv.sys
     2008-12-18 07:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\winnt\system32\dllcache\msxml3.dll
     2008-12-18 07:04 . 2008-09-15 06:12 1,846,400 -----c--- c:\winnt\system32\dllcache\win32k.sys
     2008-12-18 07:00 . 2008-08-14 04:11 2,189,184 -----c--- c:\winnt\system32\dllcache\ntoskrnl.exe
     2008-12-18 07:00 . 2008-08-14 04:09 2,145,280 -----c--- c:\winnt\system32\dllcache\ntkrnlmp.exe
     2008-12-18 07:00 . 2008-08-14 03:33 2,066,048 -----c--- c:\winnt\system32\dllcache\ntkrnlpa.exe
     2008-12-18 07:00 . 2008-08-14 03:33 2,023,936 -----c--- c:\winnt\system32\dllcache\ntkrpamp.exe
     2008-12-18 06:55 . 2008-10-24 05:21 455,296 -----c--- c:\winnt\system32\dllcache\mrxsmb.sys
     2008-12-18 06:52 . 2008-12-19 13:05 <DIR> d--h----- c:\winnt\$hf_mig$
     2008-12-15 15:09 . 2008-12-15 15:09 <DIR> d-------- c:\winnt\ms
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\NetworkService\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\LocalService\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\All Users\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\Administrator\Application Data\Intel
     2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d----c--- c:\winnt\system32\DRVSTORE
     2008-12-15 14:55 . 2008-12-15 14:55 21,361 --a------ c:\winnt\system32\drivers\AegisP.sys
     2008-12-15 14:55 . 2008-12-15 14:55 21,361 --a------ c:\winnt\AegisP.sys
     2008-12-15 14:55 . 2008-12-15 14:55 13,984 --a------ c:\winnt\AegisP.inf
     2008-12-15 14:55 . 2008-12-15 14:55 10,640 --a------ c:\winnt\AegisP.cat
     2008-12-15 14:54 . 2008-12-15 14:54 <DIR> d-------- c:\program files\Intel
     2008-12-15 14:10 . 2009-01-01 19:39 <DIR> d-------- c:\winnt\system32\VPCache
     2008-12-15 14:09 . 2008-12-15 14:09 <DIR> d-------- c:\program files\PatchLink
     2008-12-15 14:08 . 2008-12-15 14:09 <DIR> d-------- d:\documents and settings\All Users\Application Data\AtHocGov
     2008-12-15 14:08 . 2008-12-15 14:08 <DIR> d-------- c:\program files\AtHocGov
     2008-12-15 14:02 . 2008-12-15 14:02 <DIR> d-------- d:\documents and settings\jadavis1\Entrust Profile
     2008-12-15 13:58 . 2005-04-07 06:42 <DIR> d--hs---- d:\documents and settings\jadavis1\UserData
     2008-12-15 13:58 . 2007-01-18 09:04 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Talkback
     2008-12-15 13:58 . 2007-02-14 08:49 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\OfficeUpdate12
     2008-12-15 13:58 . 2008-06-16 13:23 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Apple Computer
     2008-12-15 13:58 . 2005-09-21 19:00 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\AdobeUM
     2008-12-15 13:58 . 2008-12-24 05:08 <DIR> d-------- d:\documents and settings\jadavis1
     2008-12-15 13:42 . 2005-04-07 06:42 <DIR> d---s---- d:\documents and settings\dwadyka\UserData
     2008-12-15 13:42 . 2007-01-18 09:04 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\Talkback
     2008-12-15 13:42 . 2007-02-14 08:49 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\OfficeUpdate12
     2008-12-15 13:42 . 2008-06-16 13:23 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\Apple Computer
     2008-12-15 13:42 . 2005-09-21 19:00 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\AdobeUM
     2008-12-15 13:42 . 2008-12-15 13:42 <DIR> d-------- d:\documents and settings\dwadyka
     2008-12-15 13:20 . 2008-12-15 13:20 <DIR> d-------- c:\winnt\SchCache
     2008-12-15 13:19 . 2008-12-15 15:10 <DIR> d-------- c:\winnt\system32\ccmsetup
     2008-12-15 13:19 . 2008-12-15 15:09 <DIR> d-------- c:\winnt\system32\CCM
     2008-12-15 13:15 . 2008-12-15 13:15 <DIR> d-------- d:\documents and settings\tech-tbt\WINDOWS
     2008-12-15 13:15 . 2008-12-15 13:15 <DIR> d-------- c:\program files\QPC
     2008-12-15 13:15 . 2005-08-22 07:06 283,648 --a------ c:\winnt\uninst.exe
     2008-12-15 13:15 . 1998-10-11 11:39 45,056 --a------ c:\winnt\system32\Smtp.dll
     2008-12-15 13:15 . 1999-01-11 18:06 36,864 --a------ c:\winnt\system32\QvtNet.dll
     2008-12-15 13:13 . 2004-08-31 12:29 419,328 --a------ c:\winnt\system32\UDPMulticast.exe
     2008-12-15 13:13 . 2008-08-07 15:59 163,173 --a------ c:\winnt\system32\chkusr.EXE
     2008-12-15 13:13 . 2003-11-26 14:32 40,960 --a------ c:\winnt\system32\dfrgusr.EXE
     2008-12-15 13:13 . 2003-11-26 14:32 24,576 --a------ c:\winnt\system32\srvagnt.exe
     2008-12-15 13:10 . 2008-12-15 13:12 <DIR> d-------- C:\IDS
     2008-12-15 13:10 . 2008-10-22 15:40 51,262 --a------ c:\winnt\system32\srp.ico
     2008-12-15 13:09 . 2005-04-07 06:42 <DIR> d---s---- d:\documents and settings\tech-tbt\UserData
     2008-12-15 13:09 . 2007-01-18 09:04 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\Talkback
     2008-12-15 13:09 . 2007-02-14 08:49 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\OfficeUpdate12
     2008-12-15 13:09 . 2008-06-16 13:23 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\Apple Computer
     2008-12-15 13:09 . 2005-09-21 19:00 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\AdobeUM
     2008-12-15 13:09 . 2008-12-15 13:19 <DIR> d-------- d:\documents and settings\tech-tbt
     2008-12-15 10:31 . 2008-12-15 10:31 4,444 --a------ c:\winnt\system32\pid.PNF

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-12-21 10:04 --------- d-----w c:\program files\Symantec AntiVirus
     2008-12-19 22:36 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
     2008-12-15 19:12 --------- d-----w c:\program files\Timbuktu Pro
     2007-07-22 20:41 161,792 ----a-w c:\winnt\inf\b57xp32.sys
     2007-07-22 20:41 157,648 ----a-w c:\winnt\inf\b57w2k.sys
     2008-07-02 18:36 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
     2008-07-02 18:36 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
     2008-07-02 18:36 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
     2008-07-02 18:36 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
     2008-07-02 18:36 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
     2004-08-04 06:56 73,728 --sha-w c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
     "TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2002-02-08 143360]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
     "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
     "PDDM"="c:\program files\PatchLink\Update Agent\pddm.exe" [2008-04-28 843776]
     "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
     "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
     "AtHocGov"="c:\program files\AtHocGov\AtHocGov.exe" [2008-03-21 537248]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "LogonType"= 0 (0x0)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
     "NoWebServices"= 1 (0x1)
     "NoOnlinePrintsWizard"= 1 (0x1)
     "NoPublishingWizard"= 1 (0x1)
     "NoWelcomeScreen"= 1 (0x1)
     "PreXPSP2ShellProtocolBehavior"= 0 (0x0)

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
     "NoInplaceSharing"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
     "NoAutoUpdate"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IDSnetwork]
     2008-08-11 06:13 86016 c:\ids\bin\IDSnetwork.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
     2002-02-08 22:05 81973 c:\program files\Timbuktu Pro\HOOK32.DLL

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
     "Script"=SMS\SMSGPOShutdown.EXE

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
     "Script"=SMS\SMSGPOStartup.EXE

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "ctfmon.exe"=c:\winnt\system32\ctfmon.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "UpdatesDisableNotify"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Messenger\\Msmsgs.exe"=
     "c:\\Program Files\\Timbuktu Pro\\tb2launch.exe"=
     "c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
     "c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=

     R0 a320raid;a320raid;c:\winnt\system32\DRIVERS\a320raid.sys [2005-04-08 251578]
     R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys []
     R2 ETFSDNT;Entrust File System Hook;\??\c:\winnt\system32\etfsdrv.sys [2004-03-25 52224]
     R2 IDSservice;IDSservice;c:\ids\bin\IDSservice.exe [2008-08-11 200704]
     R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-06-06 116928]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]
     R3 GTIPCI21;GTIPCI21;c:\winnt\system32\DRIVERS\gtipci21.sys [2007-07-19 88192]
     R3 IFXTPM;IFXTPM;c:\winnt\system32\DRIVERS\IFXTPM.SYS [2006-06-05 36352]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     .
     Contents of the 'Scheduled Tasks' folder

     2009-01-02 c:\winnt\Tasks\qtkfwhmj.job
     - c:\winnt\system32\rundll32.exe [2008-04-13 18:12]
     .
     - - - - ORPHANS REMOVED - - - -

     BHO-{0D8FD76A-7499-402F-AB98-97C40808FBA3} - c:\winnt\system32\byXRhGWp.dll__BHODemonDisabled
     HKLM-Run-IDTSysTrayApp - (no file)

     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www6.jsc.nasa.gov
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     Trusted Zone: *.nasa.gov
     Trusted Zone: webmail.jsc.nasa.gov
     FF - ProfilePath - d:\documents and settings\jadavis1\Application Data\Mozilla\Firefox\Profiles\1tlipv7d.default\
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-01-01 19:55:07
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*
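Two things in the ComboFix log above are worth being able to pull out mechanically when triaging a posted log: the per-section lists (the "Other Deletions" block with its run of UAC*-named files under system32) and the "LOCKED REGISTRY KEYS" entry, where ComboFix prints "*NULL*" for every embedded NUL character in a key name that the Win32 registry API cannot open. The following is an added example written for this thread; it is not code from any post here and not ComboFix's own code. It only assumes the header style ("(((( Name ))))", "---- Name ----") and the "*NULL*" notation visible in the log, and SAMPLE_LOG is constructed from a few of its lines.

```python
r"""Split a ComboFix log into named sections and decode "*NULL*" markers.

Added example for this thread (not ComboFix code). Header styles and the
"*NULL*" notation are taken from the log posted above; SAMPLE_LOG is
constructed from a handful of its lines.
"""
import re

# "((((( Other Deletions )))))" and "------ LOCKED REGISTRY KEYS ------"
_PAREN_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
_DASH_HEADER = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")

SAMPLE_LOG = r"""
ComboFix 08-12-31.01 - jadavis1 2009-01-01 19:50:28.1 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\system32\hosopovo.dll
c:\winnt\system32\UACdlvmktiq.dll
c:\winnt\system32\UACmqltodww.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*]
"""


def split_sections(log_text):
    """Map each section name to its non-empty body lines, in log order.

    Lines before the first header are filed under "header"; ComboFix's
    lone "." spacer lines are dropped.
    """
    sections = {"header": []}
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        match = _PAREN_HEADER.match(line) or _DASH_HEADER.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def decode_null_key(key_path):
    """Strip the "*NULL*" markers and report whether any were present.

    A key name with embedded NULs cannot be opened through the Win32
    registry functions, which is why ComboFix lists it as locked; removing
    the markers recovers the name the native API sees.
    """
    return key_path.replace("*NULL*", ""), "*NULL*" in key_path


def locked_keys(sections):
    """(decoded key path, had_nulls) for each [key] under LOCKED REGISTRY KEYS."""
    found = []
    for line in sections.get("LOCKED REGISTRY KEYS", []):
        if not line.startswith("["):
            continue
        body = line[1:-1] if line.endswith("]") else line[1:]  # tolerate a cut-off line
        found.append(decode_null_key(body))
    return found


def deletions_with_prefix(sections, prefixes=("UAC",)):
    """Deleted files whose base name starts with one of the given prefixes
    (the UAC* names in the log above all share one)."""
    return [
        path
        for path in sections.get("Other Deletions", [])
        if path.rsplit("\\", 1)[-1].startswith(prefixes)
    ]


if __name__ == "__main__":
    parsed = split_sections(SAMPLE_LOG)
    print("sections:", list(parsed))
    print("UAC* deletions:", deletions_with_prefix(parsed))
    for path, nulls in locked_keys(parsed):
        print("locked key:", path, "(embedded NULs)" if nulls else "")
```

Run against the full log above, the locked key decodes to a plain word under the ZoneMap\Domains key, and the deletions list makes the shared UAC prefix of the dropped DLLs obvious, which is the sort of pattern a helper looks for before deciding a rootkit family is present.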
  5. Tigger - Looks like that worked. Even though I couldn't see the file...it appears that Avenger could. Let me know what we should do next. Thanks, JD

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.

     Hidden driver "UACd.sys" found!
     ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys
     Start Type: 1 (System)

     Rootkit scan completed.

     File "C:\WINNT\system32\drivers\UACwbpjyeqr.sys" deleted successfully.

     Completed script processing.

     *******************

     Finished! Terminate.
  6. Here's the new log. I don't have a "Windows" directory on my C drive. Maybe that's why it didn't find the file. When I look for the file under \WINNT\system32\drivers, I can't find it either. BTW - I did a find in regedit on "UAC" and found a couple of entries but not this same exact filename. Thanks again for your help...from the traffic on the forum it looks like things are extremely busy right now. JD

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.

     Hidden driver "UACd.sys" found!
     ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys
     Start Type: 1 (System)

     Rootkit scan completed.

     Error: could not open file "C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys"
     Deletion of file "C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Completed script processing.

     *******************

     Finished! Terminate.
  7. Hey Tigger - I was able to get Avenger and run it on the infected PC. Here is the log it generated.

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.

     Hidden driver "UACd.sys" found!
     ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys
     Start Type: 1 (System)

     Rootkit scan completed.

     Error: could not open file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys"
     Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\windows\system32\drivers\tdssserv.sys"
     Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\drivers\TDSSmact.sys"
     Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys"
     Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\TDSSwpyd.dat"
     Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\TDSStkdv.log"
     Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\TDSSotxb.dll"
     Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\TDSScrrn.dll"
     Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\TDSSbvqh.dll"
     Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\system32\TDSSjnmx.dll"
     Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSShrxr.dll"
     Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSkkbi.log"
     Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSlrvd.dat"
     Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSlxwp.dll"
     Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSnmxh.log"
     Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSoiqt.dll"
     Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSrhyp.log"
     Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSrtqp.dll"
     Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSsihc.dll"
     Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "c:\windows\system32\TDSSxfum.dll"
     Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: could not open file "C:\WINDOWS\SYSTEM32\qoMfefde.dll"
     Deletion of file "C:\WINDOWS\SYSTEM32\qoMfefde.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
     Deletion of driver "tdssserv" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
     Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
       --> the object does not exist

     Completed script processing.

     *******************

     Finished! Terminate.
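The three Avenger logs in this thread show one failure mode clearly: the removal script named every file under C:\WINDOWS, but this host's system root is C:\WINNT (the HJT log and post 6 both show that), so each file deletion failed with STATUS_OBJECT_PATH_NOT_FOUND (a parent directory is missing) while the hidden driver's own ImagePath, written as \systemroot\..., resolved without trouble. The registry failures are a different status, STATUS_OBJECT_NAME_NOT_FOUND, meaning the key itself was simply not there. The following is an added example written for this thread; it is not code from any post and not The Avenger's own code. It assumes only the message formats visible in the logs above, takes the real system root as a caller-supplied argument, and uses a SAMPLE_LOG constructed from lines of those logs.

```python
r"""Triage an Avenger log: hidden drivers found, deletions that failed, and
which file failures were caused by a hard-coded Windows directory.

Added example for this thread (not The Avenger's code). Message formats come
from the logs posted above; the system root is supplied by the caller.
SAMPLE_LOG is constructed from lines of those logs.
"""
import re

_HIDDEN = re.compile(r'^Hidden driver "([^"]+)" found!$')
_IMAGE = re.compile(r"^ImagePath: (.+)$")
_FAILED = re.compile(r'^Deletion of (file|driver|registry key) "([^"]+)" failed!$')
_STATUS = re.compile(r"^Status: 0x([0-9a-fA-F]{8}) \((\w+)\)")

SAMPLE_LOG = r"""
Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys
Start Type: 1 (System)

Rootkit scan completed.

Error: could not open file "C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys"
Deletion of file "C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.
"""


def parse_avenger_log(log_text):
    """Return {"hidden_drivers": [(service, image_path)], "failures": [...]}.

    Each failure is {"kind", "target", "status", "name"}; the Status line
    that follows a "Deletion of ... failed!" line is attached to it.
    """
    drivers, failures = [], []
    pending_driver = None
    pending_failure = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _HIDDEN.match(line):
            pending_driver = m.group(1)
        elif (m := _IMAGE.match(line)) and pending_driver is not None:
            drivers.append((pending_driver, m.group(1)))
            pending_driver = None
        elif m := _FAILED.match(line):
            pending_failure = {"kind": m.group(1), "target": m.group(2)}
        elif (m := _STATUS.match(line)) and pending_failure is not None:
            pending_failure["status"] = int(m.group(1), 16)
            pending_failure["name"] = m.group(2)
            failures.append(pending_failure)
            pending_failure = None
    return {"hidden_drivers": drivers, "failures": failures}


def resolve_systemroot(path, system_root):
    r"""Map a kernel-style \systemroot\... path (as in the ImagePath line)
    onto a Win32 path under the real system root."""
    prefix = "\\systemroot\\"
    if path.lower().startswith(prefix):
        return system_root.rstrip("\\") + "\\" + path[len(prefix):]
    return path


def misrooted_targets(failures, system_root):
    r"""Failed file deletions whose target assumes a Windows directory other
    than system_root, each paired with the corrected path.

    Only STATUS_OBJECT_PATH_NOT_FOUND failures qualify: that status means a
    parent directory is missing, the symptom of a hard-coded C:\WINDOWS on a
    host whose system root lives elsewhere.
    """
    root = system_root.rstrip("\\")
    fixes = []
    for f in failures:
        if f["kind"] != "file" or f["name"] != "STATUS_OBJECT_PATH_NOT_FOUND":
            continue
        parts = f["target"].split("\\")  # ["C:", "WINDOWS", "system32", ...]
        if len(parts) > 2 and parts[2].lower() == "system32":
            assumed_root = "\\".join(parts[:2])
            if assumed_root.lower() != root.lower():
                fixes.append((f["target"], root + "\\" + "\\".join(parts[2:])))
    return fixes


if __name__ == "__main__":
    root = "C:\\WINNT"  # this thread's host; normally read %SystemRoot% on the machine
    report = parse_avenger_log(SAMPLE_LOG)
    for service, image in report["hidden_drivers"]:
        print("hidden driver", service, "->", resolve_systemroot(image, root))
    for bad, good in misrooted_targets(report["failures"], root):
        print("script named", bad, "; this host has it at", good)
```

The practical lesson for anyone writing removal scripts is the one the driver itself demonstrates: refer to the Windows directory through %SystemRoot% (or \systemroot\ in kernel-style paths) rather than a literal C:\WINDOWS, and treat a run of STATUS_OBJECT_PATH_NOT_FOUND results as a path problem to fix before concluding the files are gone.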
  8. Sorry. I think I did the wrong kind of reply. What I was trying to tell you was that I tried the URL you provided to download The Avenger. My infected computer would not take me there with either Firefox or Internet Explorer. Firefox says "Done" but the screen is blank. IE gave some kind of error screen. I am going to try to download the file on my good computer and transfer it via a memory stick. I'll let you know either way. Thanks, JD
  9. Hello, I had Spyware Guard 2008. I was able to remove it (and others) using Malwarebytes after running it from the command line under a different name. I am unable to run Spybot S&D. It installs but when I attempt to run it, the process shows up in Task manager but...no user interface ever appears. I am also unable to get to certain websites from IE or Firefox. I do NOT have the TDSServ driver listed in device manager but I'm fairly certain that there is some residual infection. Please help. Thanks, JD

     Here is my HJT log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 6:13:31 PM, on 12/28/2008
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16705)
     Boot mode: Normal

     Running processes:
     C:\WINNT\System32\smss.exe
     C:\WINNT\system32\winlogon.exe
     C:\WINNT\system32\services.exe
     C:\WINNT\system32\lsass.exe
     C:\WINNT\system32\Ati2evxx.exe
     C:\WINNT\system32\svchost.exe
     C:\WINNT\System32\svchost.exe
     C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     C:\WINNT\system32\spoolsv.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\WINNT\etlisrv.exe
     C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     C:\IDS\bin\IDSservice.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\Program Files\PatchLink\Update Agent\GravitixService.exe
     C:\WINNT\system32\Ati2evxx.exe
     C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     C:\Program Files\Symantec AntiVirus\SavRoam.exe
     C:\WINNT\System32\snmp.exe
     C:\Program Files\Timbuktu Pro\tb2launch.exe
     C:\WINNT\system32\CCM\CcmExec.exe
     C:\WINNT\Explorer.EXE
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\Program Files\Timbuktu Pro\tb2logon.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\Program Files\PatchLink\Update Agent\pddm.exe
     C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
     C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\Program Files\AtHocGov\AtHocGov.exe
     C:\WINNT\system32\ctfmon.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINNT\system32\rundll32.exe
     C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
     C:\WINNT\system32\userinit.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.nasa.gov
     O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190146034221
     O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nasa.webex.com/client/T26L/webex/ieatgpc.cab
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jsc.nasa.gov
     O17 - HKLM\Software\..\Telephony: DomainName = jsc.nasa.gov
     O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jsc.nasa.gov
     O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = jsc.nasa.gov
     O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = jsc.nasa.gov
     O20 - Winlogon Notify: IDSnetwork - C:\IDS\bin\IDSnetwork.dll
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
     O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe
     O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     O23 - Service: IDSservice - Unknown owner - C:\IDS\bin\IDSservice.exe
     O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
     O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
     O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe

     --
     End of file - 6804 bytes
  10. Hello. Per the guidance on other posts on this forum, I was able to get the persistent Spywareguard 2008 removed from my laptop. I am still having some trouble though. For one thing, I cannot get Malwarebytes or Spybot to run using their normal installations and my browsers are still being redirected away from anti-malware sites...like this one. The only way I was able to get Malwarebytes to run was to install it under a different name and run it using a renamed executable from the Run command box. I can't seem to figure out a way to do that for Spybot because its executable isn't as easy to identify as Malwarebytes'. I can install Spybot 1.6.0 okay but when I try to run it, I get an hourglass mouse pointer and the program doesn't show up...but the process is running in Task Manager. If you have any further guidance on how I should proceed, it would be greatly appreciated. Things are much better, but I'm not out of the woods yet. Thanks, JD
  11. Hi. I have the same problem as MWare. I've been battling it for days and had the highest hopes once I found this thread. However, during the step of installing '12setup' on the infected computer, the installation process hung...seemingly near the end, waiting for installation to complete. I tried running the install.bat file anyway but that seemed to have no effect, and any attempt to run the Malwarebytes program just results in an hourglass mouse pointer and...nothing. The processes show up in Task Manager but there is no user interface. Please help if you can. I would really like to get Spywareguard off of my PC. Thank you, JD