
Malware Problem


Nolan36


Hello,

I've currently had a lot of problems with malware and think I've gotten rid of most of them. It's just that one thing keeps creating itself after I delete it with Malwarebytes. It's called Rootkit.TDSS, tdlcmd.dll and it keeps appearing after every scan. It redirects my search engine results and I've found my Windows firewall magically disabled. I'd appreciate any help I can get cleaning my PC. Thanks in advance, here are the logs:

Malwarebytes' Anti-Malware 1.41

Database version: 3255

Windows 5.1.2600 Service Pack 3

11/29/2009 8:26:56 AM

mbam-log-2009-11-29 (08-26-56).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 388847

Time elapsed: 1 hour(s), 5 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 48

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP180\A0038883.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP180\A0038913.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP180\A0038956.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP180\A0039005.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP180\A0038963.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP180\A0038920.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP181\A0039046.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP181\A0039059.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP181\A0039067.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP181\A0039075.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP181\A0039102.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP182\A0039144.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP182\A0039106.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP182\A0039117.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP182\A0039175.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP182\A0039190.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP183\A0039194.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP183\A0039202.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP183\A0039214.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP183\A0039223.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP184\A0039379.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP184\A0039396.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP184\A0039405.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP186\A0039519.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP186\A0039542.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP186\A0039555.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP186\A0039574.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP187\A0039631.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP187\A0039642.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP187\A0039669.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP187\A0039687.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP188\A0039720.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP188\A0039709.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP188\A0039732.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP189\A0039772.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP189\A0039791.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP190\A0039833.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP190\A0039815.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP190\A0039850.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP190\A0039864.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP190\A0039885.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP191\A0039897.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP191\A0039911.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP191\A0039928.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP191\A0039966.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP192\A0040244.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9403B741-CDD5-4644-BE96-C6DB713B963B}\RP192\A0040256.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS.0\system32\tdlcmd.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

DDS (Ver_09-11-29.01) - NTFSx86

Run by Bj


A quick status update, since it has been 48 hours. Problem still there, tdlcmd.dll keeps returning after every mbam scan and removal. Windows firewall keeps getting stopped; when I click on it via control panel a message pops up:

"Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? Yes No".

Oh and I have the "attach.txt" log if needed. Would really appreciate some help with this <_< .


Hello Nolan36.

Do let me know if you have recently done a Windows repair install, as your Windows folder indicates that.

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Nolan36 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Please start with the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Next,

Download this >> file << & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller:

----

Start NOTEPAD and copy/paste the text in the quotebox below into it:

@ECHO OFF
REM Run TDSSKiller, write a verbose log to Logit.txt, and wait for it to finish
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the log in the default text editor
START Logit.txt
REM Delete this batch file (%0 is its own path)
del %0

Save this as fix.bat. Choose "Save type as - All Files".


Double click on fix.bat & allow it to run.

Step 4

Next, download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar.
  • Please double-click OTL.exe to run it.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Step 5

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Step 6

Then copy/paste the following into your post (in order):

  • the contents of Logit.txt
  • OTL.txt
  • Extras.txt
  • checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Hey, thanks for your reply. A Windows repair install? I had to re-install Windows a few months ago because it wasn't working anymore, if you mean that. Anyways, here are the logs:

Host Name: BJORN-CA4D4CD76

OS Name: Microsoft Windows XP Professional

OS Version: 5.1.2600 Service Pack 3 Build 2600

OS Manufacturer: Microsoft Corporation

OS Configuration: Standalone Workstation

OS Build Type: Multiprocessor Free

Registered Owner: Bjorn's Computer

Registered Organization:

Product ID: 76487-OEM-0011903-00228

Original Install Date: 4/25/2009, 6:18:16 AM

System Up Time: 0 Days, 3 Hours, 3 Minutes, 27 Seconds

System Manufacturer: alienware

System Model: alienware

System type: X86-based PC

Processor(s): 1 Processor(s) Installed.

[01]: x86 Family 15 Model 35 Stepping 2 AuthenticAMD ~2211 Mhz

BIOS Version: Nvidia - 42302e31

Windows Directory: C:\WINDOWS.0

System Directory: C:\WINDOWS.0\system32

Boot Device: \Device\HarddiskVolume1

System Locale: en-us;English (United States)

Input Locale: en-us;English (United States)

Time Zone: (GMT-05:00) Eastern Time (US & Canada)

Total Physical Memory: 2,047 MB

Available Physical Memory: 1,548 MB

Virtual Memory: Max Size: 2,048 MB

Virtual Memory: Available: 2,000 MB

Virtual Memory: In Use: 48 MB

Page File Location(s): C:\pagefile.sys

Domain: WORKGROUP

Logon Server: \\BJORN-CA4D4CD76

Hotfix(s): 168 Hotfix(s) Installed.


NetWork Card(s): 4 NIC(s) Installed.

[01]: NVIDIA nForce Networking Controller

Connection Name: Local Area Connection 2

Status: Media disconnected

[02]: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller

Connection Name: Local Area Connection

DHCP Enabled: Yes

DHCP Server: 192.168.2.1

IP address(es)

[01]: 192.168.2.100

[03]: 1394 Net Adapter

Connection Name: 1394 Connection

DHCP Enabled: Yes

DHCP Server: N/A

IP address(es)

[04]: Cisco Systems VPN Adapter

Connection Name: Local Area Connection 3

14:46:19:765 2488 ForceUnloadDriver: NtUnloadDriver error 2

14:46:19:765 2488 ForceUnloadDriver: NtUnloadDriver error 2

14:46:19:765 2488 ForceUnloadDriver: NtUnloadDriver error 2

14:46:19:765 2488 main: Driver KLMD successfully dropped

14:46:19:781 2488 main: Driver KLMD successfully loaded

14:46:19:781 2488

Scanning Registry ...

14:46:19:796 2488 ScanServices: Searching service UACd.sys

14:46:19:796 2488 ScanServices: Open/Create key error 2

14:46:19:796 2488 ScanServices: Searching service TDSSserv.sys

14:46:19:796 2488 ScanServices: Open/Create key error 2

14:46:19:796 2488 ScanServices: Searching service gaopdxserv.sys

14:46:19:796 2488 ScanServices: Open/Create key error 2

14:46:19:796 2488 ScanServices: Searching service gxvxcserv.sys

14:46:19:796 2488 ScanServices: Open/Create key error 2

14:46:19:796 2488 ScanServices: Searching service MSIVXserv.sys

14:46:19:796 2488 ScanServices: Open/Create key error 2

14:46:19:796 2488 UnhookRegistry: Kernel module file name: C:\windows.0\system32\ntkrnlpa.exe, base addr: 804D7000

14:46:19:796 2488 UnhookRegistry: Kernel local addr: 12C0000

14:46:19:812 2488 UnhookRegistry: KeServiceDescriptorTable addr: 1345700

14:46:19:890 2488 UnhookRegistry: KiServiceTable addr: 12ED460

14:46:19:890 2488 UnhookRegistry: NtEnumerateKey service number (local): 47

14:46:19:890 2488 UnhookRegistry: NtEnumerateKey local addr: 140CFF2

14:46:19:906 2488 KLMD_OpenDevice: Trying to open KLMD device

14:46:19:906 2488 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey

14:46:19:906 2488 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]

14:46:19:906 2488 UnhookRegistry: NtEnumerateKey service number (kernel): 47

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]

14:46:19:906 2488 UnhookRegistry: NtEnumerateKey real addr: 80623FF2

14:46:19:906 2488 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2

14:46:19:906 2488 UnhookRegistry: No SDT hooks found on NtEnumerateKey

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]

14:46:19:906 2488 UnhookRegistry: No splicing found on NtEnumerateKey

14:46:19:906 2488

Scanning Kernel memory ...

14:46:19:906 2488 KLMD_OpenDevice: Trying to open KLMD device

14:46:19:906 2488 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk

14:46:19:906 2488 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

14:46:19:906 2488 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A845AA8

14:46:19:906 2488 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects

14:46:19:906 2488 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8A7DAC68

14:46:19:906 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7DAC68

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A7DAC68[0x38]

14:46:19:906 2488 DetectCureTDL3: DRIVER_OBJECT addr: 8A845AA8

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A845AA8[0xA8]

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0xE10353F0[0x208]

14:46:19:906 2488 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

14:46:19:906 2488 DetectCureTDL3: IrpHandler (0) addr: B810EBB0

14:46:19:906 2488 DetectCureTDL3: IrpHandler (1) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (2) addr: B810EBB0

14:46:19:906 2488 DetectCureTDL3: IrpHandler (3) addr: B8108D1F

14:46:19:906 2488 DetectCureTDL3: IrpHandler (4) addr: B8108D1F

14:46:19:906 2488 DetectCureTDL3: IrpHandler (5) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (6) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (7) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (8) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (9) addr: B81092E2

14:46:19:906 2488 DetectCureTDL3: IrpHandler (10) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (11) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (12) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (13) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (14) addr: B81093BB

14:46:19:906 2488 DetectCureTDL3: IrpHandler (15) addr: B810CF28

14:46:19:906 2488 DetectCureTDL3: IrpHandler (16) addr: B81092E2

14:46:19:906 2488 DetectCureTDL3: IrpHandler (17) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (18) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (19) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (20) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (21) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (22) addr: B810AC82

14:46:19:906 2488 DetectCureTDL3: IrpHandler (23) addr: B810F99E

14:46:19:906 2488 DetectCureTDL3: IrpHandler (24) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (25) addr: 804F4562

14:46:19:906 2488 DetectCureTDL3: IrpHandler (26) addr: 804F4562

14:46:19:906 2488 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

14:46:19:906 2488 KLMD_ReadMem: DeviceIoControl error 1

14:46:19:906 2488 TDL3_StartIoHookDetect: Unable to get StartIo handler code

14:46:19:906 2488 TDL3_FileDetect: Processing driver: Disk

14:46:19:906 2488 TDL3_FileDetect: Parameters: C:\WINDOWS.0\system32\drivers\disk.sys, C:\WINDOWS.0\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

14:46:19:906 2488 TDL3_FileDetect: Processing driver file: C:\WINDOWS.0\system32\drivers\disk.sys

14:46:19:906 2488 KLMD_CreateFileW: Trying to open file C:\WINDOWS.0\system32\drivers\disk.sys

14:46:19:921 2488 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A858030

14:46:19:921 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A858030

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A858030[0x38]

14:46:19:921 2488 DetectCureTDL3: DRIVER_OBJECT addr: 8A845AA8

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A845AA8[0xA8]

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0xE10353F0[0x208]

14:46:19:921 2488 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

14:46:19:921 2488 DetectCureTDL3: IrpHandler (0) addr: B810EBB0

14:46:19:921 2488 DetectCureTDL3: IrpHandler (1) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (2) addr: B810EBB0

14:46:19:921 2488 DetectCureTDL3: IrpHandler (3) addr: B8108D1F

14:46:19:921 2488 DetectCureTDL3: IrpHandler (4) addr: B8108D1F

14:46:19:921 2488 DetectCureTDL3: IrpHandler (5) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (6) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (7) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (8) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (9) addr: B81092E2

14:46:19:921 2488 DetectCureTDL3: IrpHandler (10) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (11) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (12) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (13) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (14) addr: B81093BB

14:46:19:921 2488 DetectCureTDL3: IrpHandler (15) addr: B810CF28

14:46:19:921 2488 DetectCureTDL3: IrpHandler (16) addr: B81092E2

14:46:19:921 2488 DetectCureTDL3: IrpHandler (17) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (18) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (19) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (20) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (21) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (22) addr: B810AC82

14:46:19:921 2488 DetectCureTDL3: IrpHandler (23) addr: B810F99E

14:46:19:921 2488 DetectCureTDL3: IrpHandler (24) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (25) addr: 804F4562

14:46:19:921 2488 DetectCureTDL3: IrpHandler (26) addr: 804F4562

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

14:46:19:921 2488 KLMD_ReadMem: DeviceIoControl error 1

14:46:19:921 2488 TDL3_StartIoHookDetect: Unable to get StartIo handler code

14:46:19:921 2488 TDL3_FileDetect: Processing driver: Disk

14:46:19:921 2488 TDL3_FileDetect: Parameters: C:\WINDOWS.0\system32\drivers\disk.sys, C:\WINDOWS.0\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys

14:46:19:921 2488 TDL3_FileDetect: Processing driver file: C:\WINDOWS.0\system32\drivers\disk.sys

14:46:19:921 2488 KLMD_CreateFileW: Trying to open file C:\WINDOWS.0\system32\drivers\disk.sys

14:46:19:921 2488 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A7E3AB8

14:46:19:921 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7E3AB8

14:46:19:921 2488 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A812BC8

14:46:19:921 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A812BC8

14:46:19:921 2488 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A85A030

14:46:19:921 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A85A030

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A85A030[0x38]

14:46:19:921 2488 DetectCureTDL3: DRIVER_OBJECT addr: 8A7E5900

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A7E5900[0xA8]

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0xE1022060[0x208]

14:46:19:921 2488 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata

14:46:19:921 2488 DetectCureTDL3: IrpHandler (0) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (1) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (2) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (3) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (4) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (5) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (6) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (7) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (8) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (9) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (10) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (11) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (12) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (13) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (14) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (15) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (16) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (17) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (18) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (19) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (20) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (21) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (22) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (23) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (24) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (25) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: IrpHandler (26) addr: B7F1FCB4

14:46:19:921 2488 DetectCureTDL3: All IRP handlers pointed to one addr: B7F1FCB4

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0xB7F1FCB4[0x400]

14:46:19:921 2488 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A7E52CC[0x4]

14:46:19:921 2488 TDL3_IrpHookDetect: New IrpHandler addr: 8A803F61

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A803F61[0x400]

14:46:19:921 2488 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120

14:46:19:921 2488 Driver "nvata" Irp handler infected by TDSS rootkit ... 14:46:19:921 2488 KLMD_WriteMem: Trying to WriteMemory 0x8A803FE7[0xD]

14:46:19:921 2488 cured

14:46:19:921 2488 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

14:46:19:921 2488 KLMD_ReadMem: DeviceIoControl error 1

14:46:19:921 2488 TDL3_StartIoHookDetect: Unable to get StartIo handler code

14:46:19:921 2488 TDL3_FileDetect: Processing driver: nvata

14:46:19:921 2488 TDL3_FileDetect: Parameters: C:\WINDOWS.0\system32\drivers\nvata.sys, C:\WINDOWS.0\system32\Drivers\tsk_nvata.sys, SYSTEM\CurrentControlSet\Services\nvata, system32\Drivers\tsk_nvata.sys

14:46:19:921 2488 TDL3_FileDetect: Processing driver file: C:\WINDOWS.0\system32\drivers\nvata.sys

14:46:19:921 2488 KLMD_CreateFileW: Trying to open file C:\WINDOWS.0\system32\drivers\nvata.sys

14:46:19:937 2488 File C:\WINDOWS.0\system32\drivers\nvata.sys infected by TDSS rootkit ... 14:46:19:937 2488 TDL3_FileCure: Processing driver file: C:\WINDOWS.0\system32\drivers\nvata.sys

14:46:19:937 2488 KLMD_CreateFileW: Trying to open file C:\WINDOWS.0\system32\drivers\nvata.sys

14:46:19:937 2488 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS.0\system32\Drivers\tsk_nvata.sys

14:46:19:953 2488 TDL3_FileCure: Image path (system32\Drivers\tsk_nvata.sys) was set for service (SYSTEM\CurrentControlSet\Services\nvata)

14:46:19:953 2488 TDL3_FileCure: KLMD_PendCopyFileW (C:\WINDOWS.0\system32\Drivers\tsk_nvata.sys, C:\WINDOWS.0\system32\drivers\nvata.sys) success

14:46:19:953 2488 will be cured on next reboot

14:46:19:953 2488 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A825AB8

14:46:19:953 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A825AB8

14:46:19:953 2488 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A846AC0

14:46:19:953 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A846AC0

14:46:19:953 2488 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A845030

14:46:19:953 2488 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A845030

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A845030[0x38]

14:46:19:953 2488 DetectCureTDL3: DRIVER_OBJECT addr: 8A7E5900

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A7E5900[0xA8]

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0xE1022060[0x208]

14:46:19:953 2488 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata

14:46:19:953 2488 DetectCureTDL3: IrpHandler (0) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (1) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (2) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (3) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (4) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (5) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (6) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (7) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (8) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (9) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (10) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (11) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (12) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (13) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (14) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (15) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (16) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (17) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (18) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (19) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (20) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (21) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (22) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (23) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (24) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (25) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: IrpHandler (26) addr: B7F1FCB4

14:46:19:953 2488 DetectCureTDL3: All IRP handlers pointed to one addr: B7F1FCB4

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0xB7F1FCB4[0x400]

14:46:19:953 2488 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A7E52CC[0x4]

14:46:19:953 2488 TDL3_IrpHookDetect: New IrpHandler addr: 8A803F61

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0x8A803F61[0x400]

14:46:19:953 2488 TDL3_IrpHookDetect: TDL3 is already cured

14:46:19:953 2488 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]

14:46:19:953 2488 KLMD_ReadMem: DeviceIoControl error 1

14:46:19:953 2488 TDL3_StartIoHookDetect: Unable to get StartIo handler code

14:46:19:953 2488 TDL3_FileDetect: Processing driver: nvata

14:46:19:953 2488 TDL3_FileDetect: Parameters: C:\WINDOWS.0\system32\drivers\tsk_nvata.sys, C:\WINDOWS.0\system32\Drivers\tsk_tsk_nvata.sys, SYSTEM\CurrentControlSet\Services\nvata, system32\Drivers\tsk_tsk_nvata.sys

14:46:19:953 2488 TDL3_FileDetect: Processing driver file: C:\WINDOWS.0\system32\drivers\tsk_nvata.sys

14:46:19:953 2488 KLMD_CreateFileW: Trying to open file C:\WINDOWS.0\system32\drivers\tsk_nvata.sys

14:46:19:953 2488

Completed

Results:

14:46:19:953 2488 Infected objects in memory: 1

14:46:19:953 2488 Cured objects in memory: 1

14:46:19:953 2488 Infected objects on disk: 1

14:46:19:953 2488 Objects on disk cured on reboot: 1

14:46:19:953 2488 Objects on disk deleted on reboot: 0

14:46:19:953 2488 Registry nodes deleted on reboot: 0

14:46:19:953 2488

OTL logfile created on: 12/9/2009 2:50:49 PM - Run 1

OTL by OldTimer - Version 3.1.12.0 Folder = C:\Documents and Settings\Bj

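An added example, not part of this thread and not code from Kaspersky's TDSSKiller: a Python parser that reads TDSSKiller-style log lines and applies the first-stage heuristic the log above makes visible, all 27 IRP_MJ_* dispatch slots of a DRIVER_OBJECT pointing at one address, then collects the infected/cured/pending-reboot status per driver. The sample log is constructed to mirror the nvata block quoted above; the second driver ("disk") and its addresses are hypothetical. The caveat worth keeping: an identical dispatch table is only a candidate signal, since a clean driver can route most majors through one routine, and TDSSKiller confirms by reading the code at that address and matching the TDL3 stub (the "TDL3 Stub signature found" line), so the parser records that confirmation separately.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Windows XP defines IRP major function codes 0..26 (IRP_MJ_MAXIMUM_FUNCTION = 0x1b),
# which is why TDSSKiller prints 27 "IrpHandler (n)" lines per DRIVER_OBJECT.
IRP_MJ_COUNT = 27

# TDSSKiller lines look like "14:46:19:953 2488 <component>: <message>".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<msg>.*)$")
NAME_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (?P<obj>\S+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
MEM_INFECTED_RE = re.compile(r'Driver "(?P<name>[^"]+)" Irp handler infected by TDSS rootkit')
FILE_INFECTED_RE = re.compile(r"^File (?P<path>.+?) infected by TDSS rootkit")


@dataclass
class DriverReport:
    name: str
    object_name: str = ""
    handlers: Dict[int, str] = field(default_factory=dict)
    stub_signature_found: bool = False   # TDSSKiller matched the TDL3 stub at the handler address
    memory_infected: bool = False        # in-memory IRP hook detected
    memory_cured: bool = False           # hook patched out (KLMD_WriteMem) in this run
    infected_file: Optional[str] = None  # driver file on disk carrying the infector
    file_cure_pending_reboot: bool = False

    @property
    def all_handlers_identical(self) -> bool:
        # Stage-1 heuristic: every IRP_MJ_* slot points at the same routine.
        # Candidate only; a clean driver may also share one dispatch routine.
        return len(self.handlers) == IRP_MJ_COUNT and len(set(self.handlers.values())) == 1

    @property
    def common_handler(self) -> Optional[str]:
        return next(iter(self.handlers.values())) if self.all_handlers_identical else None


def analyze(log_text: str) -> Dict[str, DriverReport]:
    """Group TDSSKiller output per driver name and extract the TDL3 findings."""
    reports: Dict[str, DriverReport] = {}
    current: Optional[DriverReport] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        n = NAME_RE.search(msg)
        if n:
            current = reports.setdefault(n.group("name"), DriverReport(name=n.group("name")))
            current.object_name = n.group("obj")
            current.handlers = {}  # the same driver is re-walked once per device stack; keep the latest table
            continue
        if current is None:
            continue
        h = IRP_RE.search(msg)
        mi = MEM_INFECTED_RE.search(msg)
        fi = FILE_INFECTED_RE.match(msg)
        if h:
            current.handlers[int(h.group("idx"))] = h.group("addr").upper()
        elif "TDL3 Stub signature found" in msg:
            current.stub_signature_found = True
        elif mi:
            reports.setdefault(mi.group("name"), DriverReport(name=mi.group("name"))).memory_infected = True
        elif msg.strip() == "cured":
            current.memory_cured = True
        elif fi:
            current.infected_file = fi.group("path")
        elif "will be cured on next reboot" in msg:
            current.file_cure_pending_reboot = True
    return reports


def constructed_sample() -> str:
    """Constructed log in TDSSKiller's layout. The nvata block mirrors the one quoted
    in this thread; the 'disk' driver and its addresses are hypothetical."""
    ts = "14:46:19:953 2488 "
    lines = [ts + r"DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvata, Driver Name: nvata"]
    lines += [ts + f"DetectCureTDL3: IrpHandler ({i}) addr: B7F1FCB4" for i in range(IRP_MJ_COUNT)]
    lines += [
        ts + "DetectCureTDL3: All IRP handlers pointed to one addr: B7F1FCB4",
        ts + "TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr",
        ts + 'Driver "nvata" Irp handler infected by TDSS rootkit ... ' + ts
        + "KLMD_WriteMem: Trying to WriteMemory 0x8A803FE7[0xD]",
        ts + "cured",
        ts + r"File C:\WINDOWS.0\system32\drivers\nvata.sys infected by TDSS rootkit ... " + ts
        + r"TDL3_FileCure: Processing driver file: C:\WINDOWS.0\system32\drivers\nvata.sys",
        ts + "will be cured on next reboot",
        ts + r"DetectCureTDL3: DRIVER_OBJECT name: \Driver\disk, Driver Name: disk",
    ]
    clean = {0: "F7512A00", 2: "F7512B10"}  # hypothetical: a few majors have their own routine
    lines += [ts + f"DetectCureTDL3: IrpHandler ({i}) addr: {clean.get(i, 'F7512C20')}"
              for i in range(IRP_MJ_COUNT)]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, r in analyze(constructed_sample()).items():
        print(f"{name}: identical_table={r.all_handlers_identical} stub={r.stub_signature_found} "
              f"mem_infected={r.memory_infected} cured={r.memory_cured} "
              f"file={r.infected_file} reboot_pending={r.file_cure_pending_reboot}")
```

Run it against a saved TDSSKiller log in place of `constructed_sample()`; a driver whose table is identical but whose stub flag never flips is the case to look at by hand rather than treat as infected.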

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Nolan36 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

  • Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Step 1

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS.0\System32\tdlcmd.dll


  • In the Avenger window, click the Paste Script from Clipboard button.
  • ! Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Step 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

Step 3

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Step 4

This system does not appear to have an Antivirus program. If so, and cost is an issue, get and setup Avira AntiVir

http://www.free-av.com It is free for personal, non-commercial use

RE-Enable your AntiVirus and AntiSpyware applications.

Step 5

Make a new (fresh) run of DDS

Always copy and paste the contents of your logs. Do NOT use the attach feature, please.

Reply with copies of contents of C:\Avenger.txt

C:\Combofix.txt

the Sysclean log

the latest DDS.txt

Attach.txt


Here are the logs:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)

Wed Dec 09 17:58:55 2009

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\WINDOWS.0\System32\tdlcmd.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-12-09.04 - Bj


Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next:

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3337 and the latest version is 1.42.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of the latest MBAM scan log,

and tell me, How is your system now ?


Hey, everything is fine now, google links don't get re-directed anymore and my comp seems to run faster! Thank you sooo much, I really appreciate your help. Here is the log:

Malwarebytes' Anti-Malware 1.42

Database version: 3338

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/10/2009 10:19:18 AM

mbam-log-2009-12-10 (10-19-18).txt

Scan type: Quick Scan

Objects scanned: 151669

Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hey, sorry for the late reply. Here is the log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=28db0c9efd6345418ae233a54b1bba1e

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-14 11:02:20

# local_time=2009-12-14 06:02:20 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=223099

# found=3

# cleaned=3

# scan_time=2817

C:\WINDOWS.0\cmstnime.exe a variant of Win32/Kryptik.BHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS.0\system32\blasuide.dll Win32/Agent.QLH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS.0\system32\hqilivclh.exe a variant of Win32/Kryptik.BCN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


3 trojans were found and removed by ESET scan. I suggest you do a scan at Kaspersky and let's see what those results are.

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now?


Hey my system is better but it still seems to be infected. Whenever I start IE or Firefox my windows firewall turns off. But at least it shows the security bubble in the bottom right again (it didn't before). Now I have a little problem, tomorrow I will leave on vacation until January 8th, and I won't have access to this computer during that time. Can we resume with cleaning when I get back? I would highly appreciate it since my computer has gotten much better since we started and I'd love to have it 100% clean again. But either way, thanks a lot for your help so far.


Did you run the Kaspersky scan? I need to see the log from it, after you've completed that.

Yes, we can resume after you get back. Make sure no other user uses the system to surf the internet.

And I imagine you'll have it shutdown and powered off while on vacation anyway.


4 weeks later...

Hey, I'm finally back, happy new year! My computer was off the whole time since I'm the only one who uses it anyway. I ran the Kaspersky scan but accidentally saved the log as an HTML file. Hope that's no problem.

Here is the log:

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, January 9, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, January 09, 2010 13:08:35

Records in database: 3303033

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

E:\

F:\

Scan statistics

Objects scanned 222938

Threats found 1

Infected objects found 1

Suspicious objects found 0

Scan duration 07:22:30

File name Threat Threats count

C:\WINDOWS.0\Temp\6.tmp Infected: Trojan-Spy.Win32.Zbot.gen 1

Selected area has been scanned.

After it finished it said this on the run scan page:

Last start: 09.34.2010 09:01:140

Status: interrupted

so I'm not sure if it scanned the whole computer, but it didn't show any message on why the scan was interrupted.

I then ran a MBAM quick scan which came up with a few more results, here is the log:

Malwarebytes' Anti-Malware 1.44

Database version: 3531

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/9/2010 9:35:12 PM

mbam-log-2010-01-09 (21-35-12).txt

Scan type: Quick Scan

Objects scanned: 160226

Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows.0\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS.0\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\WINDOWS.0\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

C:\WINDOWS.0\Temp\6.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS.0\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS.0\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

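An added example, not from the thread and not Malwarebytes' code: a Python check for the Winlogon hijack the MBAM log above reports. The Userinit value is a comma-separated list of programs Winlogon runs at every interactive logon; the default is userinit.exe alone (stored with a trailing comma), and here sdra64.exe had been chained after it, which is how Zbot survived each reboot. The check goes a little beyond the log: it also covers the Shell value (default Explorer.exe) and the variant where the expected file name is loaded from the wrong directory. The sample values are constructed from the paths in the log, and the system root is a parameter because this machine uses C:\WINDOWS.0 rather than C:\WINDOWS.

```python
import ntpath
from typing import Dict, List, NamedTuple

# Default Winlogon programs on Windows XP, relative to %SystemRoot%.
# Userinit defaults to "C:\WINDOWS\system32\userinit.exe," (note the trailing
# comma); Shell defaults to "Explorer.exe". Any extra element in these lists
# is executed at logon, which is the persistence MBAM flagged as Hijack.Userinit.
EXPECTED_RELATIVE = {
    "Userinit": r"system32\userinit.exe",
    "Shell": r"explorer.exe",
}


class Finding(NamedTuple):
    value_name: str
    entry: str
    reason: str


def _entries(value: str) -> List[str]:
    # Comma-separated list; the default trailing comma yields an empty element
    # that must be ignored rather than reported.
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def _resolve(entry: str, expected_dir: str) -> str:
    # A bare file name is taken to live in the directory of the expected binary.
    if not ntpath.dirname(entry):
        entry = ntpath.join(expected_dir, entry)
    return ntpath.normpath(entry).lower()


def check_winlogon(values: Dict[str, str], system_root: str = r"C:\WINDOWS") -> List[Finding]:
    """Return one Finding per unexpected or misplaced program in the Winlogon values."""
    findings: List[Finding] = []
    for name, expected_rel in EXPECTED_RELATIVE.items():
        if name not in values:
            continue
        expected = ntpath.normpath(ntpath.join(system_root, expected_rel)).lower()
        expected_dir = ntpath.dirname(expected)
        entries = _entries(values[name])
        if not entries:
            findings.append(Finding(name, "", "value is empty"))
            continue
        for raw in entries:
            resolved = _resolve(raw, expected_dir)
            if resolved == expected:
                continue
            if ntpath.basename(resolved) == ntpath.basename(expected):
                findings.append(Finding(name, raw, "expected file name loaded from an unexpected directory"))
            else:
                findings.append(Finding(name, raw, "extra program chained into Winlogon value"))
    return findings


# Constructed samples built from the paths in the MBAM log above.
SYSTEM_ROOT = r"C:\WINDOWS.0"
HIJACKED = {
    "Userinit": r"C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,",
    "Shell": "Explorer.exe",
}
CLEAN = {"Userinit": r"C:\WINDOWS.0\system32\userinit.exe,", "Shell": "Explorer.exe"}
MASQUERADE = {"Userinit": r"C:\WINDOWS.0\userinit.exe,"}  # hypothetical: right name, wrong directory

if __name__ == "__main__":
    for label, values in (("hijacked", HIJACKED), ("clean", CLEAN), ("masquerade", MASQUERADE)):
        print(label, check_winlogon(values, SYSTEM_ROOT) or "OK")
```

On a live XP box the values come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; reading them with the `winreg` module and passing the resulting dict in is the only change needed.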

Step 1

Let's make sure that temporary files/areas are flushed.

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 2

Get the latest copy of Combofix and do a new run.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Delete the prior Combo-fix.exe {with red lion icon} on your Desktop !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

Step 3

Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.

Follow the directions in the F-Secure page for proper Installation.

You may receive an alert on the address bar at this point to install the ActiveX control.

Click on that alert and then click "Install ActiveX component".

Read the license agreement and click "Accept".

Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics

When the scan completes, click the "I want to decide item by item" button.

For each item found, Select "Disinfect" and click "Next".

When done, click the "Show Report" button, then copy and paste the entire report into your next reply

Step 4

RE-Enable your AntiVirus and AntiSpyware applications.

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step 5

Reply with copy of C:\Combofix.txt

the F-Secure scan report

Log.txt

Info.txt

and tell me, How is your system now ?


4 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

