Jump to content

3 Virus scan logs- Please review


Recommended Posts

Hello, I would appreciate it if someone could please review these logs from Malwarebytes, Panda scan, and Hijack this.

Thank you and Happy Holidays!

Malwarebytes Log

Malwarebytes' Anti-Malware 1.31

Database version: 1533

Windows 5.1.2600 Service Pack 2

12/24/2008 5:23:46 PM

mbam-log-2008-12-24 (17-23-46).txt

Scan type: Quick Scan

Objects scanned: 47973

Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Panda Scan

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-24 22:13:28

PROTECTIONS: 1

MALWARE: 22

SUSPECTS: 2

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Kaspersky Internet Security 6.0 6.0.2.621 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@casalemedia[1].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@atdmt[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@247realmedia[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@tribalfusion[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@mediaplex[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@com[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@ad.yieldmanager[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@advertising[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@realmedia[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@adrevolver[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@target[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@atwola[1].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Daniel Lee\Cookies\daniel lee@ads.addynamix[1].txt

00414142 Adware/VaccineSoftware2007 Adware No 0 Yes No C:\WINDOWS\system32\uninst_vcpr.exe

00528967 Trj/Agent.FHL Virus/Trojan No 0 Yes Yes C:\WINDOWS\melonsrv.dll

00528968 Trj/Agent.FHL Virus/Trojan No 0 Yes Yes C:\WINDOWS\nvdualhd.exe

02081744 Generic Trojan Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\vupdatemain.exe

02215887 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\dlwl.exe

02238735 Trj/Downloader.MDW Virus/Trojan No 0 Yes No C:\WINDOWS\Help\bin\ctfmon.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\nndelete.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\wincap.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\Ksetup\setup_keyword17.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\bmdelete.exe

04213070 W32/AutoRun.DJ.worm Virus/Trojan No 1 Yes Yes C:\WINDOWS\system32\drivers\aeaudio.sys

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location }

;===============================================================================

================================================================================

=

===================

No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DIR4HA7\full[1].exe

No C:\WINDOWS\system32\vacprouninstaller.exe }

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description }

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Hijack This

Logfile of HijackThis v1.97.7

Scan saved at 10:19:21 PM, on 12/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

D:\My Documents\My Apps\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Web Anti-Virus statistics (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/down/NaverFile.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Link to post
Share on other sites

Hello Dan and welcome to MalwareBytes forums.

Let me gently state a suggestion about the Subject line, for your benefit and for others too.

Always...always... think of a on-target summary of your issue and put that ....instead of just using a generic "3 scan logs - please review"

and at least tell us some specifics as to what prior clues you had about malware being present.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member Danloman only. If you are a lurker, do NOT try this on your system!

If you are not Danloman and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

:arrow: Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

This system has BitTorrent DNA & it is set to aut-start at each startup of Windows. I suggest you remove {de-install} it as peer-to-peer file sharing poses security concerns. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

You got hold of a very old version of HijackThis. De-install it. Then et's get the most current.

Download the latest version of >>>> HijackThis Installer <<<<< from here

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

Next, using My Computer {Windows Explorer} locate the hijackthis.exe

do a Right-click on it, then choose Rename and Rename it to Findem.exe

Next,

start Findem {HijackThis}. Do a Scan and Save. Copy and paste that report in your next reply.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :filesC:\WINDOWS\dlwl.exe
    :commands[EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Reply back with copy of

  • the OTMoveit3 log from above,
  • the HJT log from above,
  • C:\Combofix.txt
  • and, Tell me, How is your system now ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Link to post
Share on other sites

Hello,

Sorry for the generic post name.

I believe i was infected with the TDSS virus and other trojans possibly.

As per your instructions, please see below logs:

OTmoveit3 Log

========== FILES ==========

File/Folder C:\WINDOWS\dlwl.exe not found.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\etilqs_PESNAzYaTfbweBUtgCaN scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\~DFD99.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12262008_201612

Files moved on Reboot...

File C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\etilqs_PESNAzYaTfbweBUtgCaN not found!

File C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\~DFD99.tmp not found!

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat not found!

C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\Daniel Lee\Local Settings\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\XUL.mfl moved successfully.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:12:04 PM, on 12/26/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\Findem.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {9CDD57AC-CA86-464C-B920-3228A388CC78} (NaverFileControl Control) - http://file.naver.com/down/NaverFile.cab

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: PCI lagacy (PCIlagacy) - Unknown owner - C:\WINDOWS\nerochk.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 6001 bytes

Combofix Log

ComboFix 08-12-26.03 - Daniel Lee 2008-12-26 20:27:35.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.685 [GMT -5:00]

Running from: c:\documents and settings\Daniel Lee\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)

FW: Kaspersky Internet Security *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\klogon.dll

c:\windows\system32\TDSSosvd.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))

.

2008-12-26 20:14 . 2008-12-26 20:14 <DIR> d-------- C:\_OTMoveIt

2008-12-26 20:10 . 2008-12-26 20:10 <DIR> d-------- c:\program files\Trend Micro

2008-12-23 19:05 . 2008-12-23 19:05 <DIR> d-------- c:\program files\Panda Security

2008-12-23 19:05 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-22 20:18 . 2008-12-23 19:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-22 20:18 . 2008-12-22 20:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-22 18:58 . 2008-12-22 18:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-22 18:58 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-22 18:58 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-22 18:57 . 2008-12-22 18:57 <DIR> d-------- c:\documents and settings\Daniel Lee\Application Data\Malwarebytes

2008-12-22 18:43 . 2008-12-22 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-27 01:31 32,454,944 --sha-w c:\windows\system32\drivers\fidbox.dat

2008-12-27 01:31 1,383,200 --sha-w c:\windows\system32\drivers\fidbox2.dat

2008-12-27 01:31 --------- d-----w c:\program files\DNA

2008-12-27 01:31 --------- d-----w c:\documents and settings\Daniel Lee\Application Data\DNA

2008-12-27 01:30 438,848 --sha-w c:\windows\system32\drivers\fidbox.idx

2008-12-27 01:30 131,744 --sha-w c:\windows\system32\drivers\fidbox2.idx

2008-12-26 04:21 --------- d-----w c:\documents and settings\Daniel Lee\Application Data\LimeWire

2008-12-26 03:51 --------- d-----w c:\documents and settings\Daniel Lee\Application Data\BitTorrent

2008-12-22 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2008-12-22 03:06 79,872 ----a-w c:\windows\system32\drivers\mspzcshmiri.sys

2008-10-19 20:36 3,532 ----a-w C:\drmHeader.bin

2008-10-04 18:27 0 ----a-w c:\documents and settings\Daniel Lee\jagex_runescape_preferences.dat

2007-10-29 00:22 722,176 ----a-w c:\documents and settings\Daniel Lee\gotomypc_428.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-12-31 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-12-31 455168]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-12-31 59392]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-12-31 208952]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [2007-09-22 13357056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2007-11-15 10:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ueu1atlaege.sys]

@="\??\c:\windows\system32\drivers\ueu1atlaege.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2004-07-27 13:48 1388544 c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\skcbgm.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Documents and Settings\\Daniel Lee\\My Documents\\BitTorrent Downloads\\BitTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"52000:TCP"= 52000:TCP:Monkey3

"52000:UDP"= 52000:UDP:Monkey3

"5435:TCP"= 5435:TCP:Monkey3

"5435:UDP"= 5435:UDP:Monkey3

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-23 28544]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-11 24652]

R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2007-09-22 54432]

S2 PCIlagacy;PCI lagacy;c:\windows\nerochk.exe []

S2 ueu1atlaege.sys;ueu1atlaege.sys;\??\c:\windows\system32\drivers\ueu1atlaege.sys []

.

Contents of the 'Scheduled Tasks' folder

2008-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2007-11-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1188183473.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]

.

- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)

MSConfigStartUp-alzip - c:\program files\ESTsoft\ALZip\Banner\alzip.exe

MSConfigStartUp-aqmrhc - c:\windows\system32\LogFiles\go.exe

MSConfigStartUp-asro - c:\windows\asrotray.exe

MSConfigStartUp-DoctorCode - c:\program files\DoctorCode\DoctorCode.exe

MSConfigStartUp-DoctorV - c:\program files\DoctorVaccineZ\DoctorV.exe

MSConfigStartUp-ezcatch - c:\program files\ezcatch\ezcatch_starter.exe

MSConfigStartUp-Nano Pop - c:\program files\Nano-AD\nnpop.exe

MSConfigStartUp-Nano-AD - c:\program files\Nano-AD\nanoad.exe

MSConfigStartUp-ntqmtg - c:\windows\system32\ReinstallBackups\0000\DriverFiles\sol.exe

MSConfigStartUp-pbggja - c:\windows\PeerNet\ka.exe

MSConfigStartUp-pcmedic - c:\program files\pcmedic\pcmedic.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

MSConfigStartUp-vmnat - c:\windows\AppPatch\vmnat.exe

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

c:\windows\system32\NaverBroker.exe - c:\windows\system32\NaverFDL.exe

c:\windows\system32\NaverFile.ocx

O16 -: {9CDD57AC-CA86-464C-B920-3228A388CC78}

hxxp://file.naver.com/down/NaverFile.cab

c:\windows\Downloaded Program Files\NaverFile.inf

FF - ProfilePath - c:\documents and settings\Daniel Lee\Application Data\Mozilla\Firefox\Profiles\zz4irtcs.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-26 20:31:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\ati2evxx.exe

c:\program files\D-Link\D-Link RangeBooster N DWA-542\acs.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2008-12-26 20:33:41 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-27 01:33:38

Pre-Run: 101,404,143,616 bytes free

Post-Run: 101,276,667,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

202 --- E O F --- 2008-12-21 07:47:33

My system seems to be running fine.

The internet is running fine. I am able to view antivirus sites.

After i ran the malwarebytes, spybot, and pandascan, the only problem that i had was with my audio.

I reinstalled my Soundmax drivers and it is working fine now. Though after i turn off my computer, i get an "end program smax4pnp" and then a "not responding prompt".

After doing some research, the drivers I downloaded from the internet may be a virus or the drivers may just be buggy. ( Any safe sites to download soundmax drivers?)

I was advised to "SMax4PNP was keeping my computer from shutting down. I went to start/run/type in msconfig/OK/ then go to the startup tab and uncheck it."

Other then that everything seems to be fine.

Appreciate your help.

Link to post
Share on other sites

Not all the files listed below will be found, so do not be unduly concerned. I want to doublecheck that TDSS is all gone, plus one other driver.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:C:\WINDOWS\system32\drivers\TDSSmqlt.sys C:\windows\system32\drivers\tdssserv.sysC:\WINDOWS\system32\drivers\TDSSmact.sysC:\WINDOWS\system32\TDSSfpmp.dllC:\WINDOWS\system32\TDSSwpyd.dat C:\WINDOWS\system32\TDSStkdv.log  C:\WINDOWS\system32\TDSSotxb.dll C:\WINDOWS\system32\TDSScrrn.dll C:\WINDOWS\system32\TDSSbvqh.dll C:\WINDOWS\system32\TDSSjnmx.dllc:\windows\system32\TDSShrxr.dllc:\windows\system32\TDSSkkbi.logc:\windows\system32\TDSSlrvd.datc:\windows\system32\TDSSlxwp.dllc:\windows\system32\TDSSnmxh.logc:\windows\system32\TDSSoiqt.dllc:\windows\system32\TDSSrhyp.logc:\windows\system32\TDSSrtqp.dllc:\windows\system32\TDSSsihc.dllc:\windows\system32\TDSSxfum.dllc:\windows\system32\ueu1atlaege.sysC:\resycledD:\resycledE:\resycledF:\resycled
    Drivers to delete:tdssservTDSSserv.sysService_TDSSserv.sysueu1atlaege.sysueu1atlaege
    Registry keys to delete:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ueu1atlaege.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sysHKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssservHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssservHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata HKEY_LOCAL_MACHINE\SOFTWARE\tdss HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the avenger window, click the Paste Script from Clipboard icon, pastets4.png button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.

If you see any other Java versions there,

such as

J2SE Runtime Environment 5.0

Java SE Runtime Environment

Java 6

uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

  • Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp

> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 11

> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control

> Accept the license agreement

> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

  • Tip: Choose Custom install to select only the part(s) you need/want.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html

When all is well, you should see Java Version: 1.6.0_11 from Sun Microsystems Inc.

=

Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Reply with copies of C:\Avenger.txt,

and Eset scan log, and

tell us, How is your system now ?

You must be sure to get your sound card driver from your souncard manufacturer.

Link to post
Share on other sites

Hello,

Please see below logs:

Avenger Log

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSShrxr.dll" not found!

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSkkbi.log" not found!

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlrvd.dat" not found!

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlxwp.dll" not found!

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnmxh.log" not found!

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSoiqt.dll" not found!

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrhyp.log" not found!

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrtqp.dll" not found!

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSsihc.dll" not found!

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSxfum.dll" not found!

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\ueu1atlaege.sys" not found!

Deletion of file "c:\windows\system32\ueu1atlaege.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\resycled" not found!

Deletion of file "C:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "D:\resycled" not found!

Deletion of file "D:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "E:\resycled"

Deletion of file "E:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "F:\resycled"

Deletion of file "F:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.sys" not found!

Deletion of driver "TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSserv.sys" not found!

Deletion of driver "Service_TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "ueu1atlaege.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ueu1atlaege" not found!

Deletion of driver "ueu1atlaege" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ueu1atlaege.sys" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

ESET scan log

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3719 (20081227)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=862c814075008b46b21982ab862e0662

# end=finished

# remove_checked=true

# unwanted_checked=false

# utc_time=2008-12-28 09:28:11

# local_time=2008-12-28 04:28:11 (-0500, Eastern Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 2

# scanned=342864

# found=5

# scan_time=2820

C:\Program Files\MSN Messenger\Device Manager\Loc\3099\Setup_MN17.exe probably a variant of Win32/Adware.Agent application (unable to clean - deleted) 00000000000000000000000000000000

C:\WINDOWS\Help\bin\ctfmon.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\WINDOWS\Ksetup\setup_keyword17.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4DIR4HA7\full[1].exe a variant of Win32/Kryptik.DL trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\_OTMoveIt\MovedFiles\12262008_201409\WINDOWS\dlwl.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000

I cannot run Msconfig for some reason to fix the soundcard problem.

Other then that, my computer is running fine.

Link to post
Share on other sites

Hello Daniel,

Running Fixpolicies utility should restore the ability to use MSConfig.

You need to be using Device Manager to check on the driver issue. So please be careful.

You may reset your Windows Explorer View folder options back to where they had been before.

You should use Control Panel > Add-or-Remove Programs, and remove (un-install) the entries for

Panda ActiveScan

Eset Online Scan

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:

http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combofix /u and then click OK.
    CFuninstall.png
  • You already have OTMoveIt3 by OldTimer
  • Please double-click OTMoveIt3.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.