
Hello,

I had Spyware Guard 2008. I was able to remove it (and others) using Malwarebytes after running it from the command line under a different name. I am unable to run Spybot S&D. It installs but when I attempt to run it, the process shows up in Task manager but...no user interface ever appears. I am also unable to get to certain websites from IE or Firefox. I do NOT have the TDSServ driver listed in device manager but I'm fairly certain that there is some residual infection.

Please help.

Thanks,

JD

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:13:31 PM, on 12/28/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINNT\etlisrv.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\IDS\bin\IDSservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\PatchLink\Update Agent\GravitixService.exe

C:\WINNT\system32\Ati2evxx.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINNT\System32\snmp.exe

C:\Program Files\Timbuktu Pro\tb2launch.exe

C:\WINNT\system32\CCM\CcmExec.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Timbuktu Pro\tb2logon.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\PatchLink\Update Agent\pddm.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\AtHocGov\AtHocGov.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINNT\system32\userinit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.nasa.gov

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190146034221

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nasa.webex.com/client/T26L/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jsc.nasa.gov

O17 - HKLM\Software\..\Telephony: DomainName = jsc.nasa.gov

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jsc.nasa.gov

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = jsc.nasa.gov

O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = jsc.nasa.gov

O20 - Winlogon Notify: IDSnetwork - C:\IDS\bin\IDSnetwork.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINNT\etlisrv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: IDSservice - Unknown owner - C:\IDS\bin\IDSservice.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe

--

End of file - 6804 bytes

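The HijackThis log above is the kind of input a helper triages by eye: O23 lines for services (HijackThis prints "Unknown owner" when it finds no company name in the file's version information), O20 lines for Winlogon Notify DLLs (loaded into winlogon.exe at logon, a favourite persistence point of 2008-era malware), and O16 lines for ActiveX controls downloaded on demand. The Python below is an added example, not part of the original thread and not HijackThis code, that runs that first pass over the page's own log lines and returns the entries a human should look at. The allowlists of trusted download hosts and expected image directories, the Finding type and the function names are assumptions made for this example; a hit is a review item, not a verdict (the IDS entries here are just as likely to be a managed corporate agent as malware).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    name: str      # item the finding is about (service display name, DLL, ActiveX control)
    reason: str    # why it was flagged for review
    path: str      # image path or download URL


# Lines copied from the HijackThis log posted above. Lines the triage does not
# understand (the R1 entry here) are passed over untouched.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.nasa.gov
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nasa.webex.com/client/T26L/webex/ieatgpc.cab
O20 - Winlogon Notify: IDSnetwork - C:\IDS\bin\IDSnetwork.dll
O23 - Service: IDSservice - Unknown owner - C:\IDS\bin\IDSservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
"""

_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<rest>.+)$")

# Assumed allowlists for this example: hosts an ActiveX control may be pulled from
# without comment, and directories a service image is expected to live in.
TRUSTED_DPF_SUFFIXES = ("microsoft.com",)
TRUSTED_IMAGE_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\winnt\\", "c:\\windows\\")


def _host_allowed(url, suffixes):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _image_in_expected_dir(path, dirs):
    p = path.strip().lower()
    return any(p.startswith(d) for d in dirs)


def triage_hjt(text, dpf_suffixes=TRUSTED_DPF_SUFFIXES, image_dirs=TRUSTED_IMAGE_DIRS):
    """Return the O16/O20/O23 entries a first pass would hand to a human."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _O16.match(line):
            # ActiveX control fetched on demand from a host outside the allowlist.
            if not _host_allowed(m["url"], dpf_suffixes):
                findings.append(Finding("O16", m["name"], "ActiveX control from non-allowlisted host", m["url"]))
        elif m := _O20.match(line):
            # Every Winlogon Notify DLL is loaded into winlogon.exe at logon, so each one is
            # named even when it turns out to be legitimate.
            findings.append(Finding("O20", m["name"], "Winlogon Notify DLL loaded into winlogon.exe", m["path"]))
        elif m := _O23.match(line):
            # Layout is "display - owner - path"; split from the right so a display name
            # containing " - " still parses (a path containing " - " would not).
            parts = m["rest"].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            display, owner, path = (s.strip() for s in parts)
            reasons = []
            if owner.lower() == "unknown owner":   # no CompanyName in the file's version info
                reasons.append("no vendor in version info")
            if not _image_in_expected_dir(path, image_dirs):
                reasons.append("image outside Program Files / system root")
            if reasons:
                findings.append(Finding("O23", display, "; ".join(reasons), path))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section}  {f.name}: {f.reason}  [{f.path}]")
```

Against the sample this reports the WebEx ActiveX control (host not on the allowlist), the IDSnetwork Winlogon Notify DLL, and the IDSservice entry for both reasons, while the Symantec and Timbuktu services pass; which of those three is actually malicious is a question for the analyst, not the script.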

Let's take a look real quick and make sure TDSS is gone. :)

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\drivers\TDSSrvdc.sys
    C:\WINDOWS\system32\TDSSwpyd.dat
    C:\WINDOWS\system32\TDSStkdv.log
    C:\WINDOWS\system32\TDSSotxb.dll
    C:\WINDOWS\system32\TDSScrrn.dll
    C:\WINDOWS\system32\TDSSbvqh.dll
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    C:\WINDOWS\SYSTEM32\qoMfefde.dll
    Drivers to delete:
    tdssserv
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Important: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Sorry. I think I did the wrong kind of reply. What I was trying to tell you was that I tried the URL you provided to download The Avenger. My infected computer would not take me there with either Firefox or Internet Explorer. Firefox says "Done" but the screen is blank. IE gave some kind of error screen. I am going to try to download the file on my good computer and transfer it via a memory stick. I'll let you know either way.

Thanks,

JD


Hey Tigger - I was able to get Avenger and run it on the infected PC. Here is the log it generated.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!

ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys

Start Type: 1 (System)

Rootkit scan completed.

Error: could not open file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys"

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\windows\system32\drivers\tdssserv.sys"

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\drivers\TDSSmact.sys"

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys"

Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\TDSSwpyd.dat"

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\TDSStkdv.log"

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\TDSSotxb.dll"

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\TDSScrrn.dll"

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\TDSSbvqh.dll"

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\TDSSjnmx.dll"

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSShrxr.dll"

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSkkbi.log"

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSlrvd.dat"

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSlxwp.dll"

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSnmxh.log"

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSoiqt.dll"

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSrhyp.log"

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSrtqp.dll"

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSsihc.dll"

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "c:\windows\system32\TDSSxfum.dll"

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\SYSTEM32\qoMfefde.dll"

Deletion of file "C:\WINDOWS\SYSTEM32\qoMfefde.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

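The log above shows the pattern that bit this machine: the rootkit scan reports the hidden driver's ImagePath in NT-namespace form (\systemroot\...), while the cleanup script hard-coded C:\WINDOWS, so every file entry failed with STATUS_OBJECT_PATH_NOT_FOUND. That status means the parent directory was not found and the file was never examined; it is not evidence that the file is gone, unlike STATUS_OBJECT_NAME_NOT_FOUND on the registry keys, which were genuinely already absent. The Python below is an added example, not part of the original thread and not Avenger's own code, that parses an Avenger log, separates the two failure kinds, and resolves the logged ImagePath against the real system root before emitting a Files to delete: section in the shape the helper uses. The trimmed log excerpt, the system root C:\WINNT (taken from the poster's HijackThis log; on a live machine read %SystemRoot% instead of guessing) and all type and function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HiddenDriver:
    service: str        # service key name Avenger reported, e.g. "UACd.sys"
    image_path: str     # ImagePath as logged, normally an NT-namespace path
    start_type: str


@dataclass
class Failure:
    kind: str           # "file", "driver" or "registry key"
    target: str
    status: str         # NTSTATUS symbolic name from the following Status: line


@dataclass
class AvengerReport:
    hidden_drivers: list = field(default_factory=list)
    failures: list = field(default_factory=list)


# Trimmed excerpt of the Avenger log posted above: the rootkit-scan hit, one file deletion
# that failed with STATUS_OBJECT_PATH_NOT_FOUND and one driver deletion that failed with
# STATUS_OBJECT_NAME_NOT_FOUND.
SAMPLE_AVENGER_LOG = r"""
Rootkit scan active.
Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys
Start Type: 1 (System)
Rootkit scan completed.
Error: could not open file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys"
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
"""

_HIDDEN = re.compile(r'^Hidden driver "(?P<svc>[^"]+)" found!$')
_IMAGE = re.compile(r'^ImagePath: (?P<path>.+)$')
_START = re.compile(r'^Start Type: (?P<st>.+)$')
_FAILED = re.compile(r'^Deletion of (?P<kind>file|driver|registry key) "(?P<target>[^"]+)" failed!$')
_STATUS = re.compile(r'^Status: 0x[0-9a-fA-F]+ \((?P<name>[A-Z_]+)\)$')


def parse_avenger_log(text):
    """Collect rootkit-scan hits and failed deletions, each paired with its Status: line."""
    report = AvengerReport()
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HIDDEN.match(line):
            report.hidden_drivers.append(HiddenDriver(m["svc"], "", ""))
        elif (m := _IMAGE.match(line)) and report.hidden_drivers:
            report.hidden_drivers[-1].image_path = m["path"]
        elif (m := _START.match(line)) and report.hidden_drivers:
            report.hidden_drivers[-1].start_type = m["st"]
        elif m := _FAILED.match(line):
            pending = Failure(m["kind"], m["target"], "")
        elif (m := _STATUS.match(line)) and pending is not None:
            pending.status = m["name"]
            report.failures.append(pending)
            pending = None
    return report


def expand_nt_path(nt_path, system_root):
    # Convert the NT-namespace path the kernel stores for a driver into the Win32 path that
    # Avenger's "Files to delete:" needs. The \systemroot prefix and a bare relative ImagePath
    # (e.g. system32\drivers\x.sys) both resolve against the real system root.
    root = system_root.rstrip("\\")
    p = nt_path.strip()
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        return root + p[len("\\systemroot"):]
    if low.startswith("\\??\\"):                 # \??\C:\... already carries a Win32 path
        return p[4:]
    if re.match(r"^[a-z]:\\", low):
        return p
    return root + "\\" + p.lstrip("\\")


def diagnose_failures(report, system_root):
    """Explain each failed deletion; PATH_NOT_FOUND means the file was never even looked at."""
    notes = []
    root = system_root.rstrip("\\").lower()
    for f in report.failures:
        if f.kind == "file" and f.status == "STATUS_OBJECT_PATH_NOT_FOUND":
            head = "\\".join(f.target.split("\\")[:2]).lower()   # drive plus top directory
            if head != root:
                notes.append(f"{f.target}: script hard-codes {head} but the system root is "
                             f"{system_root}; the file was never checked, re-run with the right root")
            else:
                notes.append(f"{f.target}: a parent directory is missing; the path is wrong")
        elif f.status == "STATUS_OBJECT_NAME_NOT_FOUND":
            notes.append(f"{f.kind} {f.target}: already absent, nothing left to clean")
        else:
            notes.append(f"{f.kind} {f.target}: {f.status}")
    return notes


def build_avenger_script(report, system_root):
    """Emit a 'Files to delete:' section for every hidden driver the scan reported."""
    files = [expand_nt_path(d.image_path, system_root) for d in report.hidden_drivers if d.image_path]
    if not files:
        return ""
    return "Files to delete:\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    # Hard-wired for the offline run; on the infected machine use os.environ["SystemRoot"].
    rep = parse_avenger_log(SAMPLE_AVENGER_LOG)
    for note in diagnose_failures(rep, "C:\\WINNT"):
        print(note)
    print(build_avenger_script(rep, "C:\\WINNT"))
```

Run against the excerpt, the diagnosis says the TDSS entry was never checked because the script named C:\WINDOWS on a C:\WINNT machine, says the tdssserv driver is simply gone, and the generated script names C:\WINNT\system32\drivers\UACwbpjyeqr.sys, which is exactly the correction the helper makes two posts later.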

  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Important: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Here's the new log. I don't have a "Windows" directory on my C drive. Maybe that's why it didn't find the file. When I look for the file under \WINNT\system32\drivers, I can't find it either. BTW - I did a find in regedit on "UAC" and found a couple of entries but not this same exact filename.

Thanks again for your help...from the traffic on the forum it looks like things are extremely busy right now. JD

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!

ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys

Start Type: 1 (System)

Rootkit scan completed.

Error: could not open file "C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys"

Deletion of file "C:\WINDOWS\system32\drivers\UACwbpjyeqr.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.


Oops. :)

  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINNT\system32\drivers\UACwbpjyeqr.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Important: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Tigger - Looks like that worked. Even though I couldn't see the file...it appears that Avenger could. Let me know what we should do next.

Thanks,

JD

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!

ImagePath: \systemroot\system32\drivers\UACwbpjyeqr.sys

Start Type: 1 (System)

Rootkit scan completed.

File "C:\WINNT\system32\drivers\UACwbpjyeqr.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Tigger - here are the combofix and HJT logs. Notes of interest...on the infected computer, Firefox couldn't download combofix. It found the URL and file okay but the "save" button was disabled. Thanks - JD

ComboFix 08-12-31.01 - jadavis1 2009-01-01 19:50:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1432 [GMT -6:00]

Running from: d:\documents and settings\jadavis1\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\winnt\Downloaded Program Files\setup.inf

c:\winnt\IE4 Error Log.txt

c:\winnt\system32\hosopovo.dll

c:\winnt\system32\osakusov.ini

c:\winnt\system32\pWGhRXyb.ini

c:\winnt\system32\pWGhRXyb.ini2

c:\winnt\system32\UACdlvmktiq.dll

c:\winnt\system32\UACfubqtoep.dll

c:\winnt\system32\UAClxlujxjx.dll

c:\winnt\system32\UACmqltodww.dat

c:\winnt\system32\UACyyfxapto.dll

c:\winnt\system32\zahuzewi.dll

d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

d:\documents and settings\jadavis1\Local Settings\Temporary Internet Files\fbk.sts

----- BITS: Possible infected sites -----

hxxp://77.74.48.101

hxxp://JSC-SMSCAP09:8889

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))

.

2009-01-01 01:44 . 2009-01-01 01:44 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-12-29 19:46 . 2009-01-01 01:17 135,168 --a------ C:\zip.exe

2008-12-29 19:46 . 2009-01-01 01:17 19,286 --a------ C:\cleanup.exe

2008-12-29 19:46 . 2009-01-01 01:17 574 --a------ C:\cleanup.bat

2008-12-29 19:46 . 2008-12-29 19:46 0 --a------ C:\backup.reg

2008-12-29 04:23 . 2008-12-29 04:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-29 03:56 . 2008-12-29 04:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-27 21:21 . 2008-12-27 21:22 <DIR> d-------- c:\temp\Zonealarm

2008-12-27 00:56 . 2008-12-27 00:56 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Malwarebytes

2008-12-27 00:42 . 2008-12-27 00:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-27 00:42 . 2008-12-03 19:54 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys

2008-12-27 00:42 . 2008-12-03 19:54 15,504 --a------ c:\winnt\system32\drivers\mbam.sys

2008-12-26 12:10 . 2008-12-26 12:10 2,713 ---hs---- c:\winnt\system32\ridogeku.exe

2008-12-26 09:21 . 2008-12-27 00:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-25 03:44 . 2009-01-01 19:54 2,206 --a------ c:\winnt\system32\wpa.dbl

2008-12-24 22:37 . 2008-12-27 01:06 1,744 --ah----- c:\winnt\system32\karesabi

2008-12-24 14:08 . 2008-12-24 14:14 <DIR> d-------- c:\temp\Chrome

2008-12-24 14:06 . 2008-12-29 03:53 <DIR> d-------- c:\temp\Spybot

2008-12-24 14:06 . 2008-12-24 14:07 <DIR> d-------- c:\temp\Malwarebytes

2008-12-24 06:33 . 2008-12-29 04:04 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-24 05:09 . 2008-12-24 05:08 102,664 --a------ c:\winnt\system32\drivers\tmcomm.sys

2008-12-24 05:08 . 2008-12-24 05:09 <DIR> d-------- d:\documents and settings\jadavis1\.housecall6.6

2008-12-23 06:02 . 2008-12-23 06:02 <DIR> d-------- c:\program files\Trend Micro

2008-12-23 06:01 . 2008-12-23 06:02 <DIR> d-------- c:\program files\Hijack This

2008-12-19 15:04 . 2008-12-19 15:04 <DIR> d-------- c:\program files\Microsoft Works

2008-12-18 12:54 . 2008-12-18 12:54 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\webex

2008-12-18 09:03 . 2001-08-17 13:48 12,160 --a------ c:\winnt\system32\drivers\mouhid.sys

2008-12-18 09:03 . 2001-08-17 13:48 12,160 --a--c--- c:\winnt\system32\dllcache\mouhid.sys

2008-12-18 09:03 . 2008-04-13 13:45 10,368 --a------ c:\winnt\system32\drivers\hidusb.sys

2008-12-18 09:03 . 2008-04-13 13:45 10,368 --a--c--- c:\winnt\system32\dllcache\hidusb.sys

2008-12-18 07:20 . 2008-09-08 04:41 333,824 -----c--- c:\winnt\system32\dllcache\srv.sys

2008-12-18 07:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\winnt\system32\dllcache\msxml3.dll

2008-12-18 07:04 . 2008-09-15 06:12 1,846,400 -----c--- c:\winnt\system32\dllcache\win32k.sys

2008-12-18 07:00 . 2008-08-14 04:11 2,189,184 -----c--- c:\winnt\system32\dllcache\ntoskrnl.exe

2008-12-18 07:00 . 2008-08-14 04:09 2,145,280 -----c--- c:\winnt\system32\dllcache\ntkrnlmp.exe

2008-12-18 07:00 . 2008-08-14 03:33 2,066,048 -----c--- c:\winnt\system32\dllcache\ntkrnlpa.exe

2008-12-18 07:00 . 2008-08-14 03:33 2,023,936 -----c--- c:\winnt\system32\dllcache\ntkrpamp.exe

2008-12-18 06:55 . 2008-10-24 05:21 455,296 -----c--- c:\winnt\system32\dllcache\mrxsmb.sys

2008-12-18 06:52 . 2008-12-19 13:05 <DIR> d--h----- c:\winnt\$hf_mig$

2008-12-15 15:09 . 2008-12-15 15:09 <DIR> d-------- c:\winnt\ms

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\NetworkService\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\LocalService\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\All Users\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d-------- d:\documents and settings\Administrator\Application Data\Intel

2008-12-15 14:55 . 2008-12-15 14:55 <DIR> d----c--- c:\winnt\system32\DRVSTORE

2008-12-15 14:55 . 2008-12-15 14:55 21,361 --a------ c:\winnt\system32\drivers\AegisP.sys

2008-12-15 14:55 . 2008-12-15 14:55 21,361 --a------ c:\winnt\AegisP.sys

2008-12-15 14:55 . 2008-12-15 14:55 13,984 --a------ c:\winnt\AegisP.inf

2008-12-15 14:55 . 2008-12-15 14:55 10,640 --a------ c:\winnt\AegisP.cat

2008-12-15 14:54 . 2008-12-15 14:54 <DIR> d-------- c:\program files\Intel

2008-12-15 14:10 . 2009-01-01 19:39 <DIR> d-------- c:\winnt\system32\VPCache

2008-12-15 14:09 . 2008-12-15 14:09 <DIR> d-------- c:\program files\PatchLink

2008-12-15 14:08 . 2008-12-15 14:09 <DIR> d-------- d:\documents and settings\All Users\Application Data\AtHocGov

2008-12-15 14:08 . 2008-12-15 14:08 <DIR> d-------- c:\program files\AtHocGov

2008-12-15 14:02 . 2008-12-15 14:02 <DIR> d-------- d:\documents and settings\jadavis1\Entrust Profile

2008-12-15 13:58 . 2005-04-07 06:42 <DIR> d--hs---- d:\documents and settings\jadavis1\UserData

2008-12-15 13:58 . 2007-01-18 09:04 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Talkback

2008-12-15 13:58 . 2007-02-14 08:49 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\OfficeUpdate12

2008-12-15 13:58 . 2008-06-16 13:23 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\Apple Computer

2008-12-15 13:58 . 2005-09-21 19:00 <DIR> d-------- d:\documents and settings\jadavis1\Application Data\AdobeUM

2008-12-15 13:58 . 2008-12-24 05:08 <DIR> d-------- d:\documents and settings\jadavis1

2008-12-15 13:42 . 2005-04-07 06:42 <DIR> d---s---- d:\documents and settings\dwadyka\UserData

2008-12-15 13:42 . 2007-01-18 09:04 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\Talkback

2008-12-15 13:42 . 2007-02-14 08:49 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\OfficeUpdate12

2008-12-15 13:42 . 2008-06-16 13:23 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\Apple Computer

2008-12-15 13:42 . 2005-09-21 19:00 <DIR> d-------- d:\documents and settings\dwadyka\Application Data\AdobeUM

2008-12-15 13:42 . 2008-12-15 13:42 <DIR> d-------- d:\documents and settings\dwadyka

2008-12-15 13:20 . 2008-12-15 13:20 <DIR> d-------- c:\winnt\SchCache

2008-12-15 13:19 . 2008-12-15 15:10 <DIR> d-------- c:\winnt\system32\ccmsetup

2008-12-15 13:19 . 2008-12-15 15:09 <DIR> d-------- c:\winnt\system32\CCM

2008-12-15 13:15 . 2008-12-15 13:15 <DIR> d-------- d:\documents and settings\tech-tbt\WINDOWS

2008-12-15 13:15 . 2008-12-15 13:15 <DIR> d-------- c:\program files\QPC

2008-12-15 13:15 . 2005-08-22 07:06 283,648 --a------ c:\winnt\uninst.exe

2008-12-15 13:15 . 1998-10-11 11:39 45,056 --a------ c:\winnt\system32\Smtp.dll

2008-12-15 13:15 . 1999-01-11 18:06 36,864 --a------ c:\winnt\system32\QvtNet.dll

2008-12-15 13:13 . 2004-08-31 12:29 419,328 --a------ c:\winnt\system32\UDPMulticast.exe

2008-12-15 13:13 . 2008-08-07 15:59 163,173 --a------ c:\winnt\system32\chkusr.EXE

2008-12-15 13:13 . 2003-11-26 14:32 40,960 --a------ c:\winnt\system32\dfrgusr.EXE

2008-12-15 13:13 . 2003-11-26 14:32 24,576 --a------ c:\winnt\system32\srvagnt.exe

2008-12-15 13:10 . 2008-12-15 13:12 <DIR> d-------- C:\IDS

2008-12-15 13:10 . 2008-10-22 15:40 51,262 --a------ c:\winnt\system32\srp.ico

2008-12-15 13:09 . 2005-04-07 06:42 <DIR> d---s---- d:\documents and settings\tech-tbt\UserData

2008-12-15 13:09 . 2007-01-18 09:04 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\Talkback

2008-12-15 13:09 . 2007-02-14 08:49 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\OfficeUpdate12

2008-12-15 13:09 . 2008-06-16 13:23 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\Apple Computer

2008-12-15 13:09 . 2005-09-21 19:00 <DIR> d-------- d:\documents and settings\tech-tbt\Application Data\AdobeUM

2008-12-15 13:09 . 2008-12-15 13:19 <DIR> d-------- d:\documents and settings\tech-tbt

2008-12-15 10:31 . 2008-12-15 10:31 4,444 --a------ c:\winnt\system32\pid.PNF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-21 10:04 --------- d-----w c:\program files\Symantec AntiVirus

2008-12-19 22:36 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-15 19:12 --------- d-----w c:\program files\Timbuktu Pro

2007-07-22 20:41 161,792 ----a-w c:\winnt\inf\b57xp32.sys

2007-07-22 20:41 157,648 ----a-w c:\winnt\inf\b57w2k.sys

2008-07-02 18:36 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-07-02 18:36 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-07-02 18:36 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-07-02 18:36 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-07-02 18:36 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2004-08-04 06:56 73,728 --sha-w c:\winnt\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]

"TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2002-02-08 143360]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"PDDM"="c:\program files\PatchLink\Update Agent\pddm.exe" [2008-04-28 843776]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AtHocGov"="c:\program files\AtHocGov\AtHocGov.exe" [2008-03-21 537248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWebServices"= 1 (0x1)

"NoOnlinePrintsWizard"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"PreXPSP2ShellProtocolBehavior"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoInplaceSharing"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IDSnetwork]

2008-08-11 06:13 86016 c:\ids\bin\IDSnetwork.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]

2002-02-08 22:05 81973 c:\program files\Timbuktu Pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]

"Script"=SMS\SMSGPOShutdown.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=SMS\SMSGPOStartup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\winnt\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Timbuktu Pro\\tb2launch.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=

R0 a320raid;a320raid;c:\winnt\system32\DRIVERS\a320raid.sys [2005-04-08 251578]

R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys []

R2 ETFSDNT;Entrust File System Hook;\??\c:\winnt\system32\etfsdrv.sys [2004-03-25 52224]

R2 IDSservice;IDSservice;c:\ids\bin\IDSservice.exe [2008-08-11 200704]

R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-06-06 116928]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]

R3 GTIPCI21;GTIPCI21;c:\winnt\system32\DRIVERS\gtipci21.sys [2007-07-19 88192]

R3 IFXTPM;IFXTPM;c:\winnt\system32\DRIVERS\IFXTPM.SYS [2006-06-05 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\winnt\Tasks\qtkfwhmj.job

- c:\winnt\system32\rundll32.exe [2008-04-13 18:12]

.

- - - - ORPHANS REMOVED - - - -

BHO-{0D8FD76A-7499-402F-AB98-97C40808FBA3} - c:\winnt\system32\byXRhGWp.dll__BHODemonDisabled

HKLM-Run-IDTSysTrayApp - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www6.jsc.nasa.gov

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: *.nasa.gov

Trusted Zone: webmail.jsc.nasa.gov

FF - ProfilePath - d:\documents and settings\jadavis1\Application Data\Mozilla\Firefox\Profiles\1tlipv7d.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-01 19:55:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*


Open notepad and copy and paste in the following:

REM create the collection folder on the desktop
MD "%USERPROFILE%"\desktop\malware
REM xcopy switches: /c continue on errors, /q quiet, /r overwrite read-only files,
REM /h include hidden and system files, /y suppress overwrite prompts
xcopy c:\winnt\system32\ridogeku.exe "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy c:\winnt\system32\dfrgusr.EXE "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy c:\winnt\system32\chkusr.EXE "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy c:\winnt\system32\srvagnt.exe "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy "c:\winnt\system32\karesabi" "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy "C:\qoobox" "%USERPROFILE%"\desktop\malware /c /q /r /h /y
REM clear the system, read-only and hidden attributes so the copies can be zipped
Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

Save it as getmalware.bat to the desktop and double-click on it to run it. It will create a folder called malware on your desktop. Please zip up this folder and attach it here in a new topic with a link to this thread. I will get back to you once they have been analyzed.
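As an added example, not the helper's batch file and not code from Malwarebytes or ComboFix, the same collection procedure written in Python. It copies each listed path into a collection folder, clears the read-only bit (the batch file's attrib -r step), writes a SHA-256 manifest of every file collected so the analyst can confirm the archive arrived intact, and zips the folder. A source that no longer exists is recorded as MISSING rather than aborting, which mirrors xcopy's /c. The file names ridogeku.exe, karesabi and qoobox are taken from the batch file above; the contents written by run_demo() are constructed placeholders and the function, helper names and the MANIFEST.txt file name are this example's own assumptions.

```python
"""Collect suspect files for analysis, with a SHA-256 manifest.

Added example: a Python equivalent of the getmalware.bat procedure above,
not the helper's own script.  It copies each listed path into a collection
folder, clears the read-only bit, records a SHA-256 digest of every file
collected, and zips the folder for submission.  A source path that no
longer exists is recorded as MISSING instead of aborting the run.
"""
import hashlib
import os
import shutil
import stat
import tempfile
import zipfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _make_writable(path: str) -> None:
    # On Windows os.chmod only toggles the read-only attribute; the hidden
    # and system attributes that "attrib -s -h" clears still need attrib.exe.
    # On POSIX this simply grants the owner read/write.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def collect_samples(paths, dest_dir: str) -> dict:
    """Copy each file or directory in `paths` into dest_dir.

    Returns {collected-relative-name: sha256-hex or None}; None marks a
    source path that did not exist.  Also writes dest_dir/MANIFEST.txt.
    """
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for src in paths:
        name = os.path.basename(src.rstrip("\\/"))
        dst = os.path.join(dest_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, dst)
            _make_writable(dst)
            manifest[name] = sha256_of(dst)
        elif os.path.isdir(src):
            shutil.copytree(src, dst, dirs_exist_ok=True)
            for root, _dirs, files in os.walk(dst):
                for fn in files:
                    fp = os.path.join(root, fn)
                    _make_writable(fp)
                    rel = os.path.relpath(fp, dest_dir).replace(os.sep, "/")
                    manifest[rel] = sha256_of(fp)
        else:
            manifest[name] = None  # source absent: recorded, not fatal
    with open(os.path.join(dest_dir, "MANIFEST.txt"), "w") as mf:
        for rel, digest in sorted(manifest.items()):
            mf.write(f"{digest or 'MISSING'}  {rel}\n")
    return manifest


def zip_folder(folder: str, zip_path: str) -> str:
    """Zip `folder` (MANIFEST.txt included) with forward-slash entry names."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(folder):
            for fn in files:
                fp = os.path.join(root, fn)
                zf.write(fp, os.path.relpath(fp, folder).replace(os.sep, "/"))
    return zip_path


def run_demo() -> dict:
    """Run the collection against a constructed stand-in for the helper's list.

    File names come from the batch file above; contents are constructed
    placeholders, and 'karesabi' is left absent to show the MISSING path.
    """
    base = tempfile.mkdtemp(prefix="getmalware_demo_")
    exe = os.path.join(base, "ridogeku.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ constructed placeholder, not a real sample")
    os.chmod(exe, stat.S_IRUSR)  # read-only, as a file needing attrib -r
    qoobox = os.path.join(base, "qoobox")
    os.makedirs(qoobox)
    with open(os.path.join(qoobox, "constructed.txt"), "w") as f:
        f.write("constructed quarantine listing\n")
    missing = os.path.join(base, "karesabi")
    dest = os.path.join(base, "malware")
    manifest = collect_samples([exe, qoobox, missing], dest)
    zip_path = zip_folder(dest, os.path.join(base, "malware.zip"))
    with zipfile.ZipFile(zip_path) as zf:
        entries = sorted(zf.namelist())
    return {"manifest": manifest, "sources": {"exe": exe},
            "zip_entries": entries, "zip_path": zip_path}


if __name__ == "__main__":
    for rel, digest in sorted(run_demo()["manifest"].items()):
        print(digest or "MISSING", rel)
```

On a real machine you would call collect_samples() with the c:\winnt\system32 paths and C:\qoobox from the batch file and a folder on the desktop, then attach the zip exactly as the helper asks. The standard zipfile module cannot write password-protected archives, so the result is a plain zip like the batch procedure's; the manifest is what lets the recipient check that nothing was stripped or altered in transit.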


Tigger93 - Here's the mbam log. BTW - this was the first time I was able to run Malwarebytes under its proper name. Things look good from this end. It seems like that last dose of combofix did the trick. Please let me know if there is anything else I need to do. I really appreciate all you did to help me through this. JD

Malwarebytes' Anti-Malware 1.32

Database version: 1617

Windows 5.1.2600 Service Pack 3

2009-01-05 07:30:22

mbam-log-2009-01-05 (07-30-22).txt

Scan type: Quick Scan

Objects scanned: 64957

Time elapsed: 9 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
