Malwarebytes stops running, even in safe mode


Jimcat


I don't use Vista so I'm not sure how the RC works with it.

Insert your Windows CD and start from the CD to start the Recovery Console.

I think you select Repair Options

You want the command prompt

At the command prompt type CD\ and tap Enter.

You want to be at C:\ or C:\windows

Type in: del C:\Windows\system32\DRIVERS\tdx.sys tap enter

Type in: copy C:\WINDOWS\ServicePackFiles\tdx.sys C:\Windows\system32\DRIVERS\ tap enter

Type in Exit and reboot.

Let me know how it's running; you can also try ComboFix.


Here is the NetworkDetails file. This is before running any operations with the restore CD.

Query Services version 2

...

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : NSI

: Tdx

: Afd

SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : System32\drivers\tcpip.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 3

DISPLAY_NAME : TCP/IP Protocol Driver

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Afd

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : \SystemRoot\system32\drivers\afd.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 0

DISPLAY_NAME : Ancilliary Function Driver for Winsock

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: Afd

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NetBT

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : System32\DRIVERS\netbt.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 12

DISPLAY_NAME : NETBT

DEPENDENCIES : Tdx

: tcpip

SERVICE_START_NAME :

SERVICE_NAME: NetBT

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NetBIOS

TYPE : 2 FILE_SYSTEM_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\netbios.sys

LOAD_ORDER_GROUP : NetBIOSGroup

TAG : 2

DISPLAY_NAME : NetBIOS Interface

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: NetBIOS

TYPE : 2 FILE_SYSTEM_DRIVER

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Lmhosts

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : TCP/IP NetBIOS Helper

DEPENDENCIES : NetBT

: Afd

SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Lmhosts

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 1040

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dnscache

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tdx

SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PolicyAgent

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IPsec Policy Agent

DEPENDENCIES : Tcpip

: bfe

SERVICE_START_NAME : NT Authority\NetworkService

SERVICE_NAME: PolicyAgent

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 2940

FLAGS :

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanserver

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Server

DEPENDENCIES : SamSS

: Srv

SERVICE_START_NAME : LocalSystem

SERVICE_NAME: lanmanserver

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 1124

FLAGS :

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RPCSS

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k rpcss

LOAD_ORDER_GROUP : COM Infrastructure

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC)

DEPENDENCIES : DcomLaunch

SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: RPCSS

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 908

FLAGS :

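The NetworkDetails log above already points at the broken piece without the helper's hint. WIN32_EXIT_CODE 1075 (0x433) is ERROR_SERVICE_DEPENDENCY_DELETED: the service could not start because a dependency does not exist or has been marked for deletion. Both stopped services, dhcp and Dnscache, report it, and the only dependency they share that the log does not show RUNNING is Tdx (tdx.sys). The script below is an added example, not part of the original thread and not code from SystemLook, ComboFix or any other tool used in it; it parses sc-style output (SC_LOG is a constructed excerpt in the layout of the posted log) and performs that check.

```python
"""Parse `sc qc` / `sc query` output and find the dependency that keeps
services down with WIN32_EXIT_CODE 1075 (ERROR_SERVICE_DEPENDENCY_DELETED).

Added example for this thread, not code from SystemLook, ComboFix or any
tool mentioned in it. SC_LOG is a constructed excerpt that follows the
layout of the NetworkDetails log posted above.
"""
import re

ERROR_SERVICE_DEPENDENCY_DELETED = 1075  # 0x433: a dependency does not exist

# Constructed excerpt (same fields and codes as the posted log, shortened).
SC_LOG = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : NSI
                           : Tdx
                           : Afd
        SERVICE_START_NAME : NT Authority\LocalService

SERVICE_NAME: dhcp
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1075  (0x433)

SERVICE_NAME: Afd
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Dnscache
        DISPLAY_NAME       : DNS Client
        DEPENDENCIES       : Tdx
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1075  (0x433)

[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
"""

KEY_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")   # "FIELD : value"
CONT_RE = re.compile(r"^\s*:\s*(\S+)\s*$")                  # "      : NextDependency"


def parse_sc_log(text):
    """Merge the config block and the status block of each service into one record."""
    services, current = {}, None
    for line in text.splitlines():
        cont = CONT_RE.match(line)
        if cont and current is not None:
            current["deps"].append(cont.group(1))
            continue
        m = KEY_RE.match(line)
        if not m:
            continue  # banners such as "[SC] OpenService FAILED 1060:" carry no field
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = services.setdefault(
                value.lower(),
                {"name": value, "deps": [], "state": None, "exit_code": None})
        elif current is None:
            continue
        elif key == "DEPENDENCIES" and value:
            current["deps"].append(value)
        elif key == "STATE":
            current["state"] = value.split()[-1]          # "1  STOPPED" -> STOPPED
        elif key == "WIN32_EXIT_CODE":
            current["exit_code"] = int(value.split()[0])  # "1075  (0x433)" -> 1075
    return services


def broken_dependencies(services):
    """For every service stopped with 1075, list the dependencies not seen RUNNING."""
    running = {n for n, s in services.items() if s["state"] == "RUNNING"}
    return {
        s["name"]: sorted(d for d in s["deps"] if d.lower() not in running)
        for s in services.values()
        if s["exit_code"] == ERROR_SERVICE_DEPENDENCY_DELETED
    }


def common_culprit(broken):
    """Dependencies shared by every 1075 service: the first thing to inspect."""
    sets = [{d.lower() for d in deps} for deps in broken.values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    broken = broken_dependencies(parse_sc_log(SC_LOG))
    print(broken)                  # {'dhcp': ['NSI', 'Tdx'], 'Dnscache': ['Tdx']}
    print(common_culprit(broken))  # {'tdx'}
```

On a live machine the same input comes from `sc qc <name>` and `sc query <name>` for each service in the chain; NSI is listed too because the excerpt never queries it, which is why the intersection across all 1075 services, not a single service's list, is the useful output.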

Is there a Vista doctor in the house? :)

There are several CD's included with my computer. There is one labeled as the operating system CD; this says "use this DVD only to reinstall the operating system", which I presume I don't want to do yet.

There is also a "Drivers and Utilities" CD which looks like what might be the most useful. I installed the console application, which has a lot of menu items, but nothing I can find labeled "Repair Options" or anything that seems to open up a command prompt.

There are a large number of drivers listed on the console, grouped under categories such as Utilities, Drivers, and Applications. Unfortunately it doesn't give file names, and I can't find anything that's obviously labeled "Ethernet card" or "Networking".

What's my next step?


TDSSKiller replaced the driver\tdx.sys

I'd like to see what we have for tdx.sys

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    tdx.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Here is the SystemLook output:

SystemLook 30.07.11 by jpshortstuff

Log created at 12:12 on 21/10/2011 by Jim Kasprzak 4

Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.sys"

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [10:59 11/09/2009] [05:58 20/10/2011] (Unable to calculate MD5)

-= EOF =-


When I try to do the above:

First I see a pop-up window that says "You'll need to provide administrator permission to copy this file". I click "Continue" and I get a pop-up saying "Windows needs your permission to continue". I click "Continue" on that window and it starts copying, but then I get another pop-up with the label "Destination Folder Access Denied" and it says "You need permission to perform this action".

I was pretty sure that my user profile had administrator access. What am I missing?


Turning off UAC made it worse - it doesn't even try now, it just gives me the "Destination Folder Access Denied" pop-up.

I know how to log in in safe mode, but I'm not sure what I need to do to specifically "log in as administrator". As far as I know, all of my user profiles have administrator access. Is there another step I need?


1. Start your computer from the Windows Vista Installation DVD

2. Press a key when prompted to continue

3. Choose your language, time, keyboard and click Next.

I think you select Repair Options

You want the command prompt

At the command prompt type in:

copy C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys C:\windows\System32\Drivers\

tap enter.

You should see, one file copied

Note any spaces, they need to be there.


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys | C:\windows\System32\Drivers\tdx.sys

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Here is the Combofix log from the latest run:

ComboFix 11-10-20.08 - Jim Kasprzak 4 10/21/2011 17:47:03.3.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.1216 [GMT -4:00]

Running from: c:\users\Jim Kasprzak 4\Desktop\ComboFix.exe

Command switches used :: c:\users\Jim Kasprzak 4\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))

.

.

2011-10-21 22:02 . 2011-10-21 22:02 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp

2011-10-21 22:02 . 2011-10-21 22:02 -------- d-----w- c:\users\Jim\AppData\Local\temp

2011-10-21 22:02 . 2011-10-21 22:02 -------- d-----w- c:\users\Jim Kasprzak\AppData\Local\temp

2011-10-21 22:02 . 2011-10-21 22:02 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Local\temp

2011-10-21 22:02 . 2011-10-21 22:02 -------- d-----w- c:\users\Jim Kasprzak 2\AppData\Local\temp

2011-10-21 22:02 . 2011-10-21 22:02 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-21 21:24 . 2011-10-21 21:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BA0802C-633C-40DC-B3AA-103B3FE4444C}\offreg.dll

2011-10-21 14:44 . 2011-10-21 14:44 -------- d-----w- c:\windows\system32\vmm32

2011-10-20 01:20 . 2007-12-05 11:17 77824 ----a-w- c:\windows\system32\AERTSrv.exe

2011-10-19 01:42 . 2011-09-21 13:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BA0802C-633C-40DC-B3AA-103B3FE4444C}\mpengine.dll

2011-10-15 11:08 . 2011-10-15 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-15 11:08 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-15 10:28 . 2011-10-15 10:28 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-10-14 10:24 . 2011-10-14 10:24 -------- d-----w- c:\programdata\Malwarebytes

2011-10-12 23:08 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-10-12 23:08 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll

2011-10-12 23:08 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax

2011-10-12 23:08 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax

2011-10-12 23:08 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax

2011-10-12 23:08 . 2011-09-14 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-10-12 23:08 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll

2011-10-12 23:08 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll

2011-10-12 23:08 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll

2011-10-12 23:08 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll

2011-10-11 09:59 . 2011-10-11 10:00 -------- d-----w- c:\users\Jim Kasprzak 4

2011-10-11 09:34 . 2011-10-11 09:34 -------- d--h--w- c:\users\Jim Kasprzak 3\Tracing

2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Unity

2011-10-11 09:34 . 2010-10-20 23:36 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Windows Live Writer

2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\TaxCut

2011-10-11 09:34 . 2011-10-11 09:34 -------- d--h--w- c:\users\Jim Kasprzak 3\AppData\Roaming\Oberon Media

2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\PCDr

2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----r- c:\users\Jim Kasprzak 3\AppData\Roaming\SecuROM

2011-10-11 09:31 . 2011-10-11 09:31 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Merscom

2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\IGN_DLM

2011-10-11 09:30 . 2011-10-11 09:30 -------- d--h--w- c:\users\Jim Kasprzak 3\AppData\Roaming\funkitron

2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Facebook

2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\eMusic

2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\CyberLink

2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Amazon

2011-10-11 09:30 . 2009-12-01 02:33 8653312 ----a-w- c:\users\Jim Kasprzak 3\AppData\Roaming\DataSafeDotNet.exe

2011-10-09 17:52 . 2011-10-09 17:52 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Malwarebytes

2011-10-09 09:35 . 2011-10-09 09:35 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\McAfee

2011-10-08 19:29 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-10-05 00:06 . 2011-10-05 00:06 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\PlayFirst

2011-09-23 11:08 . 2011-09-23 11:08 307200 ----a-w- c:\program files\Internet Explorer\iediagcmd.exe

2011-09-23 11:08 . 2011-09-23 11:08 161792 ----a-w- c:\windows\system32\msls31.dll

2011-09-23 11:08 . 2011-09-23 11:08 107008 ----a-w- c:\program files\Internet Explorer\iecleanup.exe

2011-09-23 11:08 . 2011-09-23 11:08 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-19 02:35 . 2009-09-11 10:59 185856 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-19 01:34 . 2011-06-15 19:07 273408 ----a-w- c:\windows\system32\drivers\afd.sys

2011-09-28 01:59 . 2011-05-14 09:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-08-22 10:40 . 2011-08-22 10:40 0 ---ha-w- c:\users\Jim Kasprzak 2\AppData\Local\Spituj.bin

2011-08-15 14:00 . 2010-08-25 07:51 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-08-15 14:00 . 2010-08-25 07:50 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-08-15 14:00 . 2010-08-25 07:50 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys

2011-08-15 14:00 . 2010-08-25 07:50 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-08-15 14:00 . 2010-08-25 07:50 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-08-15 14:00 . 2010-08-25 07:50 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-08-15 14:00 . 2010-08-25 07:50 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-08-15 14:00 . 2010-08-25 07:50 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-08-15 14:00 . 2010-08-25 07:50 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2011-08-15 14:00 . 2010-08-25 07:50 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-07-08 07:16 . 2011-08-14 18:18 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-04-14 18:01 . 2011-08-14 19:44 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-10 1317016]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe" [2011-09-28 243360]

.

c:\users\Jim Kasprzak 4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-5-13 53248]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-05-13 07:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiSpywareOverride"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2009-03-30 66368]

R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [x]

R2 dsl-db;Remote Access DB;c:\program files\Common Files\Dell\MySQL\bin\mysqld.exe [x]

R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe [2009-01-05 173296]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]

R2 uvnc_service;UltraVNC Server;c:\programdata\UltraVNC\winvnc.exe [2008-08-31 1519168]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]

R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]

S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]

S2 Apache2.2;Remote Access Media Server;c:\program files\Common Files\Dell\apache\bin\httpd.exe [2007-09-21 15872]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-08-19 148520]

S2 SftService;SoftThinks Agent Service;c:\windows\sminst\sftservice.EXE [2009-02-23 632048]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-15 c:\windows\Tasks\Norton Security Scan for Jim Kasprzak.job

- c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-03-13 07:25]

.

2011-10-21 c:\windows\Tasks\User_Feed_Synchronization-{E31C1D6B-950E-489A-A927-F01A5C3A2B23}.job

- c:\windows\system32\msfeedssync.exe [2011-09-23 11:07]

.

2011-10-21 c:\windows\Tasks\vtscheduletask.job

- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-10-09 18:25]

.

.

------- Supplementary Scan -------

.

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

TCP: DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220

FF - ProfilePath -

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:a6,91,65,95,bf,8c,cc,01

.

Completion time: 2011-10-21 18:05:37

ComboFix-quarantined-files.txt 2011-10-21 22:05

ComboFix2.txt 2011-10-21 01:48

ComboFix3.txt 2011-10-20 09:34

.

Pre-Run: 57,925,611,520 bytes free

Post-Run: 57,893,535,744 bytes free

.

- - End Of File - - D0405AB30415331EF3FB8797073CEC26


Let's find out if it worked.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    tdx.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


This thing is pretty persistent. It looks like SystemLook is returning the same results as it did before we ran Combofix:

SystemLook 30.07.11 by jpshortstuff

Log created at 18:29 on 21/10/2011 by Jim Kasprzak 4

Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.sys"

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [10:59 11/09/2009] [05:58 20/10/2011] (Unable to calculate MD5)

-= EOF =-

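Both SystemLook runs (the one before the ComboFix FCopy and this one after it) say the same thing: only the two WinSxS copies of tdx.sys are found, no C:\Windows\System32\Drivers\tdx.sys appears at all, and the 6.0.6002 copy has a hash SystemLook could not compute even though it ran elevated, plus two bracketed timestamps that disagree. The script below is an added example, not part of the thread and not SystemLook's own code; it parses a constructed excerpt in SystemLook's filefind layout and reports exactly those three conditions against an expected path, which is the check the helper is doing by eye.

```python
"""Read a SystemLook :filefind result and decide whether the expected copy
of a driver landed, and whether any listed copy looks wrong.

Added example for this thread; it is not SystemLook's own code. FILEFIND is a
constructed excerpt in the layout of the two SystemLook logs posted above
(path, attributes, size, two bracketed timestamps, MD5 or an error marker).
"""
import re
from datetime import datetime

FILEFIND = r"""
========== filefind ==========

Searching for "tdx.sys"
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:24 21/01/2008] [02:24 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [10:59 11/09/2009] [05:58 20/10/2011] (Unable to calculate MD5)

-= EOF =-
"""

ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]+)\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>.+?)\s*$")
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def parse_stamp(s):
    return datetime.strptime(s, "%H:%M %d/%m/%Y")  # SystemLook prints HH:MM DD/MM/YYYY


def parse_filefind(text):
    """One record per result line; md5 is None when SystemLook could not read the file."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # banner, "Searching for", EOF marker
        md5 = m["md5"].strip()
        entries.append({
            "path": m["path"],
            "size": int(m["size"]),
            "stamps": (parse_stamp(m["t1"]), parse_stamp(m["t2"])),
            "md5": md5.upper() if HEX32.fullmatch(md5) else None,
        })
    return entries


def assess(entries, expected_path):
    """Findings a responder would want: expected copy absent, unreadable file, stamps that disagree."""
    findings = []
    if expected_path.lower() not in {e["path"].lower() for e in entries}:
        findings.append(f"missing: {expected_path} does not appear in the results")
    for e in entries:
        if e["md5"] is None:
            findings.append(f"unreadable: {e['path']} (hash not computable even when elevated)")
        first, second = e["stamps"]
        if first != second:
            findings.append(
                f"timestamps differ: {e['path']} {first:%Y-%m-%d %H:%M} vs {second:%Y-%m-%d %H:%M}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_filefind(FILEFIND), r"C:\Windows\System32\Drivers\tdx.sys"):
        print(finding)
```

The two WinSxS copies legitimately differ in size and hash because they belong to different service-pack versions, so the script does not compare them to each other; what it flags is a copy that cannot even be read while elevated, which matches the "Destination Folder Access Denied" symptom described earlier in the thread.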

I think the infection has locked your permissions.

Download junction.zip from this link and extract junction.exe to your desktop.

• Right click Junction.zip and choose Extract All...

• When the Compressed Folders Extraction wizard opens, click Next

• Click Browse

• When the "select a destination" box opens, click My Computer > Local Disk (C:) > Windows > OK

• Back at the Extraction Wizard, click Next.

• Untick "Show Extracted Files" and click Finish

Click Start > Run. Copy and paste the contents of the codebox below into the run box.

(Do Not include Code:) Then click OK:

cmd /c junction -s c:\ >log.txt&log.txt&del log.txt.

• A command window will open and the system will be scanned. (Click Agree to the prompt)

• Please be patient and wait until a log file opens in Notepad.

• Copy and paste the contents of that file in your next reply.

