Slow Startup with a Beep ... Continued ...


  • This topic is locked
39 replies to this topic

#1 Alfinator

Alfinator

  • Members
  • 35 posts

Posted 21 January 2009 - 11:24 PM

I just copied the following from a previous forum post under Am I infected? What do I do?. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/196874/slow-startup-with-a-beep/ Referred here from that topic. ~ OB

My problem began when a warning popped up saying that I have the Win32.Zafi.B trojan which I believe I already removed.

I was then online and whenever I click on a link, it goes to a totally different site, and I noticed in the processes in Task Manager that svchost.exe is coming up a lot. I went to boot up in Safe Mode, did a regedit, did a find on svchost and began deleting them. When I rebooted again, there's a beep and it takes so long for Windows to complete loading. A lot of my programs that are trying to access the internet began giving me lots of error messages. I could do a copy on a file or folder, but I am not given a paste option. I cannot connect to the internet with either Internet Explorer or Mozilla Firefox. When I'm in Windows Explorer and click on Search, the search menu doesn't show up on the left, only the dog assistant shows up. I tried doing, from Task Manager, Run, sfc /scannow, but that didn't do anything. I've tried booting with the Windows XP CD, but I couldn't figure out what to do.

Please help?

Alfinator

Here's the report:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Alfie at 23:13:01.10 on Wed 01/21/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071112
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071112
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2787ea8e-8d87-48af-88ad-b30246c917ab} - SearchPerks! Perk Counter
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} -
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alfie\applic~1\mozilla\firefox\profiles\qz79cmoq.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-21 23:12 368,916 a------- c:\documents and settings\alfie\dds.scr
2009-01-21 22:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 22:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 22:44 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 22:44 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-21 19:40 1,949,896 a------- c:\documents and settings\alfie\something2.exe
2009-01-21 19:40 2,737,808 a------- c:\documents and settings\alfie\something.exe
2009-01-19 23:14 --d----- c:\docume~1\alfie\applic~1\GlarySoft
2009-01-19 22:48 --d----- c:\program files\Free Window Registry Repair
2009-01-18 22:15 --d----- c:\windows\pss
2009-01-18 17:52 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-18 12:56 262,144 a------- C:\ntuser.dat
2009-01-17 23:38 --d----- c:\program files\common files\Download Manager
2009-01-17 22:25 2,204 a------- c:\windows\system32\TDSSfxmp.dll
2009-01-17 22:25 61,440 a------- c:\windows\system32\TDSScfum.dll
2009-01-17 22:25 31,232 a------- c:\windows\system32\TDSSriqp.dll
2009-01-17 22:25 29,696 a------- c:\windows\system32\TDSSnrsr.dll
2009-01-17 22:25 441 a------- c:\windows\system32\TDSSosvd.dat
2009-01-17 22:25 60,416 a------- c:\windows\system32\drivers\TDSSmaxt.sys
2009-01-17 22:25 35,840 a------- c:\windows\system32\TDSSofxh.dll
2009-01-17 22:24 --d----- c:\docume~1\alfie\applic~1\Yahoo
2008-12-31 10:59 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-31 10:59 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-30 18:13 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-05-11 21:03 32 a----r-- c:\documents and settings\all users\hash.dat
2008-09-25 12:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat

============= FINISH: 23:13:15.35 ===============

Edited by Orange Blossom, 21 January 2009 - 11:27 PM.


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 30 January 2009 - 02:01 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 Alfinator

Alfinator
  • Topic Starter

  • Members
  • 35 posts

Posted 30 January 2009 - 08:35 PM

Hi Panda,

I tried running ComboFix, but the Windows Recovery Console was not installed since the internet connection is not working. Also, after getting the log, nothing else happened, no reboot.

Here's the ComboFix log:


ComboFix 09-01-21.04 - Alfie 2009-01-30 20:27:38.1 - NTFSx86
Running from: F:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\TDSSmaxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-21 23:12 . 2006-03-31 04:01 368,916 --a------ c:\documents and settings\Alfie\dds.scr
2009-01-21 22:44 . 2009-01-21 22:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 22:44 . 2009-01-21 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 22:44 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 22:44 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 19:40 . 2006-03-31 00:10 2,737,808 --a------ c:\documents and settings\Alfie\something.exe
2009-01-21 19:40 . 2006-03-31 00:28 1,949,896 --a------ c:\documents and settings\Alfie\something2.exe
2009-01-19 23:14 . 2009-01-19 23:14 <DIR> d-------- c:\documents and settings\Alfie\Application Data\GlarySoft
2009-01-19 22:48 . 2009-01-21 19:20 <DIR> d-------- c:\program files\Free Window Registry Repair
2009-01-18 17:52 . 2009-01-21 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-18 12:56 . 2009-01-18 12:56 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-01-18 12:56 . 2009-01-18 12:56 262,144 --a------ C:\ntuser.dat
2009-01-18 00:14 . 2007-11-12 16:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Roxio
2009-01-18 00:14 . 2007-11-12 16:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-01-18 00:14 . 2007-11-12 16:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GTek
2009-01-18 00:14 . 2009-01-21 19:11 <DIR> d-------- c:\documents and settings\Administrator
2009-01-17 23:38 . 2009-01-17 23:38 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-17 22:25 . 2009-01-18 22:27 2,204 --a------ c:\windows\system32\TDSSfxmp.dll
2009-01-17 22:24 . 2009-01-17 22:24 <DIR> d-------- c:\documents and settings\Alfie\Application Data\Yahoo
2008-12-31 10:59 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-31 10:59 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-30 18:13 . 2008-12-30 18:13 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 17:41 . 2008-12-22 17:41 <DIR> d-------- c:\program files\Softouch
2008-12-22 17:41 . 2008-12-22 17:41 <DIR> d-------- c:\program files\Common Files\Borland Shared
2008-12-22 17:41 . 1999-01-20 05:01 210,032 --a------ c:\windows\system32\DBCLIENT.DLL
2008-12-22 17:41 . 1999-11-12 05:11 183,808 --a------ c:\windows\system32\BDEADMIN.CPL
2008-12-22 17:36 . 2008-12-22 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Softouch
2008-12-22 17:36 . 2008-12-22 17:36 <DIR> d-------- c:\documents and settings\Alfie\Application Data\Softouch
2008-12-20 22:50 . 2009-01-18 22:33 <DIR> d-------- c:\program files\OrangeShark Games
2008-12-20 22:50 . 2008-12-20 22:50 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-12-18 23:03 . 2008-12-18 23:03 <DIR> d-------- c:\program files\Common Files\Scanner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 00:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-22 00:12 --------- d-----w c:\program files\Blocktrix
2009-01-20 04:10 --------- d-----w c:\program files\Google
2009-01-18 21:58 --------- d-----w c:\program files\Yahoo!
2009-01-18 21:56 --------- d-----w c:\documents and settings\Alfie\Application Data\Yahoo!
2009-01-18 17:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-30 23:13 --------- d-----w c:\program files\Java
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:38 63,488 ------w c:\windows\system32\dllcache\icardie.dll
2008-10-16 20:38 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-16 20:38 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2008-10-16 20:38 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
2008-10-16 20:38 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2008-10-16 20:38 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-05-12 02:03 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-09-25 17:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
.

------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2004-08-04 06:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2006-01-09 13:02 662016 dde9597a3311748c1519444e2bc147bd c:\windows\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-20 05:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 22:35 827392 41546b396a526918da7995a02ea04e51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 11:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 04:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 15:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2007-06-26 09:09 658944 184e47c8f7b331025e6dc92740db188f c:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 05:04 824832 774435e499d8e9643ec961a6103c361f c:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-22 23:16 826368 f6589be784647cfdbc22ea51ccb1a57a c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 11:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 02:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-10-16 15:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 c:\windows\system32\wininet.dll

2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 06:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe

2004-08-04 06:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2004-08-04 06:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 04:15 2017280 2dfb215e291e3d9b1cf9a6739b3bf16c c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-13 13:31 2023936 7f653a89f6e89e3ae0d49830eece35d4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 04:33 2023936 8206b5f94a6a9450e934029420c1693f c:\windows\system32\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 04:53 2137600 e6679c3023b17d8b78946bc5df53fa20 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-13 14:24 2145280 40f8880122a030a7e9e1fedea833b33d c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 05:09 2145280 f6f8245b3a2e9ca834dd318e7ae0c6d0 c:\windows\system32\ntoskrnl.exe

2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 06:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe

2004-08-04 06:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe

2004-08-04 06:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe

2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe

2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll

2004-08-04 06:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Cdfs
*Deregistered* - DLABMFSM
*Deregistered* - DLABOIOM
*Deregistered* - DLADResM
*Deregistered* - DLAIFS_M
*Deregistered* - DLAOPIOM
*Deregistered* - DLAPoolM
*Deregistered* - DLARTL_M
*Deregistered* - DLAUDF_M
*Deregistered* - DLAUDFAM
*Deregistered* - DRVNDDM
*Deregistered* - DSproct
*Deregistered* - dsunidrv
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - hnmsvc
*Deregistered* - i2omgmt
*Deregistered* - iaStor
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - Packet
*Deregistered* - PartMgr
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RoxWatch9
*Deregistered* - sr
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - WudfPf
.
Contents of the 'Scheduled Tasks' folder

2008-03-09 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1195332574.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2787EA8E-8D87-48af-88AD-B30246C917AB} - (no file)
Toolbar-{2787EA8E-8D87-48af-88AD-B30246C917AB} - (no file)
WebBrowser-{2787EA8E-8D87-48AF-88AD-B30246C917AB} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071112
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Alfie\Application Data\Mozilla\Firefox\Profiles\qz79cmoq.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 20:28:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmaxt.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSmaxt.sys"
"group"="file system"
.
Completion time: 2009-01-30 20:29:22
ComboFix-quarantined-files.txt 2009-01-31 01:29:01

Pre-Run: 133,669,654,528 bytes free
Post-Run: 140,577,841,152 bytes free

341 --- E O F --- 2009-01-18 22:11:03

#4 Alfinator

Posted 30 January 2009 - 08:52 PM

Hi Panda,

I rebooted manually and ran DDS.

Here's the new DDS log and attachment:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Alfie at 20:46:03.06 on Fri 01/30/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071112
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alfie\applic~1\mozilla\firefox\profiles\qz79cmoq.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-30 20:26 161,792 a------- c:\windows\SWREG.exe
2009-01-30 20:26 98,816 a------- c:\windows\sed.exe
2009-01-30 20:26 <DIR> --d----- C:\ComboFix
2009-01-21 23:12 368,916 a------- c:\documents and settings\alfie\dds.scr
2009-01-21 22:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 22:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 22:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-21 19:40 1,949,896 a------- c:\documents and settings\alfie\something2.exe
2009-01-21 19:40 2,737,808 a------- c:\documents and settings\alfie\something.exe
2009-01-19 23:14 <DIR> --d----- c:\docume~1\alfie\applic~1\GlarySoft
2009-01-19 22:48 <DIR> --d----- c:\program files\Free Window Registry Repair
2009-01-18 22:15 <DIR> --d----- c:\windows\pss
2009-01-18 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-18 12:56 262,144 a------- C:\ntuser.dat
2009-01-17 23:38 <DIR> --d----- c:\program files\common files\Download Manager
2009-01-17 22:25 2,204 a------- c:\windows\system32\TDSSfxmp.dll
2009-01-17 22:24 <DIR> --d----- c:\docume~1\alfie\applic~1\Yahoo

==================== Find3M ====================

2008-12-30 18:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-05-11 21:03 32 a----r-- c:\documents and settings\all users\hash.dat
2008-09-25 12:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat

============= FINISH: 20:46:18.48 ===============

#5 PropagandaPanda

Posted 31 January 2009 - 10:07 AM

Hello Alfinator.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-
    
    :files
    c:\documents and settings\Alfie\something.exe
    c:\documents and settings\Alfie\something2.exe
    c:\windows\system32\TDSSfxmp.dll
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

It doesn't look like you have an antivirus installed. Please install one from the list in my previous post. Take a new DDS.txt log from after the installation.

With Regards,
The Panda
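
The :reg script above undoes two tell-tale changes (a firewall exception for an svchost.exe living under drivers\ and a Security Center AntiVirusOverride value), and the ComboFix output earlier in the thread shows the locked TDSSserv.sys service key. As an added example, not part of the thread and not code from ComboFix, OTMoveIt, DDS or GMER, here is a small Python triage routine that applies those checks, plus GMER's hidden-service marker, to log lines in the formats these tools print on this page; the sample lines are constructed from the thread's own logs, with one legitimate firewall entry added for contrast.

```python
"""Triage rules for the registry and GMER log line formats seen in this thread.

Added example; the regular expressions assume the textual formats exactly as
ComboFix, OTMoveIt and GMER print them on this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule identifier
    detail: str  # the path, value name or service the rule fired on
    why: str     # what a responder should read into it


# GMER marks services it could only see by bypassing the Windows API as hidden.
HIDDEN_SERVICE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)", re.IGNORECASE)
# Key lines as they appear in OTMoveIt :reg scripts, .reg exports and
# ComboFix's registry listings.
FIREWALL_LIST = re.compile(r"AuthorizedApplications\\List\]$", re.IGNORECASE)
SEC_CENTER = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\]$", re.IGNORECASE)
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\(?:ControlSet\d+|CurrentControlSet)"
    r"\\Services\\(?P<svc>[^\\\]]+)\]$", re.IGNORECASE)
VALUE_NAME = re.compile(r'^"(?P<name>[^"]+)"=')


def _unescape(reg_path: str) -> str:
    """Collapse the doubled backslashes used in .reg / :reg value names."""
    return reg_path.replace("\\\\", "\\")


def triage_log(text: str) -> List[Finding]:
    """Walk the log once, remembering which registry key each value belongs to."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hidden = HIDDEN_SERVICE.match(line)
        if hidden:
            findings.append(Finding("hidden-service", hidden.group("image"),
                                    "driver service concealed from the service API"))
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            continue
        if current_key is None:
            continue  # a value line with no key context tells us nothing
        svc = SERVICE_KEY.match(current_key)
        if svc and line.upper().startswith("@DACL="):
            # ComboFix prints @DACL= only in its LOCKED REGISTRY KEYS section.
            findings.append(Finding("locked-service-key", svc.group("svc"),
                                    "service key ACL changed to resist inspection and removal"))
            continue
        value = VALUE_NAME.match(line)
        if not value:
            continue
        name = _unescape(value.group("name"))
        if FIREWALL_LIST.search(current_key):
            low = name.lower()
            # The genuine svchost.exe lives only in %windir%\system32; a copy under
            # drivers\ (or anywhere else) is a look-alike asking for a firewall hole.
            if (low.rsplit("\\", 1)[-1] == "svchost.exe"
                    and not low.endswith("\\system32\\svchost.exe")):
                findings.append(Finding("masquerading-svchost", name,
                                        "firewall exception for an svchost.exe outside system32"))
        elif SEC_CENTER.search(current_key) and name.lower() == "antivirusoverride":
            findings.append(Finding("security-center-override", name,
                                    "Security Center told to stop reporting missing antivirus"))
    return findings


# Constructed sample assembled from lines quoted in this thread, plus one
# legitimate firewall entry to show the svchost rule does not fire on it.
SAMPLE_LOG = r"""
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\svchost.exe"=-
"%windir%\\system32\\drivers\\svchost.exe"=-

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSmaxt.sys"
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}: {f.why}")
```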

#6 Alfinator

Posted 31 January 2009 - 10:50 AM

Hi Panda,

Here's the log from OTMoveIt:

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\\AntiVirusOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\drivers\svchost.exe deleted successfully.
========== FILES ==========
c:\documents and settings\Alfie\something.exe moved successfully.
c:\documents and settings\Alfie\something2.exe moved successfully.
LoadLibrary failed for c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSfxmp.dll NOT unregistered.
c:\windows\system32\TDSSfxmp.dll moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01312009_104107

#7 Alfinator

Posted 31 January 2009 - 10:58 AM

Hi Panda,

I installed AVG Free and got this message:

Local machine: installed successfully
Initialization:
Warning: Windows Firewall activity checking failed.
Error 0x800706ba
Commit:
Warning: Unregistration of product AntiVirusProduct with ID {67B30939-3B35-11D2-A595-002018648BA7} from the Windows Security Center failed.
Error 0x800706ba

#8 Alfinator

Posted 31 January 2009 - 11:04 AM

Hi Panda,

Also, the updates for AVG free didn't work since there's no internet connection.

Here's the latest DDS log and attachment:



DDS (Ver_09-01-19.01) - NTFSx86
Run by Alfie at 10:59:39.42 on Sat 01/31/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071112
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alfie\applic~1\mozilla\firefox\profiles\qz79cmoq.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-31 10:52 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-31 10:52 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 10:52 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-31 10:52 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-31 10:52 <DIR> --d----- c:\docume~1\alfie\applic~1\AVGTOOLBAR
2009-01-31 10:52 <DIR> --d----- c:\program files\AVG
2009-01-30 20:26 161,792 a------- c:\windows\SWREG.exe
2009-01-30 20:26 98,816 a------- c:\windows\sed.exe
2009-01-30 20:26 <DIR> --d----- C:\ComboFix
2009-01-21 23:12 368,916 a------- c:\documents and settings\alfie\dds.scr
2009-01-21 22:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 22:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 22:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 23:14 <DIR> --d----- c:\docume~1\alfie\applic~1\GlarySoft
2009-01-19 22:48 <DIR> --d----- c:\program files\Free Window Registry Repair
2009-01-18 22:15 <DIR> --d----- c:\windows\pss
2009-01-18 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-18 12:56 262,144 a------- C:\ntuser.dat
2009-01-17 23:38 <DIR> --d----- c:\program files\common files\Download Manager
2009-01-17 22:24 <DIR> --d----- c:\docume~1\alfie\applic~1\Yahoo

==================== Find3M ====================

2008-12-30 18:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-05-11 21:03 32 a----r-- c:\documents and settings\all users\hash.dat
2008-09-25 12:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat

============= FINISH: 10:59:58.70 ===============

#9 PropagandaPanda

Posted 31 January 2009 - 11:15 AM

Hello Alfinator.

Let's try to repair that connection. First let's make sure nothing is hiding from us.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#10 Alfinator

Posted 31 January 2009 - 11:40 AM

Hi Panda,

Here's the GMER log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-31 11:39:11
Windows 5.1.2600 Service Pack 3


---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0039B467
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0039B27A
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 00396CA8
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00397881
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0039962B
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 0039804D
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00397A66
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 00398EA6
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0039AB0E
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0039AB3E
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0039B681
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0039A868
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 003995BB
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 0039870D
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 00397E61
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 003983A9
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0039B9AD
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 003990A5
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 003994B7
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 00399BFA
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 003998EA
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 00399BA8
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0039A1E4
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 00399CF2
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 00397C75
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 00398662
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0039ABE9
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 003999AC
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0039956E
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 003992E2
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 003996BB
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0039B68D
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 00399881
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0039B812
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0039B7E0
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0039B935
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0039B991
IAT C:\Program Files\Dell Network Assistant\ezi_hnm2.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0039B87E
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [610E9B47] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [610E89E8] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [610E8922] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [610E8960] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [610E89B0] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [610E88E4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [610E9B47] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [610E8960] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [610E88E4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[568] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [610E8922] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.14 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSfxmp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSfxmp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log

---- EOF - GMER 1.0.14 ----

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 31 January 2009 - 12:18 PM

Hello.

Ah .. that's not good.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to delete:
    TDSSserv.sys
    
    Files to delete:
    c:\windows\system32\drivers\TDSSmaxt.sys
    c:\windows\system32\TDSSofxh.dll
    c:\windows\systemroot\system32\TDSSosvd.dat
    c:\windows\systemroot\system32\TDSSnrsr.dll
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSScfum.dll
    c:\windows\system32\TDSSfxmp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSsbhc.dll
    c:\windows\system32\TDSSrhym.log
    c:\windows\system32\TDSStkdv.log
    
    Registry keys to delete:
    HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys
  • Click the paste button to paste the script from the clipboard.
  • Check the Scan for rootkits and Disable Rootkits automatically when found boxes.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.

Follow up with a new GMER and DDS scan.

Can you connect to the Internet now?

With Regards,
The Panda

Edited by PropagandaPanda, 31 January 2009 - 12:18 PM.


#12 Alfinator

Alfinator
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 31 January 2009 - 12:41 PM

Hi Panda,

I still can't connect to the internet after the GMER scan.

#13 Alfinator

Alfinator
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 31 January 2009 - 12:49 PM

Hi Panda,

Here's the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "TDSSserv.sys" deleted successfully.

Error: file "c:\windows\system32\drivers\TDSSmaxt.sys" not found!
Deletion of file "c:\windows\system32\drivers\TDSSmaxt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSofxh.dll" not found!
Deletion of file "c:\windows\system32\TDSSofxh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "c:\windows\systemroot\system32\TDSSosvd.dat"
Deletion of file "c:\windows\systemroot\system32\TDSSosvd.dat" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "c:\windows\systemroot\system32\TDSSnrsr.dll"
Deletion of file "c:\windows\systemroot\system32\TDSSnrsr.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "c:\windows\system32\TDSSriqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSriqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSScfum.dll" not found!
Deletion of file "c:\windows\system32\TDSScfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSfxmp.dll" not found!
Deletion of file "c:\windows\system32\TDSSfxmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSsbhc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsbhc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSrhym.log" not found!
Deletion of file "c:\windows\system32\TDSSrhym.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSStkdv.log" not found!
Deletion of file "c:\windows\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
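
An added example, not code from the thread, from GMER or from Avenger: GMER prints driver and module paths in NT-native form, and `\systemroot\` there is an object-manager symbolic link to the Windows directory, so `\systemroot\system32\TDSSosvd.dat` is `C:\WINDOWS\system32\TDSSosvd.dat` on this machine. The Avenger script above carried two of those paths over as `c:\windows\systemroot\system32\...`, which is why the log answers STATUS_OBJECT_PATH_NOT_FOUND (bad parent directory) for them, while the remaining entries got STATUS_OBJECT_NAME_NOT_FOUND (the path was valid but nothing was there). The script below parses the `Reg` and hidden-`Service` lines of a GMER log (the sample input is copied from the log posted earlier), translates the paths, renders a removal list in the three-section layout the Avenger script used, and flags the tell-tale `C:\...\systemroot\` artefact before anything is executed. The drive letter and Windows directory are assumptions passed in as a parameter.

```python
r"""
Turn GMER 'Reg' / hidden-'Service' lines into a removal list, translating the
NT-native paths GMER prints into Win32 paths.

\systemroot\ is an object-manager symbolic link to the Windows directory, so
\systemroot\system32\drivers\TDSSmaxt.sys is C:\WINDOWS\system32\drivers\TDSSmaxt.sys,
not C:\WINDOWS\systemroot\system32\... (the form that produced
STATUS_OBJECT_PATH_NOT_FOUND in the Avenger log).
"""
import re
from typing import Dict, List

# Sample input: lines copied from the GMER log posted earlier in this thread.
SAMPLE_GMER = r"""
Service system32\drivers\TDSSmaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmaxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
"""

REG_LINE = re.compile(r"^Reg\s+(?P<key>\S+)@(?P<value>\S+)\s+(?P<data>.+?)\s*$")
HIDDEN_SERVICE = re.compile(r"^Service\s+.*\*\*\* hidden \*\*\*.*\]\s+(?P<name>\S+)")
SYSROOT = "\\systemroot"            # NT symbolic link to the Windows directory


def nt_to_win32(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Translate the path forms seen in GMER output into Win32 paths."""
    p = path.strip()
    low = p.lower()
    if low.startswith(SYSROOT + "\\"):       # \systemroot\x -> C:\WINDOWS\x
        return system_root + p[len(SYSROOT):]
    if low.startswith("\\??\\"):             # \??\C:\x -> C:\x
        return p[4:]
    if low.startswith("system32\\"):         # bare 'system32\...' as in the Service line
        return system_root + "\\" + p
    return p


def parse_gmer(text: str, system_root: str = r"C:\WINDOWS") -> Dict[str, List[str]]:
    """Collect hidden service names, referenced files and service registry keys."""
    drivers, files, keys = [], [], []
    for line in text.splitlines():
        m = HIDDEN_SERVICE.match(line)
        if m:
            if m.group("name") not in drivers:
                drivers.append(m.group("name"))
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        key, value, data = m.group("key"), m.group("value").lower(), m.group("data")
        svc_key = key.split("\\modules")[0]          # strip the \modules subkey
        if svc_key not in keys:
            keys.append(svc_key)
        if value == "imagepath" or "\\modules" in key:   # only path-valued entries
            win = nt_to_win32(data, system_root)
            if win not in files:
                files.append(win)
    return {"drivers": drivers, "files": files, "keys": keys}


def avenger_script(parsed: Dict[str, List[str]]) -> str:
    """Render the three-section layout used by the Avenger script in the thread."""
    out = ["Drivers to delete:", *parsed["drivers"], "",
           "Files to delete:", *parsed["files"], "",
           "Registry keys to delete:", *parsed["keys"]]
    return "\n".join(out)


BAD_TRANSLATION = re.compile(r"^[a-z]:\\.*\\systemroot\\", re.I)


def bad_paths(script: str) -> List[str]:
    """Flag the 'C:\\...\\systemroot\\...' artefact of a naive path translation."""
    return [ln for ln in script.splitlines() if BAD_TRANSLATION.match(ln)]


if __name__ == "__main__":
    script = avenger_script(parse_gmer(SAMPLE_GMER))
    print(script)
    print("suspicious paths:", bad_paths(script))
```

Run `bad_paths()` over any hand-written script before executing it; a hit means a path was built by prepending the Windows directory to an NT-native path instead of replacing the `\systemroot` link.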

#14 Alfinator

Alfinator
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 31 January 2009 - 12:56 PM

Hi Panda,

I still can't connect to the internet after running Avenger.

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:38 PM

Posted 31 January 2009 - 01:27 PM

Hello.

Let's see if we can repair that..

Click on the Start button.
Click on the Settings menu option.
Click on the Control Panel option.
When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
You will now see a menu similar to the image below. Simply click on the Repair menu option.
--
If it is still not working..

To Restore Connection Using WinsockXPFix
This tool should only be used on Windows NT4, 2000, and XP (and variants). Use on any other operating system may cause serious damage.
  • Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  • Copy the file to the desktop on the damaged computer.
  • Double-click on the WinsockXPFix icon on your desktop.
  • Push the fix button.
  • Allow your system to reboot.
Please let me know if your connection is restored in your next reply.

Tell me if the connection is back.

With Regards,
The Panda
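
An added example, not the thread's own code and not WinsockXPFix's: what WinsockXPFix rebuilds is the Winsock2 provider catalog. Each entry under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries stores its provider DLL path as a NUL-terminated ANSI string in the first 260 (MAX_PATH) bytes of the PackedCatalogItem value, ahead of the packed WSAPROTOCOL_INFO structure. If one entry points at a DLL that no longer exists (a layered service provider left behind by malware or deleted during cleanup), the whole provider chain fails to load and every Winsock application loses connectivity even though the adapter and the Repair option look fine. The script reads the catalog live on Windows through winreg and otherwise audits a constructed sample; the set of expected stock providers and the sample LSP file name are assumptions.

```python
"""
Audit the Winsock2 Protocol_Catalog9 for provider DLLs that are foreign or missing.
Layout assumed: PackedCatalogItem = provider path (NUL-terminated ANSI, MAX_PATH
bytes) followed by the packed WSAPROTOCOL_INFO.
"""
import os
import sys
from typing import Callable, Dict, List, Tuple

MAX_PATH = 260
CATALOG_KEY = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
# Stock providers expected in an XP Protocol_Catalog9 (assumption used by this demo).
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}


def provider_dll(packed: bytes, system_root: str = r"C:\WINDOWS") -> str:
    """Return the provider DLL path stored at the front of a PackedCatalogItem."""
    raw = packed[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1")
    # Values are normally '%SystemRoot%\system32\mswsock.dll'; expand the variable
    # ourselves so the check behaves the same when run on an offline analysis box.
    return raw.replace("%SystemRoot%", system_root).replace("%systemroot%", system_root)


def audit_catalog(entries: Dict[str, bytes], file_exists: Callable[[str], bool],
                  system_root: str = r"C:\WINDOWS") -> List[Tuple[str, str, str]]:
    """Classify every catalog entry as ok / unknown-lsp / missing-dll."""
    findings = []
    for entry_id, packed in sorted(entries.items()):
        path = provider_dll(packed, system_root)
        name = os.path.basename(path.replace("\\", "/")).lower()
        if not file_exists(path):
            verdict = "missing-dll"      # broken chain: every socket call fails
        elif name not in KNOWN_PROVIDERS:
            verdict = "unknown-lsp"      # third-party LSP: verify vendor and signature
        else:
            verdict = "ok"
        findings.append((entry_id, path, verdict))
    return findings


def pack_item(path: str) -> bytes:
    """Build a PackedCatalogItem-shaped blob for a constructed test entry."""
    return path.encode("latin-1").ljust(MAX_PATH, b"\0") + b"\0" * 16


# Constructed sample: two stock providers plus a leftover LSP whose DLL is gone.
# 'examplelsp.dll' is a hypothetical name, not a real provider.
SAMPLE_ENTRIES = {
    "000000000001": pack_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": pack_item(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000003": pack_item(r"C:\WINDOWS\system32\examplelsp.dll"),
}
SAMPLE_PRESENT = {r"C:\WINDOWS\system32\mswsock.dll", r"C:\WINDOWS\system32\rsvpsp.dll"}


def read_catalog_from_registry() -> Dict[str, bytes]:
    """Live read of the catalog on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:               # no more subkeys
                break
            with winreg.OpenKey(key, sub) as entry:
                out[sub] = winreg.QueryValueEx(entry, "PackedCatalogItem")[0]
            index += 1
    return out


if __name__ == "__main__":
    entries = read_catalog_from_registry() or SAMPLE_ENTRIES
    exists = os.path.exists if sys.platform == "win32" else (lambda p: p in SAMPLE_PRESENT)
    for entry_id, path, verdict in audit_catalog(entries, exists):
        print(f"{entry_id}  {verdict:12s} {path}")
```

A `missing-dll` finding is the case WinsockXPFix exists for; on Windows XP SP2 and later the built-in `netsh winsock reset` rebuilds the catalog to the stock providers, which is the same repair without a third-party tool. An `unknown-lsp` finding is not automatically bad (firewalls and some security products register legitimate LSPs), so check the file's vendor and signature before removing it.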
