TechSpot

System Check virus, a lot of problems

Inactive
By MjuTaS
Feb 8, 2012
  1. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    or if it doesn't take too long we can fix the no access problem now :D
     
  2. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    I can see you're back in normal mode now?
    Is Internet Explorer the only program which won't open?
    What happens when you try?

    Combofix log looks fairly clean (not 100% yet).

    Next steps depend on what you CAN do in normal mode.
     
  3. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    We posted at the same time.
     
  4. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    I can't open any files. I can open "my computer" and some folders.

    If I try to open Internet Explorer for example, I get: C:\program files\internet explorer\iexplore.exe An attempt was made to perform a non-legit move on a registry key that has been flagged for removal. It's in Swedish so it's not exactly that, but almost.

    It was like this the last time I ran ComboFix too; after I restarted I got the problem with accessing the desktop.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    That's an easy fix.
    You have to restart computer :)
     
  6. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Got access to files now, but internet disappeared again lol :)
    Just identifying.... but I can see afd.sys is at least in system32/drivers, so it's some other problem.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Post new FSS log.
     
  8. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Farbar Service Scanner Version: 10-02-2012
    Ran by Simon (administrator) on 11-02-2012 at 03:49:05
    Running from "C:\Users\Simon\Desktop"
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    tdx Service is not running. Checking service configuration:
    The start type of tdx service is OK.
    The ImagePath of tdx service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.

    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
    Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
    Unable to retrieve ServiceDll of MpsSvc. The value does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Defender:
    =============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys
    [2012-02-11 03:12] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

    Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  9. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    We have tdx.sys file missing again.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\ERDNT\cache\tdx.sys | C:\Windows\system32\Drivers\tdx.sys
    
    File::
    c:\windows\system32\dds_trash_log.cmd
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  10. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Internet working, programs working :) How does the log look?

    ComboFix 12-02-10.03 - Simon 2012-02-11 4:00.7.4 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.46.1033.18.3327.2642 [GMT 1:00]
    Körs från: G:\ComboFix.exe
    Kommandoväxlar som använts :: c:\users\Simon\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\dds_trash_log.cmd"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\$NtUninstallKB21072$\2418786939\@
    c:\windows\$NtUninstallKB21072$\2418786939\cfg.ini
    c:\windows\$NtUninstallKB21072$\2418786939\Desktop.ini
    c:\windows\$NtUninstallKB21072$\2418786939\L\xadqgnnk
    c:\windows\$NtUninstallKB21072$\3856755330
    c:\windows\system32\dds_trash_log.cmd
    .
    En infekterad kopia av c:\windows\system32\drivers\afd.sys hittades och desinficerades.
    Återställd kopia från - The cat found it :)
    .
    --------------- FCopy ---------------
    .
    c:\windows\ERDNT\cache\tdx.sys --> c:\windows\system32\Drivers\tdx.sys
    .
    (((((((((((((((((((((((( Filer skapade från 2012-01-11 till 2012-02-11 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 07:13 . 2012-02-11 07:31 -------- d-----w- C:\Boot
    2012-02-11 03:06 . 2012-02-11 03:08 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2012-02-11 03:06 . 2012-02-11 03:06 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-11 03:00 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
    2012-02-11 02:59 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-09 23:37 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
    2012-02-09 23:36 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2012-02-09 22:09 . 2012-02-09 22:09 -------- d-----w- C:\_OTL
    2012-02-08 17:37 . 2012-02-08 17:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-02-08 13:49 . 2012-02-10 00:53 -------- d-----w- c:\programdata\AVAST Software
    2012-02-08 13:49 . 2012-02-08 13:49 -------- d-----w- c:\program files\AVAST Software
    2012-02-08 13:26 . 2012-02-08 13:26 -------- d-----w- c:\program files\Common Files\Java
    2012-02-08 02:51 . 2012-02-08 13:10 -------- d-----w- c:\programdata\MFAData
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2012-02-08 01:55 . 2012-02-08 01:55 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-08 01:41 . 2012-02-08 01:41 -------- d-----w- c:\program files\Enigma Software Group
    2012-02-08 01:40 . 2012-02-08 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-01-25 18:19 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-25 18:19 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-25 18:19 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-25 18:19 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-25 18:19 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-25 18:19 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-25 18:19 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-25 18:19 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-25 18:19 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-25 18:19 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-11 02:37 . 2011-11-16 00:40 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2012-02-10 00:46 . 2012-02-11 02:04 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.svs
    2012-02-07 22:25 . 2011-08-08 19:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-05 17:00 . 2012-01-05 17:00 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\tmpidcrl.dll
    2012-01-05 17:00 . 2011-03-28 17:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-24 04:25 . 2011-12-15 04:45 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
    2011-11-17 05:38 . 2012-01-10 19:28 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-11-16 01:25 . 2011-11-16 01:25 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-11-16 01:25 . 2011-11-16 01:25 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-16 01:25 . 2011-11-16 01:25 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-11-16 01:25 . 2011-11-16 01:25 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-11-16 01:25 . 2011-11-16 01:25 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-11-16 01:25 . 2011-11-16 01:25 367104 ----a-w- c:\windows\system32\html.iec
    2011-11-16 01:25 . 2011-11-16 01:25 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-11-16 01:25 . 2011-11-16 01:25 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-16 01:25 . 2011-11-16 01:25 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-11-16 01:25 . 2011-11-16 01:25 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-11-16 01:25 . 2011-11-16 01:25 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-16 01:25 . 2011-11-16 01:25 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-11-16 01:25 . 2011-11-16 01:25 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-11-16 01:25 . 2011-11-16 01:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-16 01:25 . 2011-11-16 01:25 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-11-16 01:25 . 2011-11-16 01:25 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-11-16 01:16 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-15 23:37 . 2009-11-26 18:25 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
    .
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* tomma poster & legitima standardposter visas inte.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Facebook Update"="c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-18 137536]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2012-1-24 1140632]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\PhotoshopElementsFileAgent.exe [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\PhotoshopElementsDeviceConnect.exe [x]
    R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2010-10-28 98400]
    R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 136176]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-02-20 47360]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-02-11 239168]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    procexp100
    .
    Innehåll i mappen 'Schemalagda aktiviteter':
    .
    2012-02-10 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000Core.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3512059693-629956888-1013197014-1000UA.job
    - c:\users\Simon\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-18 17:26]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 20:56]
    .
    .
    ------- Extra genomsökning -------
    .
    uStart Page = hxxp://www.google.se/
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\clbeh0im.default\
    FF - user.js: extensions.BabylonToolbar_i.id - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.hardId - 3ce818f1000000000000002618f04b04
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15344
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1717:57
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100478
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Sluttid: 2012-02-11 04:11:08 - datorn startades om.
    ComboFix-quarantined-files.txt 2012-02-11 03:11
    ComboFix2.txt 2012-02-11 02:17
    ComboFix3.txt 2012-02-11 01:20
    ComboFix4.txt 2012-02-11 00:23
    ComboFix5.txt 2012-02-11 02:58
    .
    Före genomsökningen: 34*967*019*520 byte ledigt
    Efter genomsökningen: 34*869*952*512 byte ledigt
    .
    - - End Of File - - B89BE5442FE1130D9A41C747E9E92F8C
     
  11. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Looks good :)

    Now that we have everything working (for now....LOL).

    Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =============================================================

    Post MBAM log before going for the next step listed below......

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/


    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • Super should automatically update the program definitions. If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    • Close SUPERAntiSpyware.
    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    • Open SUPERAntiSpyware.
    • Click on "Preferences" button.
    • Click the "Scanning Control" tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
    • Click the "Home" button to leave the control center screen.
    • Back on the main screen checkmark "Complete scan" and click "Scan your computer".
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    Post SUPERAntiSpyware log.
     
     
  12. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Oki, I'll do this on Sunday, really have to go now :( But thanks again so far!! You are outstanding! It wasn't just one problem I had, LOL
    cya @ Sunday
     
  13. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Oh boy, that was one of the toughest cases.

    Make sure nobody touches your computer.

    BTW I spent a couple of months in Malmoe in my college years.
    What part of Sweden are you from?
     
  14. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Nice, I'm from north Sweden, a town called Ostersund :)

    here is MBAM :

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Databasversion: v2012.02.12.05

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Simon :: SIMON-PC [administratör]

    2012-02-12 23:02:50
    mbam-log-2012-02-12 (23-02-50).txt

    Skanningstyp: Snabbskanning
    Aktiverade skanningsalternativ: Minne | Start | Register | Filsystem | Heuristik/Extra | Heuristik/Shuriken | PUP | PUM
    Inaktiverade skanningsalternativ: P2P
    Antal skannade objekt: 175252
    Förfluten tid: 3 minut(er), 10 sekund(er)

    Upptäckta minnesprocesser: 0
    (Inga skadliga poster hittades)

    Upptäckta minnesmoduler: 1
    C:\Windows\System32\queuemgr.dll (RootKit.0Access.H) -> Ta bort vid nästa datorstart.

    Upptäckta registernycklar: 0
    (Inga skadliga poster hittades)

    Upptäckta registervärden: 0
    (Inga skadliga poster hittades)

    Upptäckta registerdataposter: 0
    (Inga skadliga poster hittades)

    Upptäckta mappar: 0
    (Inga skadliga poster hittades)

    Upptäckta filer: 1
    C:\Windows\System32\queuemgr.dll (RootKit.0Access.H) -> Ta bort vid nästa datorstart.

    (klar)
     
  15. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    I'm around :)
    Go on....

    Any current issues?
     
  16. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    OK, no, it's working just fine now :D OK, I go on with the next step.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Cool :)...........
     
  18. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    No internet connection now ofc :), that damn afd.sys file that keeps getting removed all the time haha.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/13/2012 at 00:16 AM

    Application Version : 5.0.1144

    Core Rules Database Version : 8230
    Trace Rules Database Version: 6042

    Scan type : Complete Scan
    Total Scan Time : 00:35:16

    Operating System Information
    Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
    UAC Off - Administrator

    Memory items scanned : 316
    Memory threats detected : 0
    Registry items scanned : 34243
    Registry threats detected : 8
    File items scanned : 124879
    File threats detected : 6

    Trojan.Agent/Gen-Sirefef
    HKLM\System\ControlSet002\Services\TDX
    C:\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS
    HKLM\System\ControlSet002\Enum\Root\LEGACY_TDX
    HKLM\System\ControlSet003\Services\TDX
    HKLM\System\ControlSet003\Enum\Root\LEGACY_TDX
    HKLM\System\ControlSet004\Services\TDX
    HKLM\System\ControlSet004\Enum\Root\LEGACY_TDX
    HKLM\System\CurrentControlSet\Services\TDX
    HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TDX
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR_
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS.VIR

    Trojan.Agent/Gen-ZAccess
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR_
     
  19. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Post new FSS log.
     
  20. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Farbar Service Scanner Version: 10-02-2012
    Ran by Simon (administrator) on 13-02-2012 at 00:44:39
    Running from "C:\Users\Simon\Desktop"
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    tdx Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
    Checking LEGACY_tdx: Attention! Unable to open LEGACY_tdx\0000 registry key. The key does not exist.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.

    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
    Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
    Unable to retrieve ServiceDll of MpsSvc. The value does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Defender:
    =============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys
    [2012-02-11 03:59] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

    Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  21. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Please run Farbar Service Scanner (FSS).
    Type the following in the edit box after "Search:".

    tdx.sys

    Click Search Files button and post the log (FSS.txt) it makes to your reply.
     
  22. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    Farbar Service Scanner Version: 10-02-2012
    Ran by Simon (administrator) on 13-02-2012 at 00:55:55
    Microsoft Windows 7 Ultimate Service Pack 1 (X86)

    ************************************************
    ======== Search: "tdx.sys" =========

    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
    [2009-07-14 00:12] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542

    C:\Windows\ERDNT\cache\tdx.sys
    [2012-02-11 01:22] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542

    ====== End Of Search ======
     
  23. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Download following batch file: http://www.bleepstatic.com/fhost/uploads/0/93-fix.bat
    Double click on it to run the fix.
    Command prompt window will open.
    You should see following message:
    "1 file(s) copied"
    In that case press any key to close command prompt window.
    If you see any error message let me know.

    We also have a couple of registry keys missing....

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.
    Double click on mpssvc.reg file and confirm the prompt.
    Double click on tdx.reg file and confirm the prompt.

    Restart computer, check on internet connection, see if you can turn Windows firewall on and post new FSS log.
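    Added example, not code from the thread, ComboFix or Farbar's tool: after the tdx.sys copy (the FCopy:: script earlier and the batch file above) and the two .reg imports, this PowerShell script re-checks what FSS kept flagging in this thread (the tdx, MpsSvc and WinDefend service keys, and the tdx.sys / afd.sys driver hashes) and, when a driver is missing or altered, looks for a clean copy in WinSxS or the ERDNT cache the way the FSS search did. The known-good MD5s are the values FSS printed earlier in the thread for this Windows 7 SP1 x86 install; the WinSxS and ERDNT paths are assumptions about the repaired machine.

    ```powershell
    # Added example (not from the thread, ComboFix or FSS). Run from an elevated
    # PowerShell prompt on the repaired PC. The MD5s below are the ones FSS printed
    # in this thread for Windows 7 SP1 x86; other builds have different hashes.
    $KnownGood = @{
        'tdx.sys' = 'CB39E896A2A83702D1737BFD402B3542'   # from the FSS search result
        'afd.sys' = 'C427F91A748CD342A2B3F9278D9FD6A5'   # from the FSS file check
    }
    $DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
    # Places a clean copy was found in the thread (assumed paths on the repaired machine).
    $CleanCopyRoots = @("$env:SystemRoot\winsxs", "$env:SystemRoot\ERDNT\cache")

    function Get-Md5Hex([string]$Path) {
        # Get-FileHash (PowerShell 4+) returns uppercase hex, the same form FSS prints.
        (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    }

    function Test-ServiceKey([string]$Name) {
        # Mirrors the FSS "Checking service configuration" block: the key must exist
        # and carry Start and ImagePath values. A missing key is what FSS reported
        # for tdx and WinDefend; a key without values is what it reported for MpsSvc.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        if (-not (Test-Path -LiteralPath $key)) {
            return [pscustomobject]@{ Item = $Name; Status = 'ATTENTION'; Detail = 'service key does not exist' }
        }
        $p = Get-ItemProperty -LiteralPath $key
        if ($null -eq $p.Start -or $null -eq $p.ImagePath) {
            return [pscustomobject]@{ Item = $Name; Status = 'ATTENTION'; Detail = 'Start or ImagePath value does not exist' }
        }
        return [pscustomobject]@{ Item = $Name; Status = 'OK'; Detail = "Start=$($p.Start) ImagePath=$($p.ImagePath)" }
    }

    function Test-DriverFile([string]$File) {
        # Mirrors the FSS "File Check" block. When the live driver is missing or its
        # MD5 is wrong, list clean copies whose hash matches the known-good value.
        $live = Join-Path $DriverDir $File
        if (-not (Test-Path -LiteralPath $live)) {
            $detail = 'file is missing'
        } else {
            $hash = Get-Md5Hex $live
            if ($hash -eq $KnownGood[$File]) {
                return [pscustomobject]@{ Item = $live; Status = 'OK'; Detail = 'MD5 is legit' }
            }
            $detail = "MD5 $hash does not match the known-good value"
        }
        $candidates = foreach ($root in $CleanCopyRoots) {
            Get-ChildItem -LiteralPath $root -Recurse -Filter $File -File -ErrorAction SilentlyContinue |
                Where-Object { (Get-Md5Hex $_.FullName) -eq $KnownGood[$File] } |
                ForEach-Object { $_.FullName }
        }
        if ($candidates) { $detail += '; clean copy at ' + ($candidates -join ', ') }
        return [pscustomobject]@{ Item = $live; Status = 'ATTENTION'; Detail = $detail }
    }

    $report = @(
        Test-ServiceKey 'tdx'
        Test-ServiceKey 'MpsSvc'
        Test-ServiceKey 'WinDefend'
        Test-DriverFile 'tdx.sys'
        Test-DriverFile 'afd.sys'
    )
    $report | Format-Table -AutoSize -Wrap
    # Non-zero exit when anything still needs attention, so the check can be scripted.
    if ($report | Where-Object Status -eq 'ATTENTION') { exit 1 } else { exit 0 }
    ```

    The WinSxS walk is slow on a full component store; the candidate list only includes copies whose MD5 matches, so a listed path is safe to copy from.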
     
  24. MjuTaS

    MjuTaS TS Rookie Topic Starter Posts: 105

    the 93-fix, 0 files copied, access denied, ECHO is in state OFF
     
  25. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Right click on the batch file, click "Run as Administrator".
    If still no go, do the same from Safe Mode.
     

