also @ TechSpot: Sony releases PS4 teaser video on eve of Xbox 720 reveal

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

System Check virus, a lot of problems

Discussion in 'Virus and Malware Removal' started by MjuTaS, Feb 8, 2012.

Post New Reply

Page 8 of 10

MjuTaS Newcomer, in training Posts: 105

ok, no its working just fine now ok i go on with next step

MjuTaS, Feb 12, 2012

#141
Broni Malware Annihilator Posts: 39,307 +175

Cool ...........

Broni, Feb 12, 2012

#142
MjuTaS Newcomer, in training Posts: 105

No internet connection now ofc , that daamn afd.sys file that keeps getting removed all the time haha.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/13/2012 at 00:16 AM

Application Version : 5.0.1144

Core Rules Database Version : 8230
Trace Rules Database Version: 6042

Scan type : Complete Scan
Total Scan Time : 00:35:16

Operating System Information
Windows 7 Ultimate 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 316
Memory threats detected : 0
Registry items scanned : 34243
Registry threats detected : 8
File items scanned : 124879
File threats detected : 6

Trojan.Agent/Gen-Sirefef
HKLM\System\ControlSet002\Services\TDX
C:\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS
HKLM\System\ControlSet002\Enum\Root\LEGACY_TDX
HKLM\System\ControlSet003\Services\TDX
HKLM\System\ControlSet003\Enum\Root\LEGACY_TDX
HKLM\System\ControlSet004\Services\TDX
HKLM\System\ControlSet004\Enum\Root\LEGACY_TDX
HKLM\System\CurrentControlSet\Services\TDX
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TDX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\DTSOFTBUS01.SYS.VIR_
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS.VIR

Trojan.Agent/Gen-ZAccess
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\AFD.SYS.VIR_

MjuTaS, Feb 12, 2012

#143
Broni Malware Annihilator Posts: 39,307 +175

Post new FSS log.

Broni, Feb 12, 2012

#144
MjuTaS Newcomer, in training Posts: 105

Farbar Service Scanner Version: 10-02-2012
Ran by Simon (administrator) on 13-02-2012 at 00:44:39
Running from "C:\Users\Simon\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: Attention! Unable to open LEGACY_tdx\0000 registry key. The key does not exist.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-11 03:59] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

MjuTaS, Feb 12, 2012

#145

Broni Malware Annihilator Posts: 39,307 +175

Please run Farbar Service Scanner FSS).
Type the following in the edit box after "Search:".

tdx.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.

Broni, Feb 12, 2012

#146

MjuTaS Newcomer, in training Posts: 105

Farbar Service Scanner Version: 10-02-2012
Ran by Simon (administrator) on 13-02-2012 at 00:55:55
Microsoft Windows 7 Ultimate Service Pack 1 (X86)

************************************************
======== Search: "tdx.sys" =========

C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
[2009-07-14 00:12] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542

C:\Windows\ERDNT\cache\tdx.sys
[2012-02-11 01:22] - [2009-07-14 00:12] - 0074240 ____A (Microsoft Corporation) CB39E896A2A83702D1737BFD402B3542

====== End Of Search ======

MjuTaS, Feb 12, 2012

#147
Broni Malware Annihilator Posts: 39,307 +175

Download following batch file: http://www.bleepstatic.com/fhost/uploads/0/93-fix.bat
Double click on it to run the fix.
Command prompt window will open.
You should see following message:
"1 file(s) copied"
In that case press any key to close command prompt window.
If you see any error message let me know.

We also have couple of registry keys missing....

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on mpssvc.reg file and confirm the prompt.
Double click on tdx.reg file and confirm the prompt.

Restart computer, check on internet connection, see if you can turn Windows firewall on and post new FSS log.

Broni, Feb 12, 2012

#148
MjuTaS Newcomer, in training Posts: 105

the 93-fix, 0 files copied, access denied, ECHO is in state OFF

MjuTaS, Feb 12, 2012

#149
Broni Malware Annihilator Posts: 39,307 +175

Right click in the batch file, click "Run as Administrator".
If still no go do the same from safe mode.

Broni, Feb 12, 2012

#150
MjuTaS Newcomer, in training Posts: 105

worked as admin, going on with next step

MjuTaS, Feb 12, 2012

#151
Broni Malware Annihilator Posts: 39,307 +175

OK.........................

Broni, Feb 12, 2012

#152
MjuTaS Newcomer, in training Posts: 105

still no internet, new ffs log:

Farbar Service Scanner Version: 10-02-2012
Ran by Simon (administrator) on 13-02-2012 at 01:20:43
Running from "C:\Users\Simon\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: Attention! Unable to open LEGACY_tdx\0000 registry key. The key does not exist.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-11 03:59] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

MjuTaS, Feb 12, 2012

#153
MjuTaS Newcomer, in training Posts: 105

can not turn windows firewall on

MjuTaS, Feb 12, 2012

#154
Broni Malware Annihilator Posts: 39,307 +175

Something keeps removing that file and registry keys (now we have two of them missing).
Do you still have AVG or Avast installed and running?

Broni, Feb 12, 2012

#155
MjuTaS Newcomer, in training Posts: 105

strange, uninstalled both avg and avast. only thing running is superantispyware, it started up auto when i restart, but it shouldnt do anything unless i scan with it?

MjuTaS, Feb 12, 2012

#156
Broni Malware Annihilator Posts: 39,307 +175
OK, we have to redo some scans. I don't like it.

You may have some of those tools already there.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

============================================================

Download Bootkit Remover to your Desktop.

Unzip downloaded file to your Desktop.

Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).

It will show a Black screen with some data on it.

Right click on the screen and click Select All.

Press CTRL+C

Open a Notepad and press CTRL+V

Post the output back here.

=============================================================

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.
Broni, Feb 12, 2012

#157
MjuTaS Newcomer, in training Posts: 105

seems like my comp cant stay out of trouble..

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 32
-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to quit...

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-13 01:37:42
-----------------------------
01:37:42.033 OS Version: Windows 6.1.7601 Service Pack 1
01:37:42.033 Number of processors: 4 586 0x402
01:37:42.033 ComputerName: SIMON-PC UserName: Simon
01:37:42.298 Initialize success
01:37:44.794 AVAST engine download error: 0
01:37:56.307 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:37:56.307 Disk 0 Vendor: WDC_WD5001AALS-00L3B2 01.03B01 Size: 476940MB BusType: 3
01:37:56.338 Disk 0 MBR read successfully
01:37:56.338 Disk 0 MBR scan
01:37:56.354 Disk 0 Windows 7 default MBR code
01:37:56.354 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100 MB offset 2048
01:37:56.369 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 79900 MB offset 206848
01:37:56.385 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 396937 MB offset 163842048
01:37:56.385 Disk 0 scanning sectors +976769024
01:37:56.447 Disk 0 scanning C:\Windows\system32\drivers
01:38:00.222 File: C:\Windows\system32\drivers\cdrom.sys **SUSPICIOUS**
01:38:06.759 Disk 0 trace - called modules:
01:38:06.775 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8d304fc0]<<
01:38:06.775 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x875f8ac8]
01:38:06.790 3 CLASSPNP.SYS[8d26f59e] -> nt!IofCallDriver -> [0x879354a0]
01:38:06.790 \Driver\00000458[0x879355d8] -> IRP_MJ_CREATE -> 0x8d304fc0
01:38:06.790 Scan finished successfully
01:38:33.076 Disk 0 MBR has been saved successfully to "C:\Users\Simon\Desktop\MBR.dat"
01:38:33.092 The log file has been saved successfully to "C:\Users\Simon\Desktop\aswMBR2.txt"

ListParts by Farbar
Ran by Simon on 13-02-2012 at 01:45:41
Windows 7 (X86)
Running From: C:\Users\Simon\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 24%
Total physical RAM: 3327.18 MB
Available physical RAM: 2501.11 MB
Total Pagefile: 6652.64 MB
Available Pagefile: 5604.12 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.29 MB

======================= Partitions =========================

1 Drive c: (System) (Fixed) (Total:78.03 GB) (Free:31.95 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (Backup) (Fixed) (Total:387.63 GB) (Free:148.65 GB) NTFS
5 Drive g: () (Removable) (Total:3.93 GB) (Free:3.93 GB) FAT32

Disk nr Status Storlek Ledigt Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk nr 0 Online 465 G B 1024 K B
Disk nr 1 Online 4036 M B 0 B

DiskPart avslutas...

Partitions of Disk Disk nr 0 Online 465 G B 1024 K B :
===============

Argumenten som angetts f”r kommandot „r inte giltiga.
Om du vill ha mer information om kommandot skriver du: HELP SELECT DISK

Ingen disk har valts.

Partitions of Disk Disk nr 1 Online 4036 M B 0 B :
===============

Argumenten som angetts f”r kommandot „r inte giltiga.
Om du vill ha mer information om kommandot skriver du: HELP SELECT DISK

Ingen disk har valts.

****** End Of Log ******

MjuTaS, Feb 12, 2012

#158
MjuTaS Newcomer, in training Posts: 105

i could remove the missing files from the super anti spyware quarantine, but thats maybe not good, i dunno

MjuTaS, Feb 12, 2012

#159
Broni Malware Annihilator Posts: 39,307 +175
One system file may be infected.

One question.
Are you behind a router?

If so, reset it.
Turn the computer off.

If you don't use router let me know.

On your router, you'll find a pinhole marked "Reset".
Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
NOTE. Simple router disconnecting from a power source will NOT do.
Restart computer and check for redirections.

NOTE. You may need to re-check your router security settings, as described HERE

Then....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, Feb 12, 2012

#160

Page 8 of 10

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.