# rootkit.tdss C:\Windows\System32\tdlcmd.dll & Constant Re-Directing by IE8



## SteveReeves (Nov 30, 2009)

I need help!!!

I am unable to remove the virus listed above (e.g. rootkit.tdss C:\Windows\System32\tdlcmd.dll). I am running Vista 32-bit with the latest updates on a Dell Inspiron 1420 (laptop).

I have tried the following:
Malware Antimalware - detects the virus; gives the impression that it's been removed. But after reboot, it's still there.
PC Tools Spyware - same as above.

SuperAntispyware - doesn't find it
Spy Search & Destroy - doesn't find it.
Dr. Web - doesn't find it, but continues to flag certain processes as backdoor.tdss -535 in memory. It claims that it's eradicated. But subsequent runs of Dr. Web produce different processes infected by the same backdoor.tdss -535 supposedly eradicated.

Laptop is running sluggish and slow! Need help!!!!


----------



## NeonFx (Oct 22, 2008)

Hello there. Welcome to the TSG Forums.
My name is *NeonFx*. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:


- The fixes are specific to your problem and should only be used on this machine.
- Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
- It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
- If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.

*Step 1*

Download *OTS* to your Desktop


- Close *ALL OTHER PROGRAMS*.
- Double-click on *OTS.exe* to start the program.
- Check the box that says *Scan All Users*
- Under Additional Scans check the following:
  - Reg - Desktop Components
  - Reg - Disabled MS Config Items
  - Reg - NetSvcs
  - Reg - Shell Spawning
  - Reg - Uninstall List
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)

Please copy the following into the Custom Scans box at the bottom


```
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
nvatabus.sys
si3112.sys
viadsk.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
/md5stop
```

Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.

Please *attach* the log in your next post. To do so click on the blue *"Reply"* button or *"Go Advanced"* and click on the "*Manage Attachments*" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to: http://drop.io/daerk)

*Step 2*

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the *Sysprot.exe* program.


- Click on the *Log* tab.
- In the *Write to* log box select *All* items.
- Place a checkmark next to *Hidden Objects Only*
- Click on the *Create Log* button on the bottom right.
- After a few seconds a new Window should appear.
- Make sure *Scan all drives* is selected and click on the Start button.
  _(Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)_
- When it is complete a new Window will appear to indicate that the scan is finished.
- The log will be created and saved automatically in the same folder. *Open the text file* and copy/paste the log here.


----------



## SteveReeves (Nov 30, 2009)

Thx for your assistance in advance. Per your request,

I have attached the OTS Log and copy-pasted the Sysprot log / results below:

Also, I am getting the following message from McAfee intermittently:

"McAfee has automatically blocked and removed a Trojan.
About this Trojan
Detected: DNSChanger!ca (Trojan), DNSChanger!ca (Trojan)
Location: C:\Windows\System32\tdlwsp.dll"

SysProt Results
************
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 97068000
Module End: 97126000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateProcess
Address: 887A9CDC
Driver Base: 887A0000
Driver End: 887D7000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys
Function Name: ZwCreateProcessEx
Address: 887A9ECE
Driver Base: 887A0000
Driver End: 887D7000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys
Function Name: ZwTerminateProcess
Address: 96F33DF0
Driver Base: 96F2B000
Driver End: 96F50000
Driver Name: \??\C:\Utilities\SUPERAntiSpyware\SASKUTIL.sys
Function Name: ZwCreateUserProcess
Address: 887AA0D6
Driver Base: 887A0000
Driver End: 887D7000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 8265F982
Jump To: 96FBA7CE
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwUnmapViewOfSection
At Address: 82844709
Jump To: 96FBA7F8
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwSetInformationProcess
At Address: 82848474
Jump To: 96FBA77C
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwSetContextThread
At Address: 828C6253
Jump To: 96FBA790
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwRestoreKey
At Address: 828867B2
Jump To: 96FBA839
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwReplaceKey
At Address: 828879B6
Jump To: 96FBA84D
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwProtectVirtualMemory
At Address: 8284DE7D
Jump To: 96FBA7B8
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenThread
At Address: 8285009A
Jump To: 96FBA728
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenProcess
At Address: 82854B48
Jump To: 96FBA714
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwNotifyChangeKey
At Address: 827F35B5
Jump To: 96FBA825
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwMapViewOfSection
At Address: 82844446
Jump To: 96FBA7E2
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateFile
At Address: 82875D59
Jump To: 96FBA7A4
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: PsSetContextThread
At Address: 828C6253
Jump To: 96FBA790
Module Name: C:\Windows\system32\drivers\mfehidk.sys
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: JB_LAPTOP:51450
Remote Address: CDS45.LON9.MSECN.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:51447
Remote Address: A96-17-146-57.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51446
Remote Address: 74.217.50.10:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51445
Remote Address: 74.217.50.10:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51444
Remote Address: GW-IN-F149.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51443
Remote Address: NZTV.VGS.UNTD.COM:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51440
Remote Address: A96-6-45-58.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51436
Remote Address: 208.71.121.24:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51317
Remote Address: 38.118.85.50:HTTP
Type: TCP
Process: C:\Program Files\Windows Sidebar\sidebar.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:51266
Remote Address: CYCLOPS.DCA.UNTD.COM:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:50903
Remote Address: YI-IN-F105.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50869
Remote Address: 24.143.193.40:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50868
Remote Address: 24.143.193.40:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50864
Remote Address: YI-IN-F102.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50850
Remote Address: YI-IN-F105.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50841
Remote Address: YW-IN-F100.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50837
Remote Address: GW-IN-F139.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50561
Remote Address: A96-17-44-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50548
Remote Address: WWW.TECHGUY.ORG:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50547
Remote Address: GX-IN-F138.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50538
Remote Address: GW-IN-F156.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50525
Remote Address: GX-IN-F138.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50521
Remote Address: 208.48.254.97:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50518
Remote Address: GW-IN-F149.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50507
Remote Address: GW-IN-F156.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:50505
Remote Address: GW-IN-F149.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:49953
Remote Address: 82.99.19.52:HTTP
Type: TCP
Process: C:\Security Files\Lavasoft\Ad-Aware\AAWService.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:49951
Remote Address: 82.99.19.52:HTTP
Type: TCP
Process: C:\Security Files\Lavasoft\Ad-Aware\AAWService.exe
State: CLOSE_WAIT
Local Address: JB_LAPTOP:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: JB_LAPTOP:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: JB_LAPTOP:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
Local Address: JB_LAPTOP:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\spoolsv.exe
State: LISTENING
Local Address: JB_LAPTOP:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING
Local Address: JB_LAPTOP:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: JB_LAPTOP:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: JB_LAPTOP:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING
Local Address: JB_LAPTOP:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: LISTENING
Local Address: JB_LAPTOP:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: JB_LAPTOP:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: JB_LAPTOP:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: JB_LAPTOP:64052
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:6646
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: NA
Local Address: JB_LAPTOP:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: JB_LAPTOP:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: JB_LAPTOP:64051
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:6646
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: NA
Local Address: JB_LAPTOP:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: JB_LAPTOP:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: JB_LAPTOP:64053
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:63207
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: JB_LAPTOP:61553
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: JB_LAPTOP:60784
Remote Address: NA
Type: UDP
Process: C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
State: NA
Local Address: JB_LAPTOP:57760
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Sidebar\sidebar.exe
State: NA
Local Address: JB_LAPTOP:57240
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: JB_LAPTOP:56043
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA
Local Address: JB_LAPTOP:49855
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Sidebar\sidebar.exe
State: NA
Local Address: JB_LAPTOP:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:64048
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: JB_LAPTOP:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Favorites\TroubleShooting\Windows Vista\Backups (Registry, etc)\You cannot open an .msg e-mail message file in Outlook 2007 if the file contains many attachments or many recipients.ur
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Desktop\Unused Icons\.Create Window XP Boot Disk Download Windows CD Pro Boot Disc Professional Home Free-Best Computer Online Store Houston Buy Discount Prices Texas-Directron.com.ur
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Desktop\Unused Icons\HomeLink; Home automation,Wireless control system, universal transceiver, RF control, Home security, smart home, vehicle to home, home automation, remote control 
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Desktop\Unused Icons\Intuit QuickBooks Premier Industry Edition 2009 keygen crack patch key serial download free licence keymaker activator generator fix easy-share megaupload rapidsh
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Documents\Inspiron 1420 Backup Files\Favorites\TroubleShooting\DCT3416-I Comcast HD DVR\Is recording with my VCR still possible now that I have a Motorola DCT3416 DVR and a Comcast HD
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Documents\Inspiron 1420 Backup Files\Favorites\TroubleShooting\File Converters\PowerISO - Create, Edit, Compress, Encrypt, Split, Mount, Extract ISO file, ISO-BIN converter, Virtual D
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Documents\Inspiron 1420 Backup Files\Favorites\TroubleShooting\IEHistoryX 1.6.3.15 download keygen serial crack rapidshare megaupload full version nocd unlock key generator activation
Status: Hidden
Object: G:\WD Backups\Memeo\Inspiron 1420 Backup (as of 2009-02-22)\C_\Users\JB\Documents\Inspiron 1420 Backup Files\Favorites\TroubleShooting\Outlook 2007\You receive a File access is denied error message when you try to import a .pst file from a CD-ROM to Outlo
Status: Hidden
Object: D:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\SPP
Status: Access denied
Object: C:\System Volume Information\SystemRestore
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\Windows Backup
Status: Access denied
Object: C:\System Volume Information\{0bfb0cc8-d887-11de-915b-001aa0fd0b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{3443189f-d76e-11de-a693-001aa0fd0b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{5d4a93fd-ddcd-11de-8122-001aa0fd0b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{72d002d0-d927-11de-a509-001aa0fd0b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{abd4d6a7-d708-11de-a79c-001aa0fd0b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{abd4d6bb-d708-11de-a79c-001aa0fd0b9c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
Status: Access denied

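The SysProt log above is long, and the signals worth acting on (a kernel module marked hidden, which drivers own SSDT entries and inline kernel hooks, which processes hold outbound connections) are spread across its sections. The Python below is an added example, not part of this thread or of SysProt: it parses a log in the format shown above into sections, flags hidden modules, lists hooking drivers that are not on an allowlist of the security products named in the thread (PC Tools, SUPERAntiSpyware, McAfee), and groups non-listening TCP connections by process. The embedded sample log is constructed from the format above; `example_unknown.sys` is invented for the demo, and the allowlist is an assumption you would rebuild from what you know is installed on the machine.

```python
# Added example (not from the thread or from SysProt): parse a SysProt
# AntiRootkit log and pull out the items that deserve a second look. Assumes
# the layout seen above: sections separated by lines of asterisks, a title
# line ending in ':' and then repeating 'Key: Value' records, with a new
# record starting whenever the section's first key reappears.
import re
from collections import defaultdict

SEPARATOR = re.compile(r"^\*{10,}$")

# Kernel-hooking drivers belonging to the security products the thread names.
# Assumption for the example: build this from what is actually installed.
KNOWN_HOOKERS = {"pctcore.sys", "saskutil.sys", "mfehidk.sys"}

# Constructed sample in the SysProt format, modelled on the log above.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 97068000
Module End: 97126000
Hidden: Yes
******************************************************************************************
SSDT:
Function Name: ZwCreateProcess
Address: 887A9CDC
Driver Base: 887A0000
Driver End: 887D7000
Driver Name: \SystemRoot\system32\drivers\PCTCore.sys
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateFile
At Address: 82875D59
Jump To: 96FBA7A4
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenProcess
At Address: 82854B48
Jump To: 9A000010
Module Name: C:\Windows\system32\drivers\example_unknown.sys
******************************************************************************************
Ports:
Local Address: JB_LAPTOP:51446
Remote Address: 74.217.50.10:HTTP
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: ESTABLISHED
Local Address: JB_LAPTOP:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
"""


def parse_sysprot(text):
    """Return {section_title: [record, ...]}, each record a dict of Key -> Value."""
    sections, title, first_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line) or ":" not in line:
            continue  # blank line, separator, banner, or a 'No ... found' line
        key, _, value = (part.strip() for part in line.partition(":"))
        if not value:  # a 'Kernel Modules:' style line opens a new section
            title, first_key = key, None
            sections[title] = []
        elif title is not None:
            if first_key is None or key == first_key:  # first key again = new record
                first_key = key
                sections[title].append({})
            sections[title][-1][key] = value
    return sections


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def hidden_modules(sections):
    """Kernel modules present in memory but missing from the normal module list."""
    return [r["Module Name"] for r in sections.get("Kernel Modules", []) if r.get("Hidden") == "Yes"]


def hooking_modules(sections):
    """Map each driver owning an SSDT entry or inline kernel hook to the functions it hooks."""
    owners = defaultdict(set)
    for r in sections.get("SSDT", []):
        owners[r["Driver Name"]].add(r["Function Name"])
    for r in sections.get("Kernel Hooks", []):
        owners[r["Module Name"]].add(r["Hooked Function"])
    return dict(owners)


def unexpected_hookers(sections, allowlist=KNOWN_HOOKERS):
    """Hooking drivers that no known security product accounts for."""
    return sorted(m for m in hooking_modules(sections) if basename(m) not in allowlist)


def connections_by_process(sections):
    """Remote endpoints per process for TCP entries that are not plain listeners."""
    out = defaultdict(list)
    for r in sections.get("Ports", []):
        if r.get("Type") == "TCP" and r.get("State") != "LISTENING":
            out[r["Process"]].append(r["Remote Address"])
    return dict(out)
```

On a real log the two things to chase first are any module reported `Hidden: Yes` and any SSDT or inline hook owned by a driver you cannot tie to a product you know is installed; the port section is mostly useful for spotting a process that should not be talking to the network at all.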

----------



## NeonFx (Oct 22, 2008)

Alright. I can see the bugger. Please do the following:

*NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.*

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT!!! Save ComboFix.exe to your Desktop*


- *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. *Note*: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : *Disabling Security Programs*
- Double click on ComboFix.exe & follow the prompts.

*Note:* Combofix will run without the Recovery Console installed.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

*Notes:*

1. *Do not mouse-click ComboFix's window while it is running. That may cause it to stall.*
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of *ALL* CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. *CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.*


----------



## SteveReeves (Nov 30, 2009)

I had to restart ComboFix.exe several times because after I disabled antivirus software (e.g. McAfee, Doctor Spyware, etc), ComboFix indicated rootkit activity and prompted to reboot the machine. After re-boot, McAfee restarted during ComboFix preparing to run. I waited a while and thought that ComboFix had stalled then re-booted and re-disabled the antivirus software. Process repeated - that is ComboFix detected rootkit activity and prompted to reboot. This time, I stepped away from the machine and when I came back, it had finished. However, I was unable to locate a C:\ComboFix.txt file to post! Also, what did you see in the previous logs - just curious? Please advise as to next steps.


----------



## NeonFx (Oct 22, 2008)

The instructions for truly disabling McAfee should be similar to this:

MCAFEE SECURITY CENTER 7.1
Please navigate to the system tray and double-click the taskbar icon to open Security Center.


Click Advanced Menu (bottom mid-left). Click Configure (left). Click Computer & Files (top left). VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
Do the same via Internet & Network for Firewall Plus.

After doing that please run ComboFix.exe again.

Also, please attach C:\QooBox\Combofix-quarantined-files.txt for me in your next reply.

I saw signs similar to what I've seen in other systems with the same symptoms.


----------



## SteveReeves (Nov 30, 2009)

After running ComboFix.exe

I just ran PC tools Spyware Doctor and got the following:
Application.NirCmd - Info & PUAs
C:\Combofix\.....in registry, files, etc. for a total of 469 infections
Rootkit.TDSS
C:\windows\system32\tdlcmd.dll
also, McAfee Virus scanner flagged ComboFix.exe as an Artemis virus.
Help!


----------



## SteveReeves (Nov 30, 2009)

I will post results of re-running ComboFix.exe as soon as i have them....


----------



## NeonFx (Oct 22, 2008)

We could try using something different if McAfee insists on treating it as a virus. Let me know how it goes.


----------



## SteveReeves (Nov 30, 2009)

I was unable to find the combofix.txt file in the C:\combofix.txt. Nor did I see the other file (e.g. C:\QooBox\Combofix-quarantined-files.txt). I did see the directory but no Combofix-quarantined-files.txt. However, i did see an icon in my root directory called combofix. When i attempted to open it, it showed all of my drives with my C: drive highlighted in Red. I did double-click on it and it just opened to show the contents of the root directory. Please advise. Btw, I don have the folder options set to "show all files including hidden & system".


----------



## NeonFx (Oct 22, 2008)

Let's try the following.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
   - Right click on the Avenger.zip folder and select "Extract All..."
   - Follow the prompts and extract the *avenger* folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):


```
Files to move:
C:\Drivers\storage\R154200\iastor.sys | C:\Windows\System32\drivers\iaStor.sys
```
_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, open the avenger folder and *start The Avenger program* by clicking on its icon.


   - Right click on the window under *Input script here:*, and select Paste.
   - You can also click on this window and press (*Ctrl+V*) to paste the contents of the clipboard.
   - Click on *Execute*
   - Answer "*Yes*" twice when prompted.

4. *The Avenger will automatically do the following*:

   - It will *Restart your computer*. (In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice.*)
   - On reboot, it will briefly *open a black command window* on your desktop, this is normal.
   - After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
5. Please *copy and paste* or *attach* the contents of *c:\avenger.txt* into your reply.

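Both the OTS custom scan earlier in the thread (the `/md5start` list of storage drivers) and the Avenger script above rest on one idea: a boot-time rootkit in this family lives in a patched disk driver, so you compare the installed driver against a copy you trust and, on a mismatch, put the clean copy back (here, from the Dell driver store under `C:\Drivers\storage\R154200`). The Python below is an added example, not code from the thread, from OTS or from The Avenger: it hashes each named driver in an "installed" directory and a "reference" directory, reports match / mismatch / missing, and lists the source-to-destination pairs a restore would need without moving anything. The directories and file contents in `demo()` are constructed in a temporary folder so the script runs anywhere; the driver names are a subset of the OTS list.

```python
# Added example, not from the thread or from OTS/The Avenger: compare installed
# storage drivers with reference copies by hash and report the differences.
import hashlib
import os
import tempfile

# A subset of the names from the OTS /md5start list in the thread.
STORAGE_DRIVERS = ["iaStor.sys", "atapi.sys", "nvstor.sys", "iastorv.sys"]


def find_case_insensitive(directory, name):
    """Windows names are case-insensitive (iastor.sys == iaStor.sys); match that way on any host."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def file_hash(path, algo="sha256"):
    """Stream the file through hashlib; 'md5' reproduces what OTS prints, sha256 is preferable."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_drivers(installed_dir, reference_dir, names=STORAGE_DRIVERS, algo="sha256"):
    """Return {driver: status} with status in match, MISMATCH, missing-installed, missing-reference."""
    report = {}
    for name in names:
        installed = find_case_insensitive(installed_dir, name)
        reference = find_case_insensitive(reference_dir, name)
        if installed is None:
            report[name] = "missing-installed"
        elif reference is None:
            report[name] = "missing-reference"
        elif file_hash(installed, algo) == file_hash(reference, algo):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def restore_pairs(report, installed_dir, reference_dir):
    """(reference_copy, installed_path) for every MISMATCH: the two paths an Avenger
    'Files to move' line names. This only lists them; nothing is moved."""
    return [(find_case_insensitive(reference_dir, n), find_case_insensitive(installed_dir, n))
            for n, status in report.items() if status == "MISMATCH"]


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sandbox: a driver directory and a reference store with made-up bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "drivers")
        store = os.path.join(tmp, "driverstore")
        os.makedirs(drivers)
        os.makedirs(store)
        clean = b"MZ-constructed-clean-driver-image"
        _write(store, "iastor.sys", clean)                        # vendor copy, lower-case name
        _write(drivers, "iaStor.sys", clean + b"\x90\x90-tail")   # installed copy was altered
        _write(store, "atapi.sys", b"MZ-atapi")
        _write(drivers, "atapi.sys", b"MZ-atapi")                 # unchanged
        _write(drivers, "nvstor.sys", b"MZ-nvstor")               # no reference copy to check
        report = compare_drivers(drivers, store)                  # iastorv.sys: not installed
        pairs = restore_pairs(report, drivers, store)
        return report, [(os.path.basename(s), os.path.basename(d)) for s, d in pairs]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run the hashes from outside the suspect operating system where you can (a recovery environment, or the disk attached to another machine): a kernel-mode rootkit that filters disk access can hand a clean-looking image of its own host driver to anything reading the file from the running system, which is also why The Avenger performs the file swap during the reboot rather than from the desktop.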

----------



## SteveReeves (Nov 30, 2009)

see attached Log File. Btw, the machine only rebooted once.


----------



## SteveReeves (Nov 30, 2009)

Files request are attached. I am unable to launch IE8 (e.g. I double-click on the icon and nothing happens) after running ComboFix. Please advise.


----------



## NeonFx (Oct 22, 2008)

If you go to C:\Program Files\Internet Explorer\ and double-click on *iexplore.exe* does Internet Explorer start normally?

Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *Notepad* (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:


```
Folder::
c:\progra~2\zoripuzo
c:\progra~2\hutajebo
c:\progra~2\beheluze
c:\progra~2\yomojoji
c:\progra~2\rosegoye
c:\progra~2\fukeveho
c:\progra~2\kiweyewi

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
```
_NOTE: Make sure WordWrap is *unchecked* in Notepad by clicking on the "Format" menu icon._

Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.


----------



## SteveReeves (Nov 30, 2009)

No, double clicking on C:\Program Files\Internet Explorer\iexplorer.exe did not work. But prior to hearing back from you I ran CCleaner and later the CFScript.txt when I did hear back from you. IE8 appears to be working w/o having to run as admin - albeit it appears slow to launch (either directly or via links where it is the default browser). I have attached the second run of ComboFix. I pulled this from C:\ComboFix.txt. I'm assuming that this one overwrote the first one. Please advise as to next steps.


----------



## NeonFx (Oct 22, 2008)

Sorry for the delay in getting back to you. I didn't have any time to review logs yesterday. Other than the IE being slow to boot are you having any more problems?

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the contents of the following code box


```
[Unregister Dlls]
[Registry - Safe List]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{373c0bc1-cafe-442f-8dd4-7139773b89bb}" [HKLM] -> Reg Error: Key error. [buyihivas]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{BD962BAB-F429-460F-805B-B137087AB623}" [HKLM] -> Reg Error: Key error. []
[Empty Temp Folders]
[ClearAllRestorePoints]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.log* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally. 
If it seems to get stuck, give it some time. It's probably still working.

*STEP 2*

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.

*STEP 3*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:


Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.

*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.


Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:


Spyware, adware, dialers, and other riskware
Archives
E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.

Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply

*STEP 4*

Run *OTS* again and click on the *Quick Scan* button at the top. Attach the results of this scan in your next reply.


----------



## SteveReeves (Nov 30, 2009)

All of my settings are gone! There's nothing in All Programs - what's happened? I will attach the log from OTS. Should I continue with step 2? Please advise ASAP! btw, IE prior to this run was working ok....


----------



## NeonFx (Oct 22, 2008)

I'm sorry to hear that. Let's try to figure out what happened.

Please run *OTS.exe* and under the *Custom Scans* section please paste in the following:

*C:\_OTS\*.* /s*

Then click on the *Quick Scan* button. Attach the results of this scan to your next reply for me.

It might be too large to attach here. If so, please attach it to http://drop.io instead.


----------



## SteveReeves (Nov 30, 2009)

Do you want me to stop the scan by *Kaspersky Online Scanner*? Thus far it's found 1 threat and 1 infected object. It's been running for an hour and is only 4% done. Please advise.


----------



## NeonFx (Oct 22, 2008)

We might as well let that run to completion. Run the OTS Custom Scan after that's done.


----------



## SteveReeves (Nov 30, 2009)

Any idea on how long this will run? I have a 160GB local HD (e.g. C:\) and a 500GB external drive attached. If you want me to continue, I will wait until it finishes and execute the OTS.exe under custom scans as you indicated. Please advise.


----------



## NeonFx (Oct 22, 2008)

Let's do something different after the Kaspersky scan.

When you complete the Kaspersky scan (it will take quite a while) please run *OTS.exe* and under the *Custom Scans* section please paste in the contents of the following code box:


```
hklm\software\microsoft\windows\currentversion\explorer\shell folders
hkcu\software\microsoft\windows\currentversion\explorer\shell folders
hklm\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
set /c
C:\_OTS\*.* /s
```
Then click on the *Quick Scan* button. Attach the results of this scan to your next reply. If it is too large to attach, please use http://drop.io instead.


----------



## SteveReeves (Nov 30, 2009)

I have attached requested files / results. Please advise.


----------



## NeonFx (Oct 22, 2008)

Thank you, I'm consulting with others on your issue. 

Could you give me an update on all of the symptoms you notice? Please let me know what seems to be missing as well.


----------



## SteveReeves (Nov 30, 2009)

I am now unable to boot normally....receiving a message that indicates my user profile is not recognized! I had to boot in safe mode to submit this reply. Also, in addition to my Vista settings (e.g. programs that are usually present via the start button are gone, etc.), my wireless network connection is now prompting for the WEP network key - which I don't have - looking for it.... I need help restoring my Vista settings. Please advise.


----------



## NeonFx (Oct 22, 2008)

Hi Steve.

I am very sorry to have to say this but there is really nothing we can do to restore your computer to the state it was in before we ran that tool. We have discovered the source of the problem and there's no easy way to say this but as a result of the problem a whole lot of files have been deleted from your system.

Just about everything in your User folders has been deleted as a result of a procedure in the tool that we used. The tool attempts to delete all the temporary files off your system to clean it up a bit. Because of a corrupt setting in your operating system's registry, the tool essentially became confused and started deleting everything instead. No backup of this information was created.

The bug has been corrected by the developer so that this will not happen again in the future but in your case there is nothing we can do to easily recover your lost data.

A lot of the Software on your system may have had necessary files in these folders and as a result will not function as they should. You could reinstall the software but there is always the chance that something won't run as it should because of it. Your only real option to fix this problem properly is to perform a clean install of your operating system.

This entails erasing everything that is on your hard drive by formatting it and reinstalling Windows. You can find a good tutorial on how to do that HERE. The good thing about performing a clean install is that all the problems you've been having with the Operating System will be resolved as it will make your system seem like new.

You might still be able to recover some of the deleted files using some third party recovery tools. Recovering the files will not solve this problem, but you can at least attempt to recover those files which are important to you. If there are important files that you need to recover you should look into this further. There are many options out there. I have no experience with any of them and therefore cannot recommend any from personal experience but you can look at reviews for various options at different websites. See HERE and HERE for good articles describing what some of your options are.

To allow you to boot into Normal mode you can try creating a new user as described by Microsoft at this website . If it works it should allow enough access to your system to backup whatever data you can find/recover. I cannot guarantee that creating a new user will help, but it might. Please note that for file recovery to work properly you have to not do anything to a system until after you've recovered the files because of how it all works. Creating a new user might place new data on top of the old data rendering it unrecoverable.

Should you need assistance with the file recovery or with a clean install of your system (obtaining the necessary drivers for example) you should create a new topic in the Windows Vista forum where you will receive better assistance with those topics.

I am truly sorry about this,

NeonFx


----------



## SteveReeves (Nov 30, 2009)

Can you contact one of your peers / volunteers in the Windows Vista forum to assist as I don't have any experience with this. That way you can explain what's happened and I can begin rebuilding my system ASAP.


----------



## TerryNet (Mar 23, 2005)

Probably best to start a new thread in the Vista forum. Give a short summary and reference this thread, in particular posts 25 and 26.

*EDIT*: for those wishing to help or follow along here is the new thread.


----------



## SteveReeves (Nov 30, 2009)

I'm back! I have restored my machine per my PM. What are the next steps?


----------



## NeonFx (Oct 22, 2008)

Excellent news. I guess I should have asked if you had a backup 

Please stick to the forums and only use the PM system for private conversations.

here's what you said in your PM:



> *Able to Restore My Machine From a Backup*
> Some good news! I was able to restore my machine from an earlier backup. I lost some data, but not all of my programs. My backup is approximately 12 to 15 days old. Where do we start to resolve the viruses on my machine?


Also, is there a reason you think your system is infected?


----------



## SteveReeves (Nov 30, 2009)

As in the original post, I believe that I was infected prior to the backup and it became more apparent as days progressed after the backup. That's when I submitted the post. I was fortunate in that I did have a backup, albeit it's not current and possibly infected. What are the next steps?


----------



## NeonFx (Oct 22, 2008)

Alright. Let's start over. Please follow these instructions carefully:

*Step 1*

Download *OTS* to your Desktop


Close *ALL OTHER PROGRAMS*.
Double-click on *OTS.exe* to start the program.
Check the box that says *Scan All Users*
Under Additional Scans check the following:

Reg - Desktop Components
Reg - Disabled MS Config Items
Reg - NetSvcs
Reg - Shell Spawning
Reg - Uninstall List
File - Lop Check
File - Purity Scan
Evnt - EvtViewer (last 10)

Please copy the following into the Custom Scans box at the bottom


```
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
nvatabus.sys
si3112.sys
viadsk.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
/md5stop
```

Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.

Please *attach* the log in your next post. To do so click on the blue *"Reply"* button or *"Go Advanced"* and click on the "*Manage Attachments*" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

*Step 2*

Download the *GMER Rootkit Scanner*. Unzip it to your Desktop.

*Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.*

Double-click *gmer.exe*. The program will begin to run.

***Caution***
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click *NO*
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is *un-checked*.
Now click the Scan button.
_Once the scan is complete, you may receive another notice about rootkit activity._
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "*GMER.txt*"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


----------



## SteveReeves (Nov 30, 2009)

See attached results


----------



## NeonFx (Oct 22, 2008)

Your computer was infected by a rootkit you downloaded off of LimeWire. Did you install these after the backup was made or before?

Please delete these two files if there:

G:\Downloads\Crackz\MultiMedia\LimeWire\v5.3.6\*Lavasoft_Ad-Aware_2009_Pro_v8.rar*
G:\Downloads\Crackz\LiveWire Pro\Programs\*Slysoft AnyDVD V6.5.5.9 + Reg Crack [2009].zip*

Please also uninstall the programs from your system. I see evidence that both are on your system.

There is no reason to download cracked versions of security programs. There are free programs that perform just fine. Peer to Peer networks are one of the principal methods malware uses to spread.

Download *CKScanner* from *here*

*Important :* Save it to your desktop.


Double-click CKScanner.exe and click *Search For Files*.
After a very short time, when the cursor hourglass disappears, click *Save List To File*.
A message box will verify that the file is saved.
Double-click the *CKFiles.txt* icon on your desktop and copy/paste the contents in your next reply.

After doing that, please run *OTS.exe* again and click on the *Quick Scan* button. Attach the results of this scan to your next reply.


----------



## SteveReeves (Nov 30, 2009)

I deleted files as you requested and uninstalled s/w. I do not know if this s/w was installed prior to the backup or after. The OTS file was done using the "Quick Scan" button. The above files are attached. Please advise as to next steps.


----------



## NeonFx (Oct 22, 2008)

Alright. We're almost done. Have you noticed any new symptoms?

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the contents of the following code box


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{373c0bc1-cafe-442f-8dd4-7139773b89bb}" [HKLM] -> Reg Error: Key error. [buyihivas]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{BD962BAB-F429-460F-805B-B137087AB623}" [HKLM] -> Reg Error: Key error. []
[Files/Folders - Unicode - All]
NY -> C:\Windows\System32\?á???á?á?á?á?á?á -> C:\Windows\System32\&#59888;á&#20189;&#30605;&#59840;á&#59876;á&#59880;á&#59872;á&#60168;á&#60184;á
NY -> C:\Windows\System32\?á???á?á?á?á?á?á -> C:\Windows\System32\&#59888;á&#20189;&#30605;&#59840;á&#59876;á&#59880;á&#59872;á&#60168;á&#60184;á
[Alternate Data Streams]
NY -> @Alternate Data Stream - 368 bytes -> C:\Users\JB\AppData\Local\desktop.ini:722b2b1c349a06abf0e866180e5a7e63
[Custom Items]
:files
c:\progra~2\zoripuzo
c:\progra~2\hutajebo
c:\progra~2\beheluze
c:\progra~2\yomojoji
c:\progra~2\rosegoye
c:\progra~2\fukeveho
c:\progra~2\kiweyewi
:end
[ClearAllRestorePoints]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.log* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally. 
If it seems to get stuck, give it some time. It's probably still working.

*STEP 2*

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.

*STEP 3*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:


Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.

*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.


Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, adware, dialers, and other riskware
Archives
E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.

Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply

*STEP 4*

Run *OTS* again and click on the *Quick Scan* button at the top. Attach the results of this scan in your next reply.


----------



## SteveReeves (Nov 30, 2009)

Ok, about to run OTS; problem which deleted key files fixed - right?


----------



## NeonFx (Oct 22, 2008)

It's fixed, but I didn't tell OTS to delete the temp files just in case. You're good to go.


----------



## SteveReeves (Nov 30, 2009)

The machine appeared to be running better - but that had happened before I contacted you. See status below:
I completed step 1 - see attached results. However, the Kaspersky scan - Step 3 - was taking a long time, so I allowed it to run overnight. It did not complete. It looks like it stopped / "hung" after 9 hours. So, I'm restarting. Also, when we started this troubleshooting, you had me run ComboFix which found one of the problems on the machine (e.g. c:\windows\system32\tdlcmd.dll). Since you did not have me re-run that tool after I restored the hard drive, can we be certain that this virus is no longer on the machine? See post #13


----------



## NeonFx (Oct 22, 2008)

I see no evidence of it being on your system but if it was still there the Kaspersky scan would tell us. I don't want to run ComboFix unless we have to because it does a whole lot more than just hunt down bad files.


----------



## SteveReeves (Nov 30, 2009)

Sorry for the delay, but the Kaspersky scan took a long time and I had to restart it at least once. See attachments. Please advise as to next steps.


----------



## NeonFx (Oct 22, 2008)

You're looking fine my friend. Have you noticed any symptoms?

We'll need to clear out your old system restore backups just in case you're keeping a copy of the infection there. Follow the instructions HERE to do that.

You might also want to do away with your backups in that backup software you're using and create a new, clean, backup.

Are you ready to close this up?


----------



## SteveReeves (Nov 30, 2009)

Yes! I did notice last night that IE8 was "crawling" (i.e. slow as time in terms of loading webpages). At the time I was not running the Kaspersky scan. All I had open were IE8 windows....After we're done, I'll need a good antispyware / malware pkg. I'm currently using McAfee, which doesn't appear to be getting the job done if rootkits and other types of viruses were on my machine. But, I'll get your recommendation later. What are our next steps?


----------



## SteveReeves (Nov 30, 2009)

btw, I forgot to ask you this. While rebooting I saw the following message "lsdelete not found during boot" in DOS before Vista started. I did a search of the registry for lsdelete and found C?\Windows\system32\lsdelete.exe. Also a number of references to a key BootExecute with a value of "autocheck lsdelete". Please advise.


----------



## NeonFx (Oct 22, 2008)

I noticed the lsdelete problem in your first ComboFix report. I subsequently decided it had to do with how your registry seems to be corrupt in a number of places. Remember that the culprit of the problem we had with OTS was not a bug in the program but that your registry was found to be corrupted in one area and that that caused OTS to get confused. It's very possible that other areas of the registry are affected in similar ways and the symptoms of these corruptions will probably not even be noticeable in the future. 

That is why I believed a complete reformat and reinstall of your operating system was the best idea over attempting to recover your lost files. 

We can fix that one problem right now if you like but you should be aware that there may be problems that we can't identify at this time. If you find that you notice problems every so often that you can't explain this would probably explain those. 

Where in the registry did you find "C?\Windows\system32\lsdelete.exe" ?


----------



## SteveReeves (Nov 30, 2009)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\717593742EB9D6A4D82579158993BE8D]
"B0B35DEDC76B4424EAA66DDFC3821DFE"="C?\\Windows\\system32\\lsdelete.exe"


----------



## NeonFx (Oct 22, 2008)

This website tells me that ad-aware created that value. Have you uninstalled that?


----------



## SteveReeves (Nov 30, 2009)

Yes, I uninstalled it earlier as you requested. Maybe the uninstaller didn't remove some parts / pieces. I have CCleaner which I ran after the uninstall.


----------



## NeonFx (Oct 22, 2008)

We don't recommend the use of registry cleaners as they provide little if any benefit and can at times (it has on quite a few systems) screw your system up.

You're probably right, it doesn't look like they designed their uninstaller all that well.

Let's do the following to fix that immediate problem:

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the contents of the following code box


```
[Kill All Processes]
[Custom Items]
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\User Data\S-1-5-18\Components\717593742EB9D6A4D82579158993BE8D]
:end
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.log* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally. 
If it seems to get stuck, give it some time. It's probably still working.


----------



## SteveReeves (Nov 30, 2009)

It rebooted the machine after the run. I didn't see the lsdelete message. I have attached the results of the run.


----------



## SteveReeves (Nov 30, 2009)

I did another registry search after the post. See results, two keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\717593742EB9D6A4D82579158993BE8D]
"B0B35DEDC76B4424EAA66DDFC3821DFE"="C?\\Windows\\system32\\lsdelete.exe"

BootExecute "autocheck lsdelete"

As I mentioned in the earlier post, I did not see the lsdelete message during boot.


----------



## NeonFx (Oct 22, 2008)

If the registry value was recreated then you still have Ad-Aware installed, or at least components of it. You might want to download and install Ad-Aware to then uninstall it once again if you really want to remove it. If not, there's probably no harm in leaving it as it is.


----------



## SteveReeves (Nov 30, 2009)

I was thinking of just deleting the key values (i.e. "C?\\Windows\\system32\\lsdelete.exe" and "autocheck lsdelete"). What do you think? Also, regarding virus clean up / detection, what are the next steps?


----------



## NeonFx (Oct 22, 2008)

I already replaced the BootExecute value with what it's supposed to have:
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00

If it has the lsdelete in there it's because something else put it there after I replaced it. You should just leave those values alone. 

I'll follow up with advice and cleanup soon.
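As an added example (not code from the thread, from OTS or from the author), here is a small Python decoder for the `hex(7)` REG_MULTI_SZ form used in the BootExecute fix above; it checks the decoded entries against the stock value and flags anything extra, such as the "autocheck lsdelete" entry discussed here. The sample lines are constructed from the thread's fix; the UTF-16LE branch is an assumption about regedit's own export format.

```python
import re

# Constructed from the OTS fix in the thread: the single-byte hex(7) encoding
# of the default Vista BootExecute value, "autocheck autochk *".
DEFAULT_BOOTEXECUTE_LINE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,'
    '61,75,74,6f,63,68,6b,20,2a,00,00'
)

# Baseline for a stock system. Any other entry (for example the
# "autocheck lsdelete" left behind by an Ad-Aware uninstall) gets reported.
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]


def decode_hex7(reg_line):
    """Decode a .reg-style 'hex(7):aa,bb,...' REG_MULTI_SZ value into a list of strings.

    Accepts the single-byte form seen in the thread and (assumption) regedit's
    UTF-16LE export form (aa,00,bb,00,...). Strings are NUL separated and the
    list ends with an empty string, which is dropped. Continuation lines
    ending in a backslash are joined first.
    """
    cleaned = re.sub(r'\\\r?\n\s*', '', reg_line).strip()
    m = re.search(r'hex\(7\):((?:[0-9a-fA-F]{2},?)+)$', cleaned)
    if not m:
        raise ValueError("not a hex(7) value: %r" % reg_line)
    raw = bytes(int(b, 16) for b in m.group(1).split(',') if b)
    # ASCII text written as UTF-16LE has a 0x00 high byte for every character.
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    return [s for s in text.split('\0') if s]


def encode_hex7(strings):
    """Encode a list of strings as a single-byte 'hex(7):...' value (the form used above)."""
    raw = ('\0'.join(strings) + '\0\0').encode('latin-1')
    return 'hex(7):' + ','.join('%02x' % b for b in raw)


def audit_bootexecute(reg_line, expected=EXPECTED_BOOTEXECUTE):
    """Return the BootExecute entries that are not part of the expected baseline."""
    return [entry for entry in decode_hex7(reg_line) if entry not in expected]


if __name__ == '__main__':
    print(decode_hex7(DEFAULT_BOOTEXECUTE_LINE))
    # Constructed: the state the thread describes after the Ad-Aware
    # uninstaller left "autocheck lsdelete" behind.
    suspicious = '"BootExecute"=' + encode_hex7(
        ["autocheck autochk *", "autocheck lsdelete"])
    print(audit_bootexecute(suspicious))
```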


----------



## SteveReeves (Nov 30, 2009)

NeonFx:

While waiting on your next steps, I ran following programs against My Computer:

1. SpyBot Search and Destroy - Nothing found
2. SuperAntispyware - No Viruses found, but tracking cookies which I removed, and 
3. MalwareBytes` Anti-malware - C:\32788R22FWJFW\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully 

I've seen this before, that is where the tool indicates that it's gone only to find out via a re-run of the tool that it's still there. I have attached the log from this run. Please advise.


----------



## NeonFx (Oct 22, 2008)

What MalwareBytes found is part of ComboFix and nothing to worry about.

Sorry about the delay, I've been a little busy studying for finals.

If you're going to uninstall your current antivirus, please select *ONE* of the following free security programs and install it: AVG, Avast, AntiVir, Comodo

There is more advice in the links at the bottom of this post.

Excellent. Let's cleanup.

*STEP 1*

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7 just paste it into the text box that appears next to your start button)

*ComboFix /Uninstall*

Note: If you renamed ComboFix to something else (Combo-Fix or Gotcha for example) you might have to change the command accordingly: Combo-Fix /Uninstall

*STEP 2*

To clean up OldTimer's tools, along with a few others, do the following:


Run OTS.exe by double clicking on it
Click on the *"CleanUp"* button on the top.
You will be asked if you wish to reboot your system, select *"Yes"*

*STEP 3*

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the *Shift* key, and select *"Delete"* by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)

You might want to keep MalwareBytes AntiMalware though and that's fine. Make sure you update it before you run the scans in the future.

*All Clean*

Congratulations, *your system is now clean*. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

*Microsoft Windows Update*
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to *(Start) > (All) Programs > Windows Update*
To update Office
Open up any Office program.
Go to *Help > Check for Updates*

*Download and Install a HOSTS File*
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.

See how to get it HERE
(For Vista and 7 see HERE )

You can also use a tool to update your Hosts file. See HERE and HERE

If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Note: A Hosts file can slow some systems down. If it is slowed down beyond tolerable you might want to empty the Hosts file or reset it using one of the tools.

*Install WinPatrol*
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

*Other Software Updates*
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for *Java* and *Adobe* as these are subject to many security vulnerabilities.

*Setting up Automatic Updates*
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

*Read further information* HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.

Please mark this thread as "Solved" by clicking on the button at the top of this page. Let me know if you need anything else.


----------



## SteveReeves (Nov 30, 2009)

No problem. thx for all the help and good luck with your exams! I still have a few questions before I start the cleanup. I'm having a problem with McAfee and I don't know if it's virus related or something else. Periodically, it will unprotect the machine without reason. I can re-enable by clicking on fix, but it keeps happening! Also, regarding the free anti-virus programs that you recommended, the current McAfee s/w that I have does the following:

Firewall
Antivirus, antimalware, etc
Spyware blocker,
internet web page advisor
e-mail
spam, etc.
Albeit, it didn't prevent my machine from being infected! Any recommendation for free programs that provide this kind of protection? Real protection? I wonder about that Kaspersky scan that you had me run - any free s/w out there that provides similar results?


----------



## NeonFx (Oct 22, 2008)

All programs will have little glitches like the one you describe about it turning itself back on. The big programs like McAfee and Norton are notorious for being difficult to disable or remove from a system once they get their big tentacles on it haha. 

I understand your concern, but honestly, you would have gotten infected regardless of the program you had installed. You got hit with one of the latest and greatest the bad guys have come up with and none of the security program companies have caught up enough to successfully deal with it. If you're happy with McAfee and all of the features it provides, by all means keep it! It's a great program and others won't really work any better than it does in the big picture. 

It doesn't matter what kind of protection you have as long as you are protected. I know you want the very best, but in the end all of the popular programs are relatively equals. You need to pick one you like and that fits best to your needs and stick with it.


----------



## SteveReeves (Nov 30, 2009)

Didn't see how to reset restore points. Please advise.


----------



## NeonFx (Oct 22, 2008)

See HERE for a complete guide to restore points in Vista.


----------



## SteveReeves (Nov 30, 2009)

thanks for all of your help!


----------

