Solved: tdlcmd.dll infected can not remove -HJT Log

Trigger2991 · 20-Nov-2009, 09:35 AM #1

Hi there,
I use AVG 9 and it continually brings up an infection warning about tdlcmd.dll. I can remove the infection but it will reappear. I found another forum saying they successfully removed the infection with Windows Defender, however i have done this and the infection still reappears. Another thread was answered and Combofix was used to remove it, however i don't want to get ahead of myself, can you please assist with removal of this?

HJT Log file:
-------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:37 AM, on 21/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 9300 Series\lxcqmon.exe
C:\Program Files\Lexmark 9300 Series\ezprint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcqcoms.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\Flash Capture\fcbho.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [lxcqmon.exe] "C:\Program Files\Lexmark 9300 Series\lxcqmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 9300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Adam Smith\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\Flash Capture\fciext.dll/FCIEXT.htm
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\Flash Capture\fciext.dll
O9 - Extra button: Extract Flash Video with Bytescout... - {B4321882-BDAD-440D-B124-75233240F897} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1212559071437
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1ca0c05933fc922) (gupdate1ca0c05933fc922) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcq_device - - C:\WINDOWS\system32\lxcqcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10873 bytes

NeonFx · 20-Nov-2009, 03:45 PM #2

Hello there

Welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - NetSvcs
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Please copy the following into the Custom Scans box at the bottom

Code:

%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\si3112.sys /s /md5
%SYSTEMDRIVE%\viadsk.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

Click on the Log tab.
In the Write to log box select All items.
Place a checkmark next to Hidden Objects Only
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
(Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

Trigger2991 · 20-Nov-2009, 07:42 PM #3

Hi NeonFx,
Thanks so much for your time and efforts, i really appreciate it.

Log file from OTS is attached.

Sysprot Log:
------------------
SysProt AntiRootkit v1.0.1.0
by swatkat

*************************************************************************** ***************
*************************************************************************** ***************

No Hidden Processes found

*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AC29A000
Module End: AC2B2000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5BE000
Module End: BA5C0000
Hidden: Yes

*************************************************************************** ***************
*************************************************************************** ***************
No SSDT Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
No Kernel Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
No IRP Hooks found

*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: ADAM:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: ADAM:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: ADAM:5152
Remote Address: LOCALHOST:1979
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: ADAM:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: ADAM:1064
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: ADAM:2381
Remote Address: 211.2.233.220.STATIC.EXETEL.COM.AU:HTTP
Type: TCP
Process: C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
State: CLOSE_WAIT

Local Address: ADAM:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ADAM:45071
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\DNA\btdna.exe
State: LISTENING

Local Address: ADAM:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: ADAM:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: ADAM:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ADAM:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ADAM:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ADAM:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ADAM:1900
Remote Address: NA
Type: UDP
Process: C:\Program Files\DNA\btdna.exe
State: NA

Local Address: ADAM:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ADAM:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: ADAM:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: ADAM:60371
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ADAM:45071
Remote Address: NA
Type: UDP
Process: C:\Program Files\DNA\btdna.exe
State: NA

Local Address: ADAM:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: ADAM:1031
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: ADAM:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: ADAM:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: M:\Julie Copy\Music\Sutherland-Horne-Conrad-Bonynge - The Age Of Belcanto\Disc 1\12 Ich baue ganz auf deine Sta¨rke.flac
Status: Hidden

Object: M:\Julie Copy\Music\Sutherland-Horne-Conrad-Bonynge - The Age Of Belcanto\Disc 2\3 Weber, Der Freischu¨tz.flac
Status: Hidden

Object: M:\Julie Copy\Music\Sutherland-Horne-Conrad-Bonynge - The Age Of Belcanto\Disc 2\7 Santo di patria . . . Allor che i forti corrono . . . Da te questo or m'e` concesso.flac
Status: Hidden

Object: M:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: M:\System Volume Information\tracking.log
Status: Access denied

Object: M:\System Volume Information\_restore{025B975B-FBD3-4DE0-899E-8E330F2E4991}
Status: Access denied

Object: M:\System Volume Information\_restore{8BF12CBB-EDE1-467A-A6D7-54AE8CBDDA81}
Status: Access denied

Object: D:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: D:\System Volume Information\tracking.log
Status: Access denied

Object: C:\Documents and Settings\Adam Smith\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\Adam Smith\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

NeonFx · 20-Nov-2009, 08:59 PM #4

Good Job. Please do the following now:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
Double click on ComboFix.exe & follow the prompts.

Note: Combofix will run without the Recovery Console installed.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. A increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Trigger2991 · 21-Nov-2009, 02:49 AM #5

Hi NeonFx,

Combofix has been run. Log file is attached. AVG resident shield is still disabled, please advise next course of action.

NeonFx · 21-Nov-2009, 03:02 AM #6

That didn't work as well as I'd hoped, we'll need a bigger hammer to get this guy.

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:

Files to move:
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\System32\DRIVERS\atapi.sys

Files to delete:
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tdlclk.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

5. Please copy and paste or attach the contents of c:\avenger.txt into your reply.

You can reenable the resident shield after you complete my steps and then disable it again when I give you more to complete.

NeonFx · 21-Nov-2009, 03:04 AM #7

After running that please run ComboFix by double clicking on it again. Please attach C:\ComboFix.txt to your next reply so that I can verify that it worked.

Trigger2991 · 21-Nov-2009, 09:36 AM #8

Hi NeonFx,

I ran Avenger and my PC needed to be restarted, although now i have problems. Windows won't boot properly at all. It brings up the boot mode options screen which contains:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration
Start Windows Normally

If I choose to start windows normally, it will display the Windows logo for a split second and then reboot. The Last Known good configuration immediately reboots. And all Safe Mode options show a list of all the system files that are starting, then reboots.

So i am a bit screwed at the moment as i'm not sure how to fix this as i can't get any kind of access even to a command prompt. I installed the recovery console as part of Combofix, can we use it to correct this?

NeonFx · 04:46 PM

Yes, the Recovery Console gives us a command prompt we can use. You should have a black and white menu that comes up before the Safe Mode menu that asks you if you want to boot into Windows or the Recovery Console. Use your arrow keys to select the Recovery Console from the list.

I'm sorry to say this but it happens sometimes that our tools will pick something up that's actually legitimate. I just noticed that pciide.sys was deleted by ComboFix when it shouldn't have been.

Please go into the Recovery Console. It will ask you which installation of Windows you want to log into. Usually this is "1". If you set up an Administrator password enter it and then press Enter. If not, the password is blank. Just press Enter without typing anything in and you should be presented with a prompt.

At the prompt type the following:

cd C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\

It should move the prompt into that folder after you press Enter. Then type the following:

dir

and press Enter. You should see pciide.sys.vir listed there.

If you saw that, please type in the following:

copy pciide.sys.vir C:\WINDOWS\system32\drivers\pciide.sys

and press Enter. (If you didnt see that file listed there, please tell me what you saw)

Then type the following two commands pressing Enter after each:

cd C:\windows\system32\drivers\
dir

It will give you a long list of files. Let me know if you see atapi.sys and pciide.sys among them.

Then restart your computer by typing exit and press Enter.

Let me know if you can boot into Windows now.

Edit:
When you have a long list of files you press the Space key on your keyboard to scroll down in the Recovery Console.

Trigger2991 · 21-Nov-2009, 09:26 PM **#10**

Hi NeonFx,
Excellent, thanks for your help, I realise you are a volunteer and I appreciate it!

Ok, i'm in the recovery console but I can't change to C:\Qoobox as it says "Access is denied." When logging on to the windows installation the only option presented was
"1: C:\WINDOWS". When I select 1 it then logs me in and presents me with C:\WINDOWS. There is no mention of an admin password. Is this what's preventing me from accessing the Qoobox directory? How do I authenticate myself to access this directory?

I checked the contents of C:\Windows\system32\drivers and it does contain atapi.sys but it does not contain pciide.sys. It does however contain pciidex.sys. Is this just the file renamed? Can I rename this to pciide.sys?

NeonFx · 21-Nov-2009, 09:32 PM **#11**

The recovery console is designed to prevent access to anything other than the system files in order to prevent breaches of the security of your personal files. Regrettably, this makes it a little more difficult for us.

Please try the following command:

copy c:\windows\system32\dllcache\pciide.sys c:\windows\system32\drivers\pciide.sys

What that does is grab a copy of the file from c:\windows\system32\dllcache\

Also, pciidex.sys is not the same file.

Trigger2991 · 21-Nov-2009, 09:41 PM **#12**

C:\windows\system32\dllcache does not contain a copy of pciide.sys so no joy.... can I download a copy? Does the CDROM or USB work in recovery console?

NeonFx · 21-Nov-2009, 10:02 PM **#13**

Yes, a CD does work in the Recovery Console. I'm not sure about a USB drive, but it's also worth a try.

I have attached a copy of the file for you HERE . All you need to do is either burn it or put it on a USB drive and then run the following command in the Recovery Console:

copy D:\pciide.sys c:\windows\system32\drivers\pciide.sys

Where D: is whatever the drive letter is for your CD drive. It might be E: . Let me know if you need help.

Trigger2991 · 21-Nov-2009, 11:05 PM **#14**

Thanks mate, that fixed it. Windows now starts normally.

The Avenger log appeared immediately, it is attached.
I then ran Combofix as you requested, it's log is also attached.

Combofix failed the first time, the PC shut down completely and i had to switch it back on. So i ran it again and it was successful. Although i noticed during it's run it said "Delete file tdlclk.dll - Can not delete as this file is in use" or something to that effect.

NeonFx · 22-Nov-2009, 02:12 AM **#15**

I'm glad that worked

As you can tell ComboFix was updated to remove that from the hitlist. You were one of the unlucky few who had that happen to them.

Please run OTS.exe and under the custom scans section please copy and paste the following:

C:\atapi.sys /s /md5

Then click on the Quick Scan button for me. Attach the results of this scan in your next reply for me. This is to verify that the infected atapi.sys was replaced with a good copy.

Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard network printer problem ram registry router security slow software sound toshiba trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!