IE 8 and desktop icons locking up. [Solved] - Geeks to Go Forums


#31 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 08:15 AM

Bad laptop log for your reading pleasure.

TDSSKiller Quarantine Information log
Version 1.0.0.4
***** START SCAN Sat 04/28/2012 10:10:45.75 *****

---------- TDSSKiller logs ----------

TDSSKiller.2.7.33.0_27.04.2012_13.45.56_log.txt
TDSSKiller.2.7.33.0_27.04.2012_13.53.34_log.txt
TDSSKiller.2.7.33.0_27.04.2012_14.00.02_log.txt
TDSSKiller.2.7.33.0_27.04.2012_19.05.21_log.txt

---------- TDSSStarter logs ----------


---------- DIR LIST ----------


---------- INI FILES ----------

=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0000\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0000\svc0000\object.ini

[InfectedObject]
Type: Service
Name: InstallFilterService
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0000\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
md5: 987a2cc8ec0e86caa2d8068b1ed7b441


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0001\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0001\svc0000\object.ini

[InfectedObject]
Type: Service
Name: Pml Driver HPZ12
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: %SystemRoot%\System32\svchost.exe -k HPZ12


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0001\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Windows\system32\HPZipm12.dll
md5: 13fbe33e8ab8284c6a3c6ce86fa59ea0


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0002\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0002\svc0000\object.ini

[InfectedObject]
Type: Service
Name: SecureStorageService
Type: n/a (0x10)
Start: Demand (0x3)
ImagePath: "C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe"


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0002\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
md5: f6a6dbd275ec9ef7b573e48b3fd8d3df


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0003\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0003\svc0000\object.ini

[InfectedObject]
Type: Service
Name: tcsd_win32.exe
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe"


=== C:\TDSSKiller_Quarantine\27.04.2012_13.53.34\susp0003\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
md5: 69f1a38a6dbfe682491cb61a596662e3


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0000\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0000\svc0000\object.ini

[InfectedObject]
Type: Service
Name: InstallFilterService
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0000\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
md5: 987a2cc8ec0e86caa2d8068b1ed7b441


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0001\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0001\svc0000\object.ini

[InfectedObject]
Type: Service
Name: Pml Driver HPZ12
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: %SystemRoot%\System32\svchost.exe -k HPZ12


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0001\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Windows\system32\HPZipm12.dll
md5: 13fbe33e8ab8284c6a3c6ce86fa59ea0


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0002\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0002\svc0000\object.ini

[InfectedObject]
Type: Service
Name: SecureStorageService
Type: n/a (0x10)
Start: Demand (0x3)
ImagePath: "C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe"


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0002\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
md5: f6a6dbd275ec9ef7b573e48b3fd8d3df


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0003\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0003\svc0000\object.ini

[InfectedObject]
Type: Service
Name: tcsd_win32.exe
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe"


=== C:\TDSSKiller_Quarantine\27.04.2012_19.05.21\susp0003\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
md5: 69f1a38a6dbfe682491cb61a596662e3
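
As an added example (not part of the original posts and not TDSSKiller's own code), the Python below parses text laid out like the "INI FILES" section of the log above and collapses repeated scans into one row per MD5, which shows at a glance when several runs quarantined the same file. The sample input is constructed (service name, path and hash are placeholders); because each service section repeats the `Type` key, the code reads lines directly instead of relying on a strict INI parser.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "INI FILES" section: one suspect,
# seen in two scan runs. Service name, path and hash are placeholders.
ENTRY = r"""=== C:\TDSSKiller_Quarantine\{run}\susp0000\object.ini
[InfectedObject]
Verdict: UnsignedFile.Multi.Generic
=== C:\TDSSKiller_Quarantine\{run}\susp0000\svc0000\object.ini
[InfectedObject]
Type: Service
Name: ExampleSvc
Type: n/a (0x10)
Start: Auto (0x2)
ImagePath: C:\Program Files\Example\svc.exe
=== C:\TDSSKiller_Quarantine\{run}\susp0000\svc0000\tsk0000.ini
[InfectedFile]
Type: Raw image
Src: C:\Program Files\Example\svc.exe
md5: 00000000000000000000000000000000
"""
SAMPLE = ENTRY.format(run="27.04.2012_13.53.34") + ENTRY.format(run="27.04.2012_19.05.21")

# "=== <path>" lines name the file; the run folder and suspNNNN identify the object.
HEADER = re.compile(r"^=== .*\\(\d\d\.\d\d\.\d{4}_\d\d\.\d\d\.\d\d)\\(susp\d+)\\")
WANTED = {"Verdict", "Name", "Start", "ImagePath", "Src", "md5"}

def parse_quarantine(text):
    """Return {(run, suspect): {field: value}}, merging a suspect's .ini files."""
    objects, current = defaultdict(dict), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = objects[m.groups()]
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key in WANTED:  # 'Type' repeats within a section, so it is skipped
                current[key] = value.strip()
    return dict(objects)

def unique_files(objects):
    """One row per md5, with the runs (in string-sorted order) that quarantined it."""
    rows = {}
    for key in sorted(objects):
        fields = objects[key]
        row = rows.setdefault(fields.get("md5"), {**fields, "runs": []})
        row["runs"].append(key[0])
    return rows

if __name__ == "__main__":
    for md5, row in unique_files(parse_quarantine(SAMPLE)).items():
        print(md5, row["Verdict"], row["Name"], row["Src"], row["runs"])
```
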

#32 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 08:18 AM

Thanks for the log.

The prep for the fix will take a little while; please be patient with me, as it involves compiling several DOS-like commands.

I will be working on it without interruption until I post it.

Regards,

CompCav

#33 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 08:49 AM

Using your good laptop:
Please download the attached file (tdssunq.txt) to your USB flash drive.
Attached File: tdssunq.txt (959 bytes)
Remove the USB flash drive from the good laptop

Using your bad laptop:
Copy tdssunq.txt from the USB drive to your desktop
Run TDSSQ again.
Type B
Press Enter and a notepad window will open.
Click file open and open tdssunq.txt
Click file save and close the window.
Your files are now returned to their correct location.
Type Q
Press Enter
Remove the USB flash drive.
Reboot the bad laptop.

Let me know what issues remain with the bad laptop.


#34 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 09:42 AM

CompCav, when I ran the txt file in tdssqlook, I received a warning message after I saved the txt file and closed the window. The warning message said input.txt is too small, hit any key to continue. I hit any key, got to the prompt to enter a, b, q, etc. Hit Q and am posting now to you. The bad laptop is still bad. Google opens but I can't do anything on it and have to Ctrl+Alt+Del to close it.

#35 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 10:16 AM

Step 1.

Download the tdssmanual.txt file to your good laptop and place it on the USB drive.
Attached File: tdssmanual.txt (987 bytes)
Remove the drive from the good laptop.


Step 2.

Insert the USB drive in the bad laptop and copy the file tdssmanual.txt to the desktop.

Run an elevated command prompt
Go to Start, All programs, Accessories
Right click command prompt and select run as administrator

The black box will open

Open tdssmanual.txt with notepad.


Copy and paste each line in tdssmanual.txt one at a time into the black box and press enter.

If it says the file already exists, then do not copy it; just type N for no and go on to the next line.


Step 3.

On the good laptop download Farbar Services scanner from here.
Copy it to the USB drive.
Remove the drive and insert it in the bad laptop.
Copy FSS.exe to the desktop and run it.

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) on the desktop.
Copy it to the USB drive
Remove the drive from the bad laptop

Step 4.

Insert the USB drive in the good laptop and open the file FSS.txt with notepad.
Please copy and paste the log to your reply.

#36 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 10:32 AM

In Step 2, I'm copying the 2nd line into the administrator command prompt. When I hit Enter, I get a filename, directory name or volume label syntax is incorrect, 0. Do you want me to continue with this step?

#37 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 10:33 AM

I meant to add after the 0, 0 files copied.

#38 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 10:40 AM

Delete the old tdssmanual.txt off the good laptop, the bad laptop, and the USB drive.

Please download a corrected version of tdssmanual.txt to your good laptop.
Attached File: tdssmanual.txt (988 bytes)
Copy it to the USB drive.
Remove the drive from the good laptop.


Insert the USB drive in the bad laptop and copy the corrected tdssmanual.txt to the desktop.

Start with line 2 of the corrected file and continue step 2.

#39 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 11:00 AM

OK, I copied line 2 onto the command prompt. The error message is different. It only states now that the syntax of the command is incorrect. It does not say anything about the filename, directory or volume being incorrect, nor does it say anything about how many files were or were not copied. Do you want me to continue?

#40 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 11:02 AM

Skip it for now and do step 3 and post the log please.

#41 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 11:05 AM

After doing step 3 please try step 2 with this file:
Attached File: tdssmanualrev1.txt (982 bytes)

#42 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 11:14 AM

There is no link to download Farbar in step 3. Can you post it please?

#43 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 11:53 AM

Download Farbar Service Scanner to your desktop.

#44 helpme1962

  • Group: Member
  • Posts: 126
  • Joined: 02-April 07

Posted 28 April 2012 - 12:00 PM

Here is the FSS log. Please let me know, when I copy lines from the tss log into the administrator command prompt for step 2, which line do you want me to start with, 1st line or 2nd line?

Farbar Service Scanner Version: 24-04-2012
Ran by Chris' laptop (administrator) on 28-04-2012 at 13:56:43
Running from "C:\Users\Chris' laptop\Desktop"
Microsoft Windows 7 Professional (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 09:12] - [2011-09-29 11:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-15 08:23] - [2011-03-03 01:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 19:53] - [2009-07-13 21:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 19:54] - [2009-07-13 21:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 19:23] - [2009-07-13 21:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 19:24] - [2009-07-13 21:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2011-02-09 07:44] - [2010-12-21 01:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 20:15] - [2009-07-13 21:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 19:30] - [2009-07-13 21:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#45 CompCav

  • Group: GeekU Moderator
  • Posts: 6,477
  • Joined: 24-January 11

Posted 28 April 2012 - 12:03 PM

If the first line was run successfully earlier, start with the second.

If the first line had problems, start with it.
