Win32/Kryptik.BHG trojan in Windows 7 [Solved]



#16
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Hi, before you delete the second connection could you run this programme?

Please download SINO by Artellos.

  • Save SINO to a place you can remember and run SINO.exe. (If you downloaded the ZIP version you will need to extract it first)
  • Then please check the following checkboxes:
    System Info
    Services
    Boot Check
    Tasklist
    Startup Items
    Event Log
    Ipconfig
    Ping
    Netstat
    Hosts file
    Shares
    Routing Table
  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  • A notepad window will pop up. Please copy all of the content into your next reply.
Note: If you try to interact with the program once it’s started scanning it might appear to hang. The scan however will continue.

#17
pspuser007
    Member
  • Topic Starter
  • 48 posts
Today I've opened my PC and I was connected to the internet without doing anything else!
So it might be fixed?

I have downloaded this tool and when I click Scan, at the progress bar I see "<<<<System Information>>>>" and the application responds at the "About" menu.

I believe it is not scanning, as I waited 15 minutes and still nothing.
When I close it, it informs me of a log file created. This is it:
Exception in Tkinter callback
Traceback (most recent call last):
File "Tkinter.pyc", line 1403, in __call__
File "SINO.py", line 715, in runScan
File "SINO.py", line 438, in Scan
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd7 in position 38: ordinal not in range(128)

What is the problem?
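
The traceback above is a decoding bug in the tool rather than a sign of infection: the scan captured native Windows output containing byte 0xd7 (the Greek capital chi in the Windows-1253 code page, consistent with the Greek user name on this PC) and decoded it with the ASCII codec. The Python 3 snippet below is an added example, not SINO's own code; it reproduces the failing decode and shows the defensive version that tries the likely code pages and never aborts a scan on one odd byte. The sample bytes and the candidate code-page list are constructed assumptions.

```python
"""Added example: decoding native-tool output without the ASCII crash seen above."""
import locale
import subprocess

# Constructed sample, not real SINO output: a hostname line as a Greek-locale
# Windows tool would emit it in the ANSI code page cp1253 ("Χρήστος-PC").
SAMPLE_OUTPUT = b"Computer Name: \xd7\xf1\xde\xf3\xf4\xef\xf2-PC\r\n"

# Code pages to try strictly before giving up (assumed list). On a Greek Windows
# box the ANSI page is cp1253 and the console (OEM) page is cp737; extend this
# with the pages of the locales the tool is expected to run under.
CANDIDATE_ENCODINGS = ("utf-8", "cp1253", "cp737")


def ascii_decode_fails(raw: bytes) -> bool:
    """Reproduce the failure mode: a strict ASCII decode raises on any byte >= 0x80."""
    try:
        raw.decode("ascii")
    except UnicodeDecodeError:
        return True
    return False


def decode_tool_output(raw: bytes, candidates=CANDIDATE_ENCODINGS) -> str:
    """Decode bytes captured from a child process.

    Each candidate is tried strictly so a genuine match wins; if none fits, fall
    back to the system's preferred encoding with replacement characters rather
    than an exception, so one undecodable byte cannot abort a whole scan.
    """
    for enc in candidates:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode(locale.getpreferredencoding(False), errors="replace")


def run_and_decode(cmd: list) -> str:
    """Run a command, keep stdout as bytes and decode it ourselves.

    Relying on an implicit default codec (text=True here, or Python 2's implicit
    ASCII decode) is what produced the error quoted above.
    """
    completed = subprocess.run(cmd, capture_output=True, check=False)
    return decode_tool_output(completed.stdout)


if __name__ == "__main__":
    print("ascii fails:", ascii_decode_fails(SAMPLE_OUTPUT))
    print(decode_tool_output(SAMPLE_OUTPUT).strip())
    print(run_and_decode(["hostname"]).strip())
```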

#18
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
I will pass this to the author and see what he says - back soon

#19
pspuser007
    Member
  • Topic Starter
  • 48 posts
Ok then, I'll be waiting.

#20
pspuser007
    Member
  • Topic Starter
  • 48 posts
Updating that the problem with the connection is solved!

Now the only "problem" is that "The sound service is not running".

This is happening when the PC is starting up.
It starts running when I turn the volume up/down with the wheel on my keyboard!
Maybe the service is set to not load at startup for some reason?
Any way to re-activate it at startup?

#21
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
To confirm that the service is running at start go to

Control Panel > All Control Panel Items > Administrative Tools > Services

Then right-click Windows Audio > Properties and you will see this tab.
Ensure the startup type is set to Automatic

Still waiting for an answer from Artellos

#22
pspuser007
    Member
  • Topic Starter
  • 48 posts
It is set to Automatic.

All these problems with Windows 7!

Buddy look here please
http://www.sevenforu...unning-but.html
They are having the exact same problem.
It might be a bug. :-S
This is unbelievable... I believe that we will have to wait for a service pack to come out.

The Icon problem is fixed, the connection problem is fixed too.


But please look at the log of nod:
18/12/2009 6:08:27 μμ Startup scanner file C:\Windows\TEMP\b.exe a variant of Win32/Kryptik.BGX trojan cleaned by deleting - quarantined
18/12/2009 6:07:45 μμ Startup scanner file C:\Windows\TEMP\c.exe a variant of Win32/Kryptik.BGX trojan cleaned by deleting - quarantined
16/12/2009 7:33:47 μμ HTTP filter file http://dicrideeting....1.1.2.45042.exe Win32/KillAV.NHE trojan connection terminated - quarantined Χρήστος-PC\Χρήστος Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
10/12/2009 9:06:51 μμ Real-time file system protection file C:\$RECYCLE.BIN\S-1-5-21-554481470-3224669014-3345837826-1001\$R7RIEKP.tmp a variant of Win32/Kryptik.BJM trojan cleaned by deleting - quarantined Χρήστος-PC\Χρήστος Event occurred on a file modified by the application: C:\Windows\explorer.exe.
10/12/2009 9:04:09 μμ Startup scanner file C:\Windows\TEMP\pxno.tmp\svchost.exe a variant of Win32/Kryptik.BJM trojan cleaned by deleting - quarantined


I believe the problem is not fixed..
Do you think I should format my disk again?

But I am using 3 HDDs.
I have created 2 partitions on one of them, 100 GB for Windows and program files, and the other is for files.
So even after a format the virus might be in the other HDDs.
Can we clean them?

#23
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
OK, 3 drives. We will need to check them out.

I have two programmes for you to run

First :

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with Malware removal mode enabled" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post

Second :

To ensure that I get all the information this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post


#24
pspuser007
    Member
  • Topic Starter
  • 48 posts
I will do these now.

In the AVZ app, shouldn't I select the other HDDs?
I didn't do that, but I am asking if I should, so that I can stop the scanning procedure.

#25
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Sorry, yes please. I'm not used to working with multiple drives.

#26
pspuser007
    Member
  • Topic Starter
  • 48 posts
Ok I have completed the things you said and attached the logs.


Here is the link to the OTS log
http://www.mediafire...php?matymwzn2o0

Thank you.


#27
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Have you downloaded any torrents or cracks in the last day or so? You have a new infection, and some torrent files are infected.

This will be a three part fix - please run in the order stated

FIRST

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    SetAVZPMStatus(True);
    BC_DeleteFile('C:\Windows\TEMP\b.exe');
    DeleteFile('C:\Windows\TEMP\b.exe');
    DeleteFile('C:\Windows\TEMP\c.exe');
    BC_DeleteFile('C:\Windows\TEMP\c.exe');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

SECOND

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  sshnas.dll -> C:\Windows\System32\sshnas.dll
NY ->  21 C:\Windows\Temp\*.tmp files -> C:\Windows\Temp\*.tmp
NY ->  21 C:\Windows\Temp\*.tmp files -> C:\Windows\Temp\*.tmp
[File - Lop Check]
NY ->  {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job -> C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
NY ->  {66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job -> C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[Custom Scans]
NY ->  1 c:\$recycle.bin\S-1-5-21-554481470-3224669014-3345837826-1001\*.tmp files -> c:\$recycle.bin\S-1-5-21-554481470-3224669014-3345837826-1001\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

FINALLY

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

LOGS : OTS report, TDSSKiller log

#28
pspuser007
    Member
  • Topic Starter
  • 48 posts
The first time I added the fix in OTS and ran it I got "Range Check Error" after a while, so I restarted the PC and ran it again without problems.
This is the text from OTS:
All Processes Killed
[Files/Folders - Modified Within 30 Days]
File C:\Windows\System32\sshnas.dll not found!
C:\Windows\Temp\tktx.tmp folder deleted successfully.
C:\Windows\Temp\xoax.tmp folder deleted successfully.
[File - Lop Check]
File C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job not found!
File C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job not found!
[Custom Scans]
[Empty Temp Folders]


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Χρήστος
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 114822 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 5964954 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 140 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5,80 mb

< End of fix log >
OTS by OldTimer - Version 3.1.11.0 fix logfile created on 12192009_010809

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


I have attached the new log by OTS (I scanned again and followed the directions you told me earlier) and the TDSSKiller log.


£˜ ¡œ¤«¨ ¡¦ç ¬§¦¢¦š ©«ã: •ì‘’Žª-PC
£˜ Š‘: Microsoft Windows 7 Ultimate
ë¡›¦©ž OS: 6.1.7600 ƒ/“ ƒ¦£ã 7600
‰˜«˜©¡œ¬˜©«ãª Š‘: Microsoft Corporation
Ž¨ ©£æª §˜¨˜£â«¨à¤ «¦¬ DCOM: ‹œ£¦¤à£â¤¦ª ©«˜Ÿ£æª œ¨š˜©å˜ª
’秦ª ›¦£ãª ¢œ «¦¬¨š ¡¦ç ©¬©«ã£˜«¦ª: Multiprocessor Free
Œæ£ £¦ª ¡á«¦®¦ª §¨¦ä椫¦ª: •¨ã©«¦ª
„¥¦¬© ¦›¦«ž£â¤¦ª ¦¨š˜¤ ©£æª:
€¤˜š¤à¨ ©« ¡æ §¨¦ä椫¦ª: 69831-640-1780577-45389
†£œ¨¦£ž¤å˜ ˜¨® ¡ãª œš¡˜«á©«˜©žª: 7/5/2005, 6:24:05 ££
𨘠œ¡¡å¤ž©žª ©¬©«ã£˜«¦ª: 19/12/2009, 1:08:49 §£
‰˜«˜©¡œ¬˜©«ãª ©¬©«ã£˜«¦ª: System manufacturer
‹¦¤«â¢¦ ©¬©«ã£˜«¦ª: P5K
’秦ª ©¬©«ã£˜«¦ª: X86-based PC
„§œ¥œ¨š˜©«âª: „š¡˜«˜©«áŸž¡˜¤ 1 œ§œ¥œ¨š˜©«âª.
[01]: x64 Family 6 Model 23 Stepping 6 GenuineIntel ~3017 Mhz
ë¡›¦©ž BIOS: American Megatrends Inc. 1103 , 18/6/2008
‰˜«á¢¦š¦ª «à¤ Windows: C:\Windows
‰˜«á¢¦š¦ª ©¬©«ã£˜«¦ª: C:\Windows\system32
‘¬©¡œ¬ã œ§˜¤œ¡¡å¤ž©žª: \Device\HarddiskVolume2
’¦§ ¡âª ¨¬Ÿ£å©œ ª ©¬©«ã£˜«¦ª: el;„¢¢ž¤ ¡á
‚¢é©©˜ §¢ž¡«¨¦¢¦šå¦¬: en-us;€šš¢ ¡á (†¤à£â¤à¤ ¦¢ «œ é¤)
…餞 騘ª: (UTC+02:00) €Ÿã¤˜, ¦¬¡¦¬¨â©« , ‰à¤©«˜¤« ¤¦ç§¦¢ž
‘¬¤¦¢ ¡ã §¨˜š£˜« ¡ã £¤ã£ž: 3.071 MB
ƒ ˜Ÿâ© £ž §¨˜š£˜« ¡ã £¤ã£ž: 2.317 MB
„ ¡¦¤ ¡ã £¤ã£ž: ‹âš ©«¦ £âšœŸ¦ª: 6.141 MB
„ ¡¦¤ ¡ã £¤ã£ž: ƒ ˜Ÿâ© £ž: 5.296 MB
„ ¡¦¤ ¡ã £¤ã£ž: •¨ž© £¦§¦ œå«˜ : 845 MB
‡â©œ ª ˜¨®œå¦¬ ©œ¢ ›¦§¦åž©žª: C:\pagefile.sys
’¦£â˜ª: WORKGROUP
ƒ ˜¡¦£ ©«ãª ©ç¤›œ©žª: \\•ì‘’Žª-PC
꣜©œª œ§ › ¦¨Ÿé©œ ª: „š¡˜«˜©«áŸž¡˜¤ 10 ᣜ©œª œ§ › ¦¨Ÿé©œ ª.
[01]: KB973525
[02]: KB974332
[03]: KB974431
[04]: KB974455
[05]: KB974571
[06]: KB975364
[07]: KB975467
[08]: KB976098
[09]: KB976325
[10]: KB976749
‰á¨«œª › ¡«ç¦¬: „š¡˜«˜©«áŸž¡˜¤ 1 NIC(s).
[01]: Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller
£˜ ©ç¤›œ©žª: ’¦§ ¡ã ©ç¤›œ©ž
„¤œ¨š¦§¦ ž£â¤¦ DHCP: Œ˜ 
ƒ ˜¡¦£ ©«ãª DHCP: 192.168.254.254
ƒ œ¬Ÿç¤©œ ª IP
[01]: 192.168.254.1
[02]: fe80::8d8d:12aa:3c0d:f27
1:12:55:205 3120 ForceUnloadDriver: NtUnloadDriver error 2
1:12:55:205 3120 ForceUnloadDriver: NtUnloadDriver error 2
1:12:55:205 3120 ForceUnloadDriver: NtUnloadDriver error 2
1:12:55:236 3120 main: Driver KLMD successfully dropped
1:12:55:252 3120 main: Driver KLMD successfully loaded
1:12:55:252 3120
Scanning Registry ...
1:12:55:252 3120 ScanServices: Searching service UACd.sys
1:12:55:252 3120 ScanServices: Open/Create key error 2
1:12:55:252 3120 ScanServices: Searching service TDSSserv.sys
1:12:55:252 3120 ScanServices: Open/Create key error 2
1:12:55:252 3120 ScanServices: Searching service gaopdxserv.sys
1:12:55:252 3120 ScanServices: Open/Create key error 2
1:12:55:252 3120 ScanServices: Searching service gxvxcserv.sys
1:12:55:252 3120 ScanServices: Open/Create key error 2
1:12:55:252 3120 ScanServices: Searching service MSIVXserv.sys
1:12:55:252 3120 ScanServices: Open/Create key error 2
1:12:55:252 3120 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 82A3A000
1:12:55:267 3120 UnhookRegistry: Kernel local addr: 1580000
1:12:55:267 3120 UnhookRegistry: KeServiceDescriptorTable addr: 16E89C0
1:12:55:314 3120 UnhookRegistry: KiServiceTable addr: 15EF6F0
1:12:55:314 3120 UnhookRegistry: NtEnumerateKey service number (local): 74
1:12:55:314 3120 UnhookRegistry: NtEnumerateKey local addr: 17E5A2F
1:12:55:314 3120 KLMD_OpenDevice: Trying to open KLMD device
1:12:55:314 3120 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
1:12:55:314 3120 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x82A7B2A5[0x4]
1:12:55:314 3120 UnhookRegistry: NtEnumerateKey service number (kernel): 74
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x82AA98C0[0x4]
1:12:55:314 3120 UnhookRegistry: NtEnumerateKey real addr: 82C9FA2F
1:12:55:314 3120 UnhookRegistry: NtEnumerateKey calc addr: 82C9FA2F
1:12:55:314 3120 UnhookRegistry: No SDT hooks found on NtEnumerateKey
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x82C9FA2F[0xA]
1:12:55:314 3120 UnhookRegistry: No splicing found on NtEnumerateKey
1:12:55:314 3120
Scanning Kernel memory ...
1:12:55:314 3120 KLMD_OpenDevice: Trying to open KLMD device
1:12:55:314 3120 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
1:12:55:314 3120 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
1:12:55:314 3120 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 861F2348
1:12:55:314 3120 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
1:12:55:314 3120 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 861F5030
1:12:55:314 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 861F5030
1:12:55:314 3120 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86160918
1:12:55:314 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86160918
1:12:55:314 3120 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 86144318
1:12:55:314 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86144318
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x86144318[0x38]
1:12:55:314 3120 DetectCureTDL3: DRIVER_OBJECT addr: 86114DB8
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x86114DB8[0xA8]
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x861131E8[0x208]
1:12:55:314 3120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
1:12:55:314 3120 DetectCureTDL3: IrpHandler (0) addr: 8537E1F8
1:12:55:314 3120 DetectCureTDL3: IrpHandler (1) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (2) addr: 8537E1F8
1:12:55:314 3120 DetectCureTDL3: IrpHandler (3) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (4) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (5) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (6) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (7) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (8) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (9) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (10) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (11) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (12) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (13) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (14) addr: 8B2A547C
1:12:55:314 3120 DetectCureTDL3: IrpHandler (15) addr: 8537E1F8
1:12:55:314 3120 DetectCureTDL3: IrpHandler (16) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (17) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (18) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (19) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (20) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (21) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (22) addr: 8537E1F8
1:12:55:314 3120 DetectCureTDL3: IrpHandler (23) addr: 8537E1F8
1:12:55:314 3120 DetectCureTDL3: IrpHandler (24) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (25) addr: 82AEB437
1:12:55:314 3120 DetectCureTDL3: IrpHandler (26) addr: 82AEB437
1:12:55:314 3120 KLMD_ReadMem: Trying to ReadMemory 0x861184BF[0x400]
1:12:55:314 3120 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 1
1:12:55:314 3120 Driver "atapi" StartIo handler infected by TDSS rootkit ... 1:12:55:314 3120 TDL3_StartIoHookCure: Number of patches 1
1:12:55:314 3120 KLMD_WriteMem: Trying to WriteMemory 0x861185B6[0x6]
1:12:55:314 3120 cured
1:12:55:314 3120 TDL3_FileDetect: Processing driver: atapi
1:12:55:314 3120 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\atapi.sys, C:\Windows\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
1:12:55:314 3120 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
1:12:55:314 3120 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
1:12:55:330 3120 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 861F4AC8
1:12:55:330 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 861F4AC8
1:12:55:330 3120 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86084918
1:12:55:330 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86084918
1:12:55:330 3120 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 86089908
1:12:55:330 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86089908
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x86089908[0x38]
1:12:55:330 3120 DetectCureTDL3: DRIVER_OBJECT addr: 860ACB18
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x860ACB18[0xA8]
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x853B8908[0x38]
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x86114DB8[0xA8]
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x861131E8[0x208]
1:12:55:330 3120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
1:12:55:330 3120 DetectCureTDL3: IrpHandler (0) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (1) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (2) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (3) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (4) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (5) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (6) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (7) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (8) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (9) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (10) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (11) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (12) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (13) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (14) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (15) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (16) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (17) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (18) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (19) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (20) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (21) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (22) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (23) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (24) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (25) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: IrpHandler (26) addr: 86118618
1:12:55:330 3120 DetectCureTDL3: All IRP handlers pointed to one addr: 86118618
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x86118618[0x400]
1:12:55:330 3120 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
1:12:55:330 3120 Driver "atapi" Irp handler infected by TDSS rootkit ... 1:12:55:330 3120 KLMD_WriteMem: Trying to WriteMemory 0x8611867D[0xD]
1:12:55:330 3120 cured
1:12:55:330 3120 KLMD_ReadMem: Trying to ReadMemory 0x861184BF[0x400]
1:12:55:330 3120 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 0
1:12:55:330 3120 TDL3_FileDetect: Processing driver: atapi
1:12:55:330 3120 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\atapi.sys, C:\Windows\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
1:12:55:330 3120 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
1:12:55:330 3120 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
1:12:55:330 3120 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 1:12:55:330 3120 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
1:12:55:330 3120 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
1:12:55:330 3120 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\Drivers\tsk_atapi.sys
1:12:55:377 3120 TDL3_FileCure: Image path (system32\Drivers\tsk_atapi.sys) was set for service (SYSTEM\CurrentControlSet\Services\atapi)
1:12:55:377 3120 TDL3_FileCure: KLMD_PendCopyFileW (C:\Windows\system32\Drivers\tsk_atapi.sys, C:\Windows\system32\drivers\atapi.sys) success
1:12:55:377 3120 will be cured on next reboot
1:12:55:377 3120 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 861F3580
1:12:55:377 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 861F3580
1:12:55:377 3120 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86102918
1:12:55:377 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86102918
1:12:55:377 3120 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 86096908
1:12:55:377 3120 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86096908
1:12:55:377 3120 KLMD_ReadMem: Trying to ReadMemory 0x86096908[0x38]
1:12:55:377 3120 DetectCureTDL3: DRIVER_OBJECT addr: 86114DB8
1:12:55:377 3120 KLMD_ReadMem: Trying to ReadMemory 0x86114DB8[0xA8]
1:12:55:377 3120 KLMD_ReadMem: Trying to ReadMemory 0x861131E8[0x208]
1:12:55:377 3120 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
1:12:55:377 3120 DetectCureTDL3: IrpHandler (0) addr: 8537E1F8
1:12:55:377 3120 DetectCureTDL3: IrpHandler (1) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (2) addr: 8537E1F8
1:12:55:377 3120 DetectCureTDL3: IrpHandler (3) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (4) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (5) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (6) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (7) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (8) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (9) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (10) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (11) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (12) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (13) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (14) addr: 8B2A547C
1:12:55:377 3120 DetectCureTDL3: IrpHandler (15) addr: 8537E1F8
1:12:55:377 3120 DetectCureTDL3: IrpHandler (16) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (17) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (18) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (19) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (20) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (21) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (22) addr: 8537E1F8
1:12:55:377 3120 DetectCureTDL3: IrpHandler (23) addr: 8537E1F8
1:12:55:377 3120 DetectCureTDL3: IrpHandler (24) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (25) addr: 82AEB437
1:12:55:377 3120 DetectCureTDL3: IrpHandler (26) addr: 82AEB437
1:12:55:377 3120 KLMD_ReadMem: Trying to ReadMemory 0x861184BF[0x400]
1:12:55:377 3120 TDL3_StartIoHookDetect: CheckParameters: 7, FFDF0308, 334, 0
1:12:55:377 3120 TDL3_FileDetect: Processing driver: atapi
1:12:55:377 3120 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\tsk_atapi.sys, C:\Windows\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys
1:12:55:377 3120 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\tsk_atapi.sys
1:12:55:377 3120 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\tsk_atapi.sys
1:12:55:377 3120
Completed

Results:
1:12:55:377 3120 Infected objects in memory: 2
1:12:55:377 3120 Cured objects in memory: 2
1:12:55:377 3120 Infected objects on disk: 1
1:12:55:377 3120 Objects on disk cured on reboot: 1
1:12:55:377 3120 Objects on disk deleted on reboot: 0
1:12:55:377 3120 Registry nodes deleted on reboot: 0
1:12:55:377 3120

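As an added triage helper, not part of the original post or of TDSSKiller itself: the log above follows a fixed shape (timestamp, thread id, message), and the lines a reviewer needs are the three "infected by TDSS rootkit" findings, the outcome line that follows each ("cured" or "will be cured on next reboot") and the Results counters. The Python 3 parser below extracts exactly those and flags whether a reboot is still outstanding; the regular expressions assume the 2.x log format quoted above, and the sample log is constructed from lines of that shape.

```python
"""Added example: pull findings and result counters out of a TDSSKiller 2.x log."""
import re
from dataclasses import dataclass, field

# Constructed, abridged sample in the same shape as the log quoted above.
SAMPLE_LOG = r"""1:12:55:252 3120 ScanServices: Searching service TDSSserv.sys
1:12:55:252 3120 ScanServices: Open/Create key error 2
1:12:55:314 3120 Driver "atapi" StartIo handler infected by TDSS rootkit ... 1:12:55:314 3120 TDL3_StartIoHookCure: Number of patches 1
1:12:55:314 3120 KLMD_WriteMem: Trying to WriteMemory 0x861185B6[0x6]
1:12:55:314 3120 cured
1:12:55:330 3120 Driver "atapi" Irp handler infected by TDSS rootkit ... 1:12:55:330 3120 KLMD_WriteMem: Trying to WriteMemory 0x8611867D[0xD]
1:12:55:330 3120 cured
1:12:55:330 3120 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 1:12:55:330 3120 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
1:12:55:330 3120 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\Drivers\tsk_atapi.sys
1:12:55:377 3120 will be cured on next reboot
1:12:55:377 3120
Completed

Results:
1:12:55:377 3120 Infected objects in memory: 2
1:12:55:377 3120 Cured objects in memory: 2
1:12:55:377 3120 Infected objects on disk: 1
1:12:55:377 3120 Objects on disk cured on reboot: 1
1:12:55:377 3120 Objects on disk deleted on reboot: 0
1:12:55:377 3120 Registry nodes deleted on reboot: 0
"""

# Every real entry starts with "h:mm:ss:ms tid"; banner lines such as
# "Scanning Registry ..." or "Results:" carry no prefix and are skipped.
LINE_RE = re.compile(r"^(\d+:\d+:\d+:\d+)\s+(\d+)\s*(.*)$")
# 'Driver "atapi" StartIo handler infected by TDSS rootkit ...' or
# 'File C:\...\atapi.sys infected by TDSS rootkit ...'
INFECTED_RE = re.compile(
    r'^(?P<kind>Driver|File)\s+"?(?P<obj>[^"\s]+)"?\s+(?P<where>.*?)\s*infected by TDSS rootkit'
)
# Counters in the Results block, e.g. "Infected objects in memory: 2".
RESULT_RE = re.compile(
    r"^(?P<name>[A-Za-z ]*(?:objects|nodes)[A-Za-z ]*):\s+(?P<count>\d+)$", re.IGNORECASE
)
OUTCOMES = ("cured", "will be cured on next reboot")


@dataclass
class Finding:
    kind: str      # "Driver": a hooked in-memory handler; "File": the on-disk image
    obj: str       # driver name or file path
    where: str     # "StartIo handler", "Irp handler", or "" for a file
    outcome: str = "unresolved"   # filled from the next outcome line


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    results: dict = field(default_factory=dict)


def parse_tdsskiller_log(text: str) -> Triage:
    """Walk the log once; each finding takes the next outcome line as its verdict."""
    triage = Triage()
    pending = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3).strip()
        hit = INFECTED_RE.match(msg)
        if hit:
            pending = Finding(hit["kind"], hit["obj"], hit["where"])
            triage.findings.append(pending)
            continue
        if pending is not None and msg in OUTCOMES:
            pending.outcome = msg
            pending = None
            continue
        res = RESULT_RE.match(msg)
        if res:
            triage.results[res["name"]] = int(res["count"])
    return triage


def needs_reboot(triage: Triage) -> bool:
    """True when anything is only scheduled for cure at the next boot."""
    return any("reboot" in f.outcome for f in triage.findings) or any(
        count > 0 for name, count in triage.results.items() if "on reboot" in name
    )


def unresolved(triage: Triage) -> list:
    """Findings with no outcome line: investigate these before calling the box clean."""
    return [f for f in triage.findings if f.outcome == "unresolved"]


if __name__ == "__main__":
    t = parse_tdsskiller_log(SAMPLE_LOG)
    for f in t.findings:
        print(f"{f.kind:6} {f.obj} {f.where} -> {f.outcome}")
    print("reboot needed:", needs_reboot(t), "| unresolved:", len(unresolved(t)))
```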

#29
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
OTS and TDSSKiller worked just fine :) A few more bits to go. How is the computer running now?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LosAlamos" -> C:\Windows\System32\sshnas.DLL [rundll32.exe C:\Windows\system32\sshnas.dll,NvTaskbarInit]
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LosAlamos" -> C:\Windows\System32\sshnas.DLL [rundll32.exe C:\Windows\system32\sshnas.dll,NvTaskbarInit]
[Files - No Company Name]
NY ->  inst.exe -> C:\Users\Χρήστος\AppData\Roaming\inst.exe
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#30
pspuser007
    Member
  • Topic Starter
  • 48 posts
Again, while running the fix for the first time in OTS, I got a Range Check Error while "EmptyingRecycleBin".
After that, I ran the fix again and got this after the reboot:
All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LosAlamos deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LosAlamos not found.
[Files - No Company Name]
File C:\Users\Χρήστος\AppData\Roaming\inst.exe not found!
[Empty Temp Folders]


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Χρήστος
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 183834 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16387921 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 140 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 15,80 mb

< End of fix log >
OTS by OldTimer - Version 3.1.11.0 fix logfile created on 12192009_152543

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


This is the log from MBAM:
Malwarebytes' Anti-Malware 1.42
Database Version: 3392
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19/12/2009 3:38:18 PM
mbam-log-2009-12-19 (15-38-18).txt

Scan type: Quick Scan
Items scanned: 151032
Time spent: 2 minute (s), 44 second (s)

Infected processes in memory: 0
Contaminated items in memory: 0
Contaminated keys in the registry: 0
Contaminated values in the registry: 0
Contaminated data objects in the registry: 0
Infected files: 0
Infected files: 0

Infected processes in memory:
(No malicious items detected)

Contaminated items in memory:
(No malicious items detected)

Contaminated keys in the registry:
(No malicious items detected)

Contaminated values in the registry:
(No malicious items detected)

Contaminated data objects in the registry:
(No malicious items detected)

Infected files:
(No malicious items detected)

Infected files:
(No malicious items detected)


The problems I face are:
* Connection problem, as said in the previous post (but I believe it will be fixed when we "Clean Up" with OTS).
* Sound Service Icon at tray problem.

Edited by pspuser007, 19 December 2009 - 07:44 AM.
