TDSS/ Virus

January 24, 2009 at 10:22:30
Specs: Windows XP SP3, 960MB RAM
I'm currently trying to fix a computer that has received the "" virus. So far I have managed to disable the Google result redirection by disabling the TDSS component in hardware management. But this has left the problem of not being able to remove the TDSS registry entries or files. I've found a few and deleted them but the rest seem to be invisible. When I try to regedit I am denied access when I attempt to edit or delete some TDSS keys, and I have to rename nearly every single antivirus I run to get it to work. But although I've downloaded Malwarebytes, XoftSpy and AVG, all of them failed to remove the virus even after running them in safe mode.

Since it was a while before I was permitted to fix the virus, I figure that any longer could cause the virus to become less and less removable. I've searched the whole PC for TDSS but nothing turned up. Maybe these files are hidden? The virus doesn't let me do a lot of things and when I run Security Task Manager, it just doesn't appear without safe mode... So I'm unable to stop the processes that seem suspicious.

In terms of processes, there are no actual new processes running, but instead old ones have been infected. spoolsv.exe (Printer Spooler) has denied access. cmdagent.exe is denied too but maybe that's the comodo firewall process...

Help is truly appreciated because apart from downloading every single anti-virus and performing scans, I can't think of how else I can get rid of this nightmare!

January 24, 2009 at 11:07:41
Disabling the tdss.sys driver is not the reason you can't delete all the entries.

Please run the following scan and post its log.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename HJTInstall.exe to tools.exe > click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

January 24, 2009 at 11:17:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13:58, on 24/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Security Task Manager\ss46ergf.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\User\My Documents\Jack.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskManager] C:\Program Files\Security Task Manager\ss46ergf.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1644491937-413027322-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A62CE6FF-C8BC-4950-B1B1-D7E6ED35AF1E}: NameServer =
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,C:\WINDOWS\system32\cssdll32.dll,avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

End of file - 6060 bytes
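
Reading a HijackThis log like the one above by eye is what the helper does next; as an added example (not the thread's own tool and not part of HijackThis), here is a small Python triage script run over lines copied from that log. It pulls out what a reviewer checks first: O2/O3 entries whose DLL is "(no file)", the DLLs injected through the O20 AppInit_DLLs value, and processes or O4 autoruns started from outside the Windows and Program Files trees. That path heuristic is my assumption and gives leads, not verdicts: the renamed Security Task Manager binary passes because it lives under Program Files, while Jack.exe in My Documents is flagged only as something to look at.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, trimmed
# to the entries the checks below look at, so the script runs offline.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Security Task Manager\ss46ergf.exe
C:\Documents and Settings\User\My Documents\Jack.exe

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TaskManager] C:\Program Files\Security Task Manager\ss46ergf.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,C:\WINDOWS\system32\cssdll32.dll,avgrsstx.dll
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)  # bare path lines under "Running processes:"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
AUTORUN_RE = re.compile(r"\]\s*\"?([^\"]+?\.exe)", re.I)  # the executable after "[Name]"
# Assumed heuristic: where a stock XP install keeps its binaries. Anything started
# from elsewhere (a user profile, a temp folder) deserves a second look.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_entries(text):
    """Return (code, body) tuples for every R/F/N/O entry line in the log."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def running_processes(text):
    """Return the executable paths listed in the 'Running processes' block."""
    return [line.strip() for line in text.splitlines() if PROCESS_RE.match(line.strip())]


def orphaned_clsids(entries):
    """CLSIDs of O2 (BHO) / O3 (toolbar) entries whose DLL is gone: '(no file)'."""
    return [CLSID_RE.search(body).group(0) for code, body in entries
            if code in ("O2", "O3") and body.endswith("(no file)") and CLSID_RE.search(body)]


def appinit_dlls(entries):
    """DLLs that the O20 AppInit_DLLs value loads into every process that maps user32.dll."""
    dlls = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls += [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
    return dlls


def autorun_paths(entries):
    """Executables started by O4 Run entries, surrounding quotes stripped."""
    hits = [AUTORUN_RE.search(body) for code, body in entries if code == "O4"]
    return [m.group(1) for m in hits if m]


def outside_system_dirs(paths):
    """Paths not under the Windows or Program Files trees (case-insensitive)."""
    return [p for p in paths if not p.lower().startswith(SYSTEM_PREFIXES)]


def triage(text):
    """The points a helper reviews first: orphaned CLSIDs, injected DLLs, odd paths."""
    entries = parse_entries(text)
    return {
        "orphaned_clsids": orphaned_clsids(entries),
        "appinit_dlls": appinit_dlls(entries),
        "unusual_processes": outside_system_dirs(running_processes(text)),
        "unusual_autoruns": outside_system_dirs(autorun_paths(entries)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```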

January 24, 2009 at 12:26:17

I see you have two antivirus programs running, AVG and Avast. You need to decide which one you like most and uninstall the other, as they will conflict and cause you problems.

Please download ComboFix to the desktop from one of the following links:


Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to toolb.exe > click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG/Avast antivirus, Comodo and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

January 25, 2009 at 09:21:47
AVG couldn't be disabled since the virus blocked my ability to toggle the resident shield, and Comodo asked for a password which I did not know since it ain't my computer, so I decided to boot into safe mode which stopped them all, but even though no AVG processes were running, ComboFix said it was open...

I continued, and it did the rest well. In fact I started back up into normal mode and all the blocked programs are running again and I am able to open up avg.

So here's the log...

ComboFix 09-01-21.04 - Administrator 2009-01-25 16:53:46.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.801 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\toolb.exe
AV: avast! antivirus 4.8.1296 [VPS 090125-0] *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))

2009-01-24 18:43 . 2009-01-24 18:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-24 18:42 . 2009-01-24 18:42 <DIR> d-------- c:\program files\Java
2009-01-23 23:15 . 2009-01-24 02:35 <DIR> d-------- c:\program files\Exterminate It!
2009-01-23 02:12 . 2009-01-23 02:12 <DIR> d----c--- c:\documents and settings\User\Application Data\Malwarebytes
2009-01-21 15:05 . 2009-01-21 15:05 35,262 --a------ c:\windows\Administrator.acl
2009-01-20 21:32 . 2009-01-24 02:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 21:32 . 2009-01-20 21:32 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 21:32 . 2009-01-20 21:32 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-20 21:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 21:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 22:09 . 2009-01-24 12:15 <DIR> d--h-c--- C:\$AVG8.VAULT$
2009-01-19 21:20 . 2009-01-24 09:33 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-19 21:20 . 2009-01-19 21:20 <DIR> d-------- c:\program files\AVG
2009-01-19 21:20 . 2009-01-19 21:20 <DIR> d----c--- c:\documents and settings\All Users\Application Data\avg8
2009-01-19 21:20 . 2009-01-19 21:20 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-19 21:20 . 2009-01-19 21:20 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-19 19:30 . 2009-01-24 12:44 <DIR> d-------- c:\program files\Security Task Manager
2009-01-19 19:30 . 2009-01-25 16:15 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-01-19 11:09 . 2009-01-19 11:09 <DIR> d----c--- c:\documents and settings\Administrator
2009-01-18 22:03 . 2009-01-18 22:03 699 --a------ c:\windows\wininit.ini
2009-01-08 21:57 . 2009-01-08 21:57 0 --a------ c:\windows\nsreg.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-01-25 16:49 --------- dc----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-24 02:51 --------- d-----w c:\program files\XoftSpySE
2009-01-19 23:33 --------- dc----w c:\documents and settings\User\Application Data\LimeWire
2009-01-19 10:47 --------- d-----w c:\program files\Google
2009-01-18 22:05 --------- d-----w c:\program files\Yahoo!
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 09:07 101,776 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-11-28 17:00 --------- d-----w c:\program files\Innovative Solutions
2008-11-28 16:57 --------- dc----w c:\documents and settings\User\Application Data\Auslogics
2008-11-28 16:57 --------- d-----w c:\program files\Auslogics
2008-11-28 16:52 --------- d-----w c:\program files\CCleaner
2008-11-25 21:42 --------- dc----w c:\documents and settings\User\Application Data\Download Manager
2008-10-22 14:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102220081023\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-19 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-24 136600]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-11-26 17:18 81000 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
--a------ 2008-12-07 09:07 1797880 c:\program files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
--a------ 2008-12-07 09:07 1797880 c:\program files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO SafeSurf]
--a------ 2008-11-01 17:20 278264 c:\program files\COMODO\SafeSurf\cssurf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 01:10 409600 c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 08:50 204800 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-10 12:25 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-10-10 12:25 118784 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2008-04-14 00:12 169984 c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 11:45 75304 c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6600DMon]
--a------ 2005-05-25 08:35 69632 c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-07-15 00:07 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
--a------ 2002-07-12 17:15 106496 c:\windows\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 10:38 866816 c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 12:16 185896 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2004-06-03 08:51 172032 c:\program files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
--a------ 2006-09-20 07:35 20480 c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]


S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-05 111184]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-19 97928]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-01 101776]
S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-01 31504]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-08-16 20160]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-05 20560]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 231704]
S4 PctrlsInjectService;PctrlsInjectService; [x]
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 20:05]

2009-01-25 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe []

2009-01-24 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe []
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl

------- Supplementary Scan -------
uSearchMigratedDefaultURL = hxxp://{searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://
mStart Page = hxxp://
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ffn7pze6.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("", "moz3");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("", "moz3");


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-01-25 16:57:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2009-01-25 16:59:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 16:59:43

Pre-Run: 10,977,345,536 bytes free
Post-Run: 10,995,286,016 bytes free

172 --- E O F --- 2009-01-18 22:22:02

January 25, 2009 at 17:39:07
Whewww, could have crashed the computer running Combofix with those programs running, I can't tell what Combofix deleted but it deleted something.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link:
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

February 11, 2009 at 07:25:15
"Program is starting. Please wait...
Update source selected:
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected:
Downloading file: index/master.xml.klz

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Scan has failed to start. 0x80004005]]"

Blocked by the virus, maybe?

I've just also noticed that in the device manager the drivers for avast have something wrong with them. There are also other weird things showing up such as 'catchme' but I am not sure whether that is relevant...

February 11, 2009 at 09:58:02
Hold on! I think it's gone?

Either that or the computer is REALLY broken and the virus is hidden forever...

But all registry entries are gone, AVG is popping up finding tracking cookies as usual. AVG won't update but that's only because of some changes being made by the creators of AVG and it will scan and let me access properly!


When I download something and try to run it, it won't run. But it will save, then run... Good?

February 12, 2009 at 04:28:14
Ahh, it's the Comodo Firewall blocking AVG Updates and Scans. So I think the virus is completely gone...

It could've also been the firewall blocking the online scanner. And to think, the virus would've been gone a lot faster if it wasn't for the firewall :D


