Thread: Click.GiftLoad Removal Help!

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    7

    Click.GiftLoad Removal Help!

    Hello

    I know I'm new to the forum but please help! Recently I keep getting redirected when I search things on Google, get fake virus reports, and my sound suddenly stops working. In general my computer is a lot slower and I have to remove the Click.GiftLoad on Spybot every day to get my computer to run normally (but it won't stop appearing!). In my task manager there are also multiple svchost.exe processes running. I have run System Restore a couple of times but it hasn't done anything. Please help.

    Thanks,
    Alison

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Alison at 16:33:34.20 on Fri 03/18/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.92 [GMT -4:00]
    .
    FW: McAfee Personal Firewall Plus *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\stsystra.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Alison\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dell4me.com/mywaybiz
    uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\alison\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
    mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\qvtibfxe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - youtube.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010&query=
    FF - plugin: c:\documents and settings\alison\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-8-16 83325]
    R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-8-16 122880]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-13 1373480]
    R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-8-16 225375]
    R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-8-16 23296]
    S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-16 249856]
    .
    =============== Created Last 30 ================
    .
    2011-03-18 20:26:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-18 20:26:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-18 20:26:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-03-18 20:17:35 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-03-18 20:17:34 -------- d-----w- c:\program files\SpywareBlaster
    2011-03-18 20:00:10 -------- d-----w- c:\docume~1\alison\locals~1\applic~1\AIM Toolbar
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD80 rev.09.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81C45439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81c4b7d0]; MOV EAX, [0x81c4b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x82570AB8]
    3 CLASSPNP[0xF86A805B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x81BC2030]
    \Driver\iastor[0x81C623D0] -> IRP_MJ_CREATE -> 0x81C45439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 156249998 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 16:35:54.80 ===============
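
The rootkit section of the DDS log above ends with `user != kernel MBR !!!` and `sectors 156249998 (+255): user != kernel`. Those two lines are the whole detection: the MBR detector reads sector 0 once through the normal disk stack (the "user" read) and once by calling the lowest disk driver directly (the "kernel" read), and a bootkit that hooks the driver stack to hide its own boot code shows up as a mismatch, with a second mismatch in the last sectors of the drive where the hidden storage lives. The script below is an added example written for this page, not code from DDS, GMER, aswMBR or the poster; it builds two constructed 512-byte MBR images, parses their partition table, compares them the way the scanners do, and diffs a constructed slice of the disk tail into the same `sectors N (+M)` form. The only value borrowed from the thread is the C: start of LBA 112455, which is the 0x36e8e00-byte volume offset MBRCheck prints later in the thread; the sector count and both boot-code blobs are made up.

```python
"""Added example: how a 'user != kernel MBR' verdict is reached."""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"    # bytes 510..511 of every valid MBR
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sectors


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, first_lba, sector_count) tuples; CHS fields are zeroed."""
    if len(bootcode) > TABLE_OFFSET or len(partitions) > 4:
        raise ValueError("boot code or partition list too large")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\0" * 3, ptype, b"\0" * 3, lba, count)
        for status, ptype, lba, count in partitions
    )
    return bootcode.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + BOOT_SIG


def parse_partitions(mbr: bytes) -> list:
    """Return the populated partition-table entries of an MBR image."""
    if len(mbr) != SECTOR_SIZE or mbr[510:] != BOOT_SIG:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:                               # type 0 is an empty slot
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "first_lba": lba, "sectors": count})
    return entries


def compare_mbr(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare the two reads of sector 0 the way the rootkit scanners do.
    The 'user' view is sector 0 read through the normal disk stack, the
    'kernel' view is the same sector read below the hooked driver.  A
    bootkit swaps the boot code but keeps the partition table so Windows
    still boots, so its signature is: code differs, table does not."""
    code_differs = user_view[:TABLE_OFFSET] != kernel_view[:TABLE_OFFSET]
    table_differs = user_view[TABLE_OFFSET:510] != kernel_view[TABLE_OFFSET:510]
    return {
        "code_differs": code_differs,
        "table_differs": table_differs,
        "hidden_mbr": code_differs and not table_differs,
        # MBRCheck prints this hash so it can be compared against known-good MBRs
        "user_sha1": hashlib.sha1(user_view).hexdigest().upper(),
        "kernel_sha1": hashlib.sha1(kernel_view).hexdigest().upper(),
    }


def differing_runs(user_img: bytes, kernel_img: bytes, first_lba: int = 0) -> list:
    """Sector-by-sector diff of two same-sized images, reported as
    (start_lba, extra_sectors) runs, the 'sectors N (+M)' form DDS used.
    TDL4 keeps its hidden storage in the last sectors of the drive, which
    is why the run it reported sits near the end of the disk."""
    if len(user_img) != len(kernel_img) or len(user_img) % SECTOR_SIZE:
        raise ValueError("images must be the same whole number of sectors")
    runs = []
    for i in range(len(user_img) // SECTOR_SIZE):
        lo, hi = i * SECTOR_SIZE, (i + 1) * SECTOR_SIZE
        if user_img[lo:hi] != kernel_img[lo:hi]:
            lba = first_lba + i
            if runs and runs[-1][0] + runs[-1][1] + 1 == lba:
                runs[-1] = (runs[-1][0], runs[-1][1] + 1)   # extend current run
            else:
                runs.append((lba, 0))                        # start a new run
    return runs


# Constructed samples.  The one NTFS partition (type 0x07) starts at LBA
# 112455, which is the 0x36e8e00-byte offset MBRCheck reports for C: later
# in this thread; the sector count and both boot-code blobs are made up.
PARTITIONS = [(0x80, 0x07, 112455, 156_135_000)]
USER_VIEW = build_mbr(b"CONSTRUCTED: original Windows XP boot code", PARTITIONS)
KERNEL_VIEW = build_mbr(b"CONSTRUCTED: bootkit loader written to sector 0", PARTITIONS)

# A four-sector slice from the end of the disk, with two sectors that only
# the below-the-hook read sees (constructed, mirrors the DDS 'sectors' line).
TAIL_LBA = 156_249_997
USER_TAIL = b"\0" * (4 * SECTOR_SIZE)
KERNEL_TAIL = b"\0" * SECTOR_SIZE + b"\xff" * (2 * SECTOR_SIZE) + b"\0" * SECTOR_SIZE

if __name__ == "__main__":
    verdict = compare_mbr(USER_VIEW, KERNEL_VIEW)
    print("partitions:", parse_partitions(USER_VIEW))
    print("user != kernel MBR !!!" if verdict["hidden_mbr"] else "MBR consistent")
    for start, extra in differing_runs(USER_TAIL, KERNEL_TAIL, TAIL_LBA):
        print(f"sectors {start} (+{extra}): user != kernel")
```

The reason the partition table is compared separately from the boot code is practical: a scanner that only hashed the whole sector could not tell an infected MBR from a vendor's non-standard one, which is why MBRCheck reports "Unknown MBR code" plus a hash rather than a verdict, and why the helper's fix (aswMBR's Fix button, later in the thread) rewrites the code area while leaving the table alone.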

  2. #2
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi alison210,


    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    Please follow these steps in order:


    Step 1 | Please download aswMBR to your desktop.

    • Double click the aswMBR icon to run it.
      Vista and Windows 7 users right click the icon and choose "Run as administrator".
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


    Step 2 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 3 | Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    7


    Thank you for replying so quickly :D
    Here is what you requested:

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-18 20:38:49
    -----------------------------
    20:38:49.158 OS Version: Windows 5.1.2600 Service Pack 2
    20:38:49.158 Number of processors: 2 586 0x407
    20:38:49.174 ComputerName: D164L581 UserName: Alison
    20:38:52.815 Initialize success
    20:39:05.643 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
    20:39:05.643 Disk 0 Vendor: WDC_WD80 09.0 Size: 76293MB BusType: 3
    20:39:05.643 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    20:39:05.674 Disk 0 MBR read successfully
    20:39:05.674 Disk 0 MBR scan
    20:39:05.674 Disk 0 TDL4@MBR code has been found
    20:39:05.674 Disk 0 MBR hidden
    20:39:05.690 Disk 0 MBR [TDL4] **ROOTKIT**
    20:39:05.690 Disk 0 trace - called modules:
    20:39:05.705 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81c49439]<<
    20:39:05.705 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82587030]
    20:39:05.705 3 CLASSPNP.SYS[f86a805b] -> nt!IofCallDriver -> [0x81bc3030]
    20:39:05.721 \Driver\iastor[0x81c46f38] -> IRP_MJ_CREATE -> 0x81c49439
    20:39:05.721 Scan finished successfully


    GMER 1.0.15.15565 - http://www.gmer.net
    Rootkit scan 2011-03-18 21:11:53
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.09.0
    Running: zrh9kkod.exe; Driver: C:\DOCUME~1\Alison\LOCALS~1\Temp\pfdyapob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\Alison\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\stsystra.exe[140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00FF5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe[148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01775C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\program files\real\realplayer\update\realsched.exe[164] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\program files\real\realplayer\update\realsched.exe[164] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\Dell Support\DSAgnt.exe[240] ws2_32.dll!connect 71AB406A 5 Bytes JMP 011E5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[248] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\WINDOWS\system32\ctfmon.exe[304] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\America Online 9.0\aoltray.exe[408] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
    .text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BB000C
    .text C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe[1976] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01205C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\WINDOWS\system32\Rundll32.exe[1984] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2000] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2016] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text C:\PROGRA~1\mcafee.com\agent\mcagent.exe[2032] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01565C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
    .text ...
    .text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
    .text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
    .text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetForegroundWindow 77D4C4AE 5 Bytes JMP 015A000A
    .text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0158000A
    .text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!WindowFromPoint 77D4C57E 5 Bytes JMP 0159000A
    .text C:\WINDOWS\System32\svchost.exe[3624] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00C9000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3756] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4028] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs NaiFiltr.sys
    AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat NaiFiltr.sys

    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 113):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0x81C08000 \WINDOWS\system32\KDCOM.DLL
    0xF8A7B000 \WINDOWS\system32\BOOTVID.dll
    0xF8538000 ACPI.sys
    0xF8B67000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF8527000 pci.sys
    0xF8667000 isapnp.sys
    0xF8C2F000 pciide.sys
    0xF88E7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8677000 MountMgr.sys
    0xF8508000 ftdisk.sys
    0xF88EF000 PartMgr.sys
    0xF8687000 VolSnap.sys
    0xF84F0000 atapi.sys
    0xF841B000 iastor.sys
    0xF8697000 disk.sys
    0xF86A7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF83FC000 fltMgr.sys
    0xF83EA000 sr.sys
    0xF83D3000 KSecDD.sys
    0xF8346000 Ntfs.sys
    0xF8319000 NDIS.sys
    0xF82FE000 Mup.sys
    0xF8747000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF78F6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF78E2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF78BC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF8967000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7899000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF896F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7873000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF8757000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF8767000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7850000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF8977000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF8BA7000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
    0xF8777000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF897F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF8BA9000 \SystemRoot\system32\DRIVERS\WacomVKHid.sys
    0xF8CCA000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF8787000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7DF8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7839000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF8797000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF87A7000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF8987000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7828000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF87B7000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF898F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF8997000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF899F000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xF87C7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF89A7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF89AF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8BAB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF77F4000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7DEC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF89B7000 \SystemRoot\system32\DRIVERS\omci.sys
    0xF7DE8000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF89BF000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
    0xF7DE4000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF87D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xEF239000 \SystemRoot\system32\drivers\sthda.sys
    0xEF217000 \SystemRoot\system32\drivers\portcls.sys
    0xF7A4B000 \SystemRoot\system32\drivers\drmk.sys
    0xF7A3B000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8BB5000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8C0B000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF8C0D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xEC532000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8C0F000 \SystemRoot\System32\Drivers\Beep.SYS
    0xED120000 \SystemRoot\System32\drivers\vga.sys
    0xF8C11000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8C13000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xED118000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xED110000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xEEBF0000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xBA71D000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xBA6C5000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xBA6B1000 \SystemRoot\System32\Drivers\MpFirewall.sys
    0xBA690000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xECE38000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA668000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA646000 \SystemRoot\System32\drivers\afd.sys
    0xECE28000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA61B000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA5AC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xECA9F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF8B5F000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF88B7000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB889C000 \SystemRoot\System32\Drivers\dump_iastor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xEC928000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8A47000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8CDD000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF04E000 \SystemRoot\System32\ati2cqag.dll
    0xBF080000 \SystemRoot\System32\atikvmag.dll
    0xBF0B2000 \SystemRoot\System32\ati3duag.dll
    0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
    0xB777F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB4C05000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEBDFF000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB4A00000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB3C31000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB35D8000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB3709000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
    0xF891F000 \SystemRoot\system32\DRIVERS\NaiFiltr.sys
    0xB3480000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB3366000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 53):
    0 System Idle Process
    4 System
    572 C:\WINDOWS\system32\smss.exe
    620 csrss.exe
    644 C:\WINDOWS\system32\winlogon.exe
    692 C:\WINDOWS\system32\services.exe
    704 C:\WINDOWS\system32\lsass.exe
    868 C:\WINDOWS\system32\ati2evxx.exe
    908 C:\WINDOWS\system32\svchost.exe
    1000 svchost.exe
    1116 C:\WINDOWS\system32\svchost.exe
    1232 svchost.exe
    1388 svchost.exe
    1536 C:\WINDOWS\system32\spoolsv.exe
    1760 C:\WINDOWS\explorer.exe
    1868 svchost.exe
    1924 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1956 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    1972 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    1988 C:\WINDOWS\system32\rundll32.exe
    2004 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    2032 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    140 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    160 C:\WINDOWS\stsystra.exe
    176 C:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe
    196 C:\Program Files\real\realplayer\Update\realsched.exe
    248 C:\Program Files\iTunes\iTunesHelper.exe
    256 C:\Program Files\Dell Support\DSAgnt.exe
    264 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    276 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    372 C:\WINDOWS\system32\ctfmon.exe
    384 C:\Program Files\America Online 9.0\aoltray.exe
    496 C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
    1604 C:\Program Files\Bonjour\mDNSResponder.exe
    2000 C:\WINDOWS\system32\CTSVCCDA.EXE
    2076 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    2148 C:\Program Files\Java\jre6\bin\jqs.exe
    2264 C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
    2368 C:\WINDOWS\system32\HPZipm12.exe
    2408 C:\WINDOWS\system32\svchost.exe
    2524 C:\WINDOWS\system32\Pen_Tablet.exe
    2556 wdfmgr.exe
    2616 C:\WINDOWS\system32\MsPMSPSv.exe
    2676 C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    2708 C:\WINDOWS\system32\Pen_Tablet.exe
    2940 C:\WINDOWS\system32\wuauclt.exe
    3256 C:\Program Files\iPod\bin\iPodService.exe
    3496 C:\PROGRA~1\McAfee.com\VSO\McShield.exe
    3544 C:\WINDOWS\system32\wscntfy.exe
    3920 alg.exe
    1216 C:\Program Files\Mozilla Firefox\firefox.exe
    3756 C:\WINDOWS\system32\wuauclt.exe
    1088 C:\Documents and Settings\Alison\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-75LSA0, Rev: 09.01D09

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: E66C176942DF42CCFE7A0113EAFF39E82F8B0047


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
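The MBRCheck output above reduces to three facts: where the C: volume starts on the disk, whether the boot-code bytes match a known hash, and a verdict of "Unknown MBR code" when they do not. The following is an added example, not code from this thread or from MBRCheck/aswMBR, showing how that kind of check is done: it parses a 512-byte MBR, hashes the 446-byte bootstrap area, derives the byte offset of each partition from its starting LBA, and sanity-checks the partition table. The MBR image and the known-good hash set are constructed here (the sample's partition starts at the same byte offset MBRCheck printed for this machine, 0x036e8e00); a real baseline would come from a clean install of the same Windows version.

```python
"""Parse a 512-byte MBR, hash its boot code, and sanity-check the partition table.

Added example, not part of the thread. The sample MBR and the "known good"
hash set are constructed placeholders, not real Windows baselines.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code area precedes the partition table
PART_TABLE_OFF = 446           # four 16-byte partition entries follow it
MBR_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR

# Constructed sample: one NTFS (type 0x07) partition starting at LBA 112455,
# i.e. byte offset 0x036e8e00, the offset MBRCheck reported for C: above.
SAMPLE_LBA_START = 112455
SAMPLE_SECTORS = 155_000_000   # roughly a 74 GB volume (constructed value)


def build_sample_mbr(code_byte: int = 0x90) -> bytes:
    """Build a syntactically valid MBR whose boot code is a filler pattern."""
    code = b"\xeb\x3c" + bytes([code_byte]) * (BOOT_CODE_LEN - 2)
    entry = struct.pack("<B3sB3sII",
                        0x80,             # status byte: 0x80 = bootable
                        b"\x01\x01\x00",  # CHS start (ignored by modern loaders)
                        0x07,             # partition type: NTFS / exFAT
                        b"\xfe\xff\xff",  # CHS end
                        SAMPLE_LBA_START,
                        SAMPLE_SECTORS)
    empty = b"\x00" * 16
    return code + entry + empty * 3 + MBR_SIGNATURE


def parse_mbr(data: bytes) -> dict:
    """Return the boot-code SHA-1, signature check, and decoded partition entries."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = data[:BOOT_CODE_LEN]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", data[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "status_valid": status in (0x00, 0x80),
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR_SIZE,   # what MBRCheck prints as "at offset"
        })
    return {
        "signature_ok": data[510:512] == MBR_SIGNATURE,
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "partitions": parts,
    }


def partition_table_issues(parsed: dict) -> list:
    """List structural problems: bad signature, bad status bytes, zero or overlapping extents."""
    issues = []
    parts = parsed["partitions"]
    if not parsed["signature_ok"]:
        issues.append("missing 0x55AA signature")
    if sum(1 for p in parts if p["bootable"]) > 1:
        issues.append("more than one bootable partition")
    for p in parts:
        if not p["status_valid"]:
            issues.append(f"entry {p['index']}: invalid status byte")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            issues.append(f"entry {p['index']}: zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f"entries {i1} and {i2} overlap")
    return issues


def assess_mbr(data: bytes, known_good: set) -> str:
    """Same verdict shape as MBRCheck: the boot code either matches a baseline hash or it does not."""
    parsed = parse_mbr(data)
    if parsed["boot_code_sha1"] in known_good:
        return "Known MBR code"
    return "Unknown MBR code"


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = {parse_mbr(clean)["boot_code_sha1"]}   # constructed baseline, one hash
    tampered = build_sample_mbr(code_byte=0xcc)       # same table, different boot code
    for label, img in (("clean", clean), ("tampered", tampered)):
        info = parse_mbr(img)
        print(label, assess_mbr(img, baseline), "SHA1:", info["boot_code_sha1"])
        for p in info["partitions"]:
            print(f"  partition {p['index']} type 0x{p['type']:02x} at offset 0x{p['byte_offset']:08x}")
        print("  issues:", partition_table_issues(info) or "none")
```

The hash is taken over the 446 boot-code bytes only, so it stays stable when a partition is added or resized; a tool that hashed the whole sector would report "unknown" after any legitimate table change. A verdict of "Unknown MBR code" on its own is a prompt to compare against a trusted image of the same OS version, which is what the follow-up aswMBR scan in the next post does.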

  4. #4
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi Alison,


    Please follow these steps in order:


    Step 1 | Please double click the aswMBR icon to run it.
    Vista and Windows 7 users right-click the icon and choose "Run as administrator".

    • Click the Scan button to start scan.
    • When the scan finishes, press the Fix button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when it's done before you do anything else, then post the log that will be on your desktop.





    Step 2 | Please run DDS and post a new log.
    Last edited by Blottedisk; 2011-03-19 at 20:06.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    7

    Talking

    Hi blottedisk :D

    Thanks again for being so speedy. I don't know if you need the attachment so I didn't attach it. Anyhow, here are the logs:

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-19 19:56:00
    -----------------------------
    19:56:00.202 OS Version: Windows 5.1.2600 Service Pack 2
    19:56:00.202 Number of processors: 2 586 0x407
    19:56:00.202 ComputerName: D164L581 UserName: Alison
    19:56:03.015 Initialize success
    19:56:20.936 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
    19:56:20.952 Disk 0 Vendor: WDC_WD80 09.0 Size: 76293MB BusType: 3
    19:56:20.952 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    19:56:20.952 Disk 0 MBR read successfully
    19:56:20.952 Disk 0 MBR scan
    19:56:20.968 Disk 0 TDL4@MBR code has been found
    19:56:20.968 Disk 0 MBR hidden
    19:56:20.968 Disk 0 MBR [TDL4] **ROOTKIT**
    19:56:20.983 Disk 0 trace - called modules:
    19:56:20.983 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81c51439]<<
    19:56:20.999 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82575030]
    19:56:20.999 3 CLASSPNP.SYS[f86a805b] -> nt!IofCallDriver -> [0x825d91d8]
    19:56:20.999 \Driver\iastor[0x82574598] -> IRP_MJ_CREATE -> 0x81c51439
    19:56:21.015 Scan finished successfully
    19:56:31.858 Disk 0 fixing MBR
    19:56:41.890 Disk 0 MBR restored successfully
    19:56:41.890 Infection fixed successfully - please reboot ASAP

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Alison at 20:04:20.14 on Sat 03/19/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.118 [GMT -4:00]
    .
    FW: McAfee Personal Firewall Plus *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\stsystra.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\program files\real\realplayer\update\realsched.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
    C:\WINDOWS\system32\Pen_Tablet.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Documents and Settings\Alison\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dell4me.com/mywaybiz
    uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
    uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\alison\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
    mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
    mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\qvtibfxe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - youtube.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010&query=
    FF - component: c:\documents and settings\alison\application data\mozilla\firefox\profiles\qvtibfxe.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\alison\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-8-16 83325]
    R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-8-16 122880]
    R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-13 1373480]
    R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-8-16 225375]
    R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-8-16 23296]
    S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-16 249856]
    .
    =============== Created Last 30 ================
    .
    2011-03-18 20:26:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-18 20:26:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-18 20:26:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-03-18 20:17:35 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-03-18 20:17:34 -------- d-----w- c:\program files\SpywareBlaster
    2011-03-18 20:00:10 -------- d-----w- c:\docume~1\alison\locals~1\applic~1\AIM Toolbar
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 20:05:28.53 ===============

  6. #6
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi Alice


    Please visit the following and have a look at how you can disable your security software (Spybot's S&D TeaTimer and McAfee).

    How to disable your security programs

    After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    7

    Red face

    Hello Blottedisk

    I don't know if I did something wrong but ComboFix won't run properly for me. The first time I ran it:
    1. Security Warning popped up and I clicked "Run"
    2. The screen where it says "ComboFix is preparing to run" did not come up.
    3. Instead it went directly to the Disclaimer, where I clicked "Yes".
    4. Afterwards the blue screen comes up but there is just an "_" disappearing and reappearing.

    I have tried leaving the screen there for over 30 minutes but nothing happens and I can't close the screen either. I have also tried downloading from the other link and running it but I had the same results. I don't know what to do!

    Perplexed,
    Alison

  8. #8
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi Alison,


    Don't worry about Combofix for now. Before we continue with this, one word of caution. Unfortunately your computer appears to have been infected by a backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

    • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
    • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
    • Consider what other private information could possibly have been taken from your computer and take appropriate steps


    This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer. You should not be following fixes in other threads, as those fixes are specifically for those computers.

    Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


    When Should I Format, How Should I Reinstall?



    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Please download TDSSKiller from one of the following mirrors and save it to your desktop:

    This is THE Mirror

    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.




    • If a suspicious file is detected, the default action will be Skip, click on Continue.




    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.




    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "[TDSSKiller.Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
