
Thread: Another one with click.Giftload problems

  1. #1
    Junior Member (Join Date: Apr 2011, Posts: 16)

    Another one with click.Giftload problems

    Hi,

    Not unlike several other people who have found their way here over the last few days, click.Giftload is causing me problems.

    Yesterday I cleared out a raft of infections with Malwarebytes etc., but although Spybot constantly identifies it and appears to remove it, click.Giftload reappears on reboot and makes its presence known, killing pretty much everything.

    As per your instructions I've installed and run ERUNT and DDS; the details are below.

    I hope you can help.

    Thanks,

    TB.

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Thunderbroom at 17:49:24.81 on 28/04/2011
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.399 [GMT 1:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Silvercrest MTS2218 driver\StartAutorun.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Silvercrest MTS2218 driver\KMConfig.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Silvercrest MTS2218 driver\KMProcess.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
    C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
    C:\Documents and Settings\Thunderbroom\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://uk.yahoo.com
    uSearch Page = hxxp://www.google.com
    uWindow Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    mDefault_Page_URL = hxxp://uk.yahoo.com
    mStart Page = hxxp://uk.yahoo.com
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uURLSearchHooks: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\prxtbSof0.dll
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104235022.dll
    BHO: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\prxtbSof0.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\prxtbSof0.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
    mRun: [<NO NAME>]
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KMCONFIG] c:\program files\silvercrest mts2218 driver\StartAutorun.exe KMConfig.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    AppInit_DLLs: WIKI.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\thunde~1\applic~1\mozilla\firefox\profiles\rqk1jqn9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Zynga Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.xperteleven.com/
    FF - component: c:\documents and settings\thunderbroom\application data\mozilla\firefox\profiles\rqk1jqn9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - component: c:\documents and settings\thunderbroom\application data\mozilla\firefox\profiles\rqk1jqn9.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\thunderbroom\application data\mozilla\firefox\profiles\rqk1jqn9.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: NASA Night Launch: nasanightlaunch@example.com - %profile%\extensions\nasanightlaunch@example.com
    FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: PopupMaster: {35106bca-6c78-48c7-ac28-56df30b51d2d} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2d}
    FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
    FF - Ext: AmbientFox: {c8f71e5b-88f8-42a7-98bb-e4c506161de9} - %profile%\extensions\{c8f71e5b-88f8-42a7-98bb-e4c506161de9}
    FF - Ext: Chromifox Extreme Green: cfxegreen@Bocan - %profile%\extensions\cfxegreen@Bocan
    FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 386840]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-10 84072]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-4 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-10 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-10 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-10 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-10 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-10 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-10 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-10 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-10 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-10 88544]
    R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2008-11-8 19968]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-10 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-10 84264]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 40552]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    .
    =============== Created Last 30 ================
    .
    2011-04-27 20:06:49 -------- d-----w- c:\docume~1\thunde~1\applic~1\CAEEFCC2179CA786BEE36EF8CAEE9BE2
    2011-04-26 13:36:09 -------- d-----w- c:\program files\MakeMKV
    2011-04-26 11:50:51 -------- d-----w- c:\docume~1\thunde~1\applic~1\mkvtoolnix
    2011-04-26 11:41:05 -------- d-----w- c:\program files\MKVtoolnix
    .
    ==================== Find3M ====================
    .
    2011-04-27 20:22:57 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    .
    ============= FINISH: 17:53:50.17 ===============

  2. #2
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

    µTorrent

    I'd like you to read this thread.

    Uninstall the programs listed above (in red).
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member (Join Date: Apr 2011, Posts: 16)

    Hi, thanks in advance for that. uTorrent has been removed, and here is the new DDS file; attach.zip is attached.

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Peter Harte at 15:18:39.10 on 03/05/2011
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.610 [GMT 1:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Silvercrest MTS2218 driver\StartAutorun.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Silvercrest MTS2218 driver\KMConfig.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Silvercrest MTS2218 driver\KMProcess.exe
    C:\Documents and Settings\Peter Harte\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://uk.yahoo.com
    uSearch Page = hxxp://www.google.com
    uWindow Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
    uSearchMigratedDefaultURL =

    hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?

    }&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    mDefault_Page_URL = hxxp://uk.yahoo.com
    mStart Page = hxxp://uk.yahoo.com
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uURLSearchHooks: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} -

    c:\program files\softonic_english\prxtbSof0.dll
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} -

    c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program

    files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program

    files\conduitengine\prxConduitEngine.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} -

    c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} -

    c:\windows\system32\dla\tfswshx.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common

    files\mcafee\systemcore\ScriptSn.20101104235022.dll
    BHO: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program

    files\softonic_english\prxtbSof0.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} -

    c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program

    files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

    files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program

    files\canon\easy-webprint\Toolband.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} -

    c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program

    files\softonic_english\prxtbSof0.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program

    files\conduitengine\prxConduitEngine.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer

    922\dlbtbmgr.exe"
    mRun: [<NO NAME>]
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KMCONFIG] c:\program files\silvercrest mts2218 driver\StartAutorun.exe KMConfig.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe"

    -atboottime
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program

    files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program

    files\winzip\WZQKPICK.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} -

    c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -

    hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -

    file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} -

    hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} -

    hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

    hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} -

    hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

    hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} -

    hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/

    installer.exe
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} -

    file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

    hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -

    c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -

    c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    AppInit_DLLs: WIKI.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

    c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\peterh~1\applic~1\mozilla\firefox\profiles\rqk1jqn9.default\
    FF - prefs.js: browser.search.defaulturl -

    hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Zynga Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.xperteleven.com/
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla

    firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla

    firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla

    firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla

    firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla

    firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: NASA Night Launch: nasanightlaunch@example.com -

    %profile%\extensions\nasanightlaunch@example.com
    FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} -

    %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} -

    %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} -

    %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} -

    %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: PopupMaster: {35106bca-6c78-48c7-ac28-56df30b51d2d} -

    %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2d}
    FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} -

    %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} -

    %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
    FF - Ext: AmbientFox: {c8f71e5b-88f8-42a7-98bb-e4c506161de9} -

    %profile%\extensions\{c8f71e5b-88f8-42a7-98bb-e4c506161de9}
    FF - Ext: Chromifox Extreme Green: cfxegreen@Bocan - %profile%\extensions\cfxegreen@Bocan
    FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia -

    %profile%\extensions\noia2_option@kk.noia
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} -

    %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program

    files\mcafee\SiteAdvisor
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 386840]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-10 84072]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe

    [2008-5-12 611664]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program

    files\mcafee\siteadvisor\McSACore.exe [2008-10-4 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common

    files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-10 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common

    files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-10 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-10 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-10 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-10 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-10 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-10 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-10 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-10 88544]
    R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2008-11-8 19968]
    S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-10 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-10 84264]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 40552]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    .
    =============== Created Last 30 ================
    .
    2011-04-27 20:06:49 -------- d-----w- c:\docume~1\peterh~1\applic~1\CAEEFCC2179CA786BEE36EF8CAEE9BE2
    2011-04-26 13:36:09 -------- d-----w- c:\program files\MakeMKV
    2011-04-26 11:50:51 -------- d-----w- c:\docume~1\peterh~1\applic~1\mkvtoolnix
    2011-04-26 11:41:05 -------- d-----w- c:\program files\MKVtoolnix
    .
    ==================== Find3M ====================
    .
    2011-04-27 20:22:57 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    .
    ============= FINISH: 15:22:15.26 ===============

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    To make further logs appear in a more readable format, please disable word wrap in Notepad.

    Download aswMBR to your desktop. Double-click aswMBR.exe to run it.
    Click the Scan button to start the scan.

    On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  5. #5
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Default

    Sorry about that. Word wrap turned off and here are the scan results.

    aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-03 15:49:33
    -----------------------------
    15:49:33.156 OS Version: Windows 5.1.2600 Service Pack 3
    15:49:33.156 Number of processors: 2 586 0x304
    15:49:33.156 ComputerName: HARTEPC1 UserName:
    15:49:33.625 Initialize success
    16:00:26.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    16:00:26.078 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
    16:00:26.078 Disk 0 MBR read successfully
    16:00:26.078 Disk 0 MBR scan
    16:00:26.078 Disk 0 TDL4@MBR code has been found
    16:00:26.078 Disk 0 MBR hidden
    16:00:26.078 Disk 0 MBR [TDL4] **ROOTKIT**
    16:00:26.078 Disk 0 trace - called modules:
    16:00:26.078 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8741d730]<<
    16:00:26.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87769030]
    16:00:26.093 3 CLASSPNP.SYS[f7824fd7] -> nt!IofCallDriver -> [0x8776ad58]
    16:00:26.093 \Driver\iaStor[0x87460b18] -> IRP_MJ_CREATE -> 0x8741d730
    16:00:26.093 Scan finished successfully
    16:01:10.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Peter Harte\Desktop\MBR.dat"
    16:01:10.750 The log file has been saved successfully to "C:\Documents and Settings\Peter Harte\Desktop\aswMBR.txt"

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Re-run aswMBR. Click Scan. On completion of the scan, click the Fix for TDL4 button. Save the log as before (reboot the system if prompted to do so) and post the log in your next reply.

  7. #7
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Default

    Here you go.

    aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-03 16:27:09
    -----------------------------
    16:27:09.062 OS Version: Windows 5.1.2600 Service Pack 3
    16:27:09.062 Number of processors: 2 586 0x304
    16:27:09.062 ComputerName: HARTEPC1 UserName:
    16:27:09.453 Initialize success
    16:27:11.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    16:27:11.843 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
    16:27:11.843 Disk 0 MBR read successfully
    16:27:11.843 Disk 0 MBR scan
    16:27:11.843 Disk 0 TDL4@MBR code has been found
    16:27:11.843 Disk 0 MBR hidden
    16:27:11.843 Disk 0 MBR [TDL4] **ROOTKIT**
    16:27:11.843 Disk 0 trace - called modules:
    16:27:11.843 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8741d730]<<
    16:27:11.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87769030]
    16:27:11.843 3 CLASSPNP.SYS[f7824fd7] -> nt!IofCallDriver -> [0x8776ad58]
    16:27:11.859 \Driver\iaStor[0x87460b18] -> IRP_MJ_CREATE -> 0x8741d730
    16:27:11.859 Scan finished successfully
    16:27:16.359 Disk 0 fixing MBR
    16:27:26.359 Disk 0 MBR restored successfully
    16:27:26.359 Infection fixed successfully - please reboot ASAP
    16:27:46.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Peter Harte\Desktop\MBR.dat"
    16:27:46.781 The log file has been saved successfully to "C:\Documents and Settings\Peter Harte\Desktop\aswMBR.txt"

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Please post a fresh aswMBR log after the reboot.

  9. #9
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Default

    aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-03 18:58:49
    -----------------------------
    18:58:49.734 OS Version: Windows 5.1.2600 Service Pack 3
    18:58:49.734 Number of processors: 2 586 0x304
    18:58:49.734 ComputerName: HARTEPC1 UserName:
    18:58:50.671 Initialize success
    18:58:57.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    18:58:57.171 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
    18:58:57.171 Disk 0 MBR read successfully
    18:58:57.171 Disk 0 MBR scan
    18:58:57.171 Disk 0 TDL4@MBR code has been found
    18:58:57.171 Disk 0 MBR hidden
    18:58:57.171 Disk 0 MBR [TDL4] **ROOTKIT**
    18:58:57.171 Disk 0 trace - called modules:
    18:58:57.171 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8742c730]<<
    18:58:57.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87767030]
    18:58:57.171 3 CLASSPNP.SYS[f7864fd7] -> nt!IofCallDriver -> [0x8746faa0]
    18:58:57.171 \Driver\iaStor[0x87467aa0] -> IRP_MJ_CREATE -> 0x8742c730
    18:58:57.187 Scan finished successfully
    18:59:13.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Peter Harte\Desktop\MBR.dat"
    18:59:13.312 The log file has been saved successfully to "C:\Documents and Settings\Peter Harte\Desktop\aswMBR.txt"

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    It's important that the system is rebooted right after you see this line in the log: "Infection fixed successfully - please reboot ASAP"

    So, run the scan again, select Fix for TDL4 and then reboot when you see that line above, not sooner.
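As an added example, not code from the thread or from aswMBR, here is a small Python parser that splits an appended aswMBR.txt into sessions and classifies the latest one, flagging the situation in posts #7 to #10: a session reporting "Infection fixed successfully" followed by a post-reboot scan that still shows the TDL4 MBR rootkit. The sample log is constructed and condensed from the format of the logs above; the session and status names are my own.

```python
import re
from dataclasses import dataclass
# Constructed sample in the aswMBR.txt format seen in this thread: three sessions appended to one file (scan, fix, post-reboot scan).
SAMPLE_LOG = """\
Run date: 2011-05-03 15:49:33
16:00:26.078 Disk 0 MBR [TDL4] **ROOTKIT**
16:00:26.093 Scan finished successfully

Run date: 2011-05-03 16:27:09
16:27:11.843 Disk 0 MBR [TDL4] **ROOTKIT**
16:27:16.359 Disk 0 fixing MBR
16:27:26.359 Disk 0 MBR restored successfully
16:27:26.359 Infection fixed successfully - please reboot ASAP

Run date: 2011-05-03 18:58:49
18:58:57.171 Disk 0 MBR [TDL4] **ROOTKIT**
18:58:57.187 Scan finished successfully
"""

@dataclass
class Session:
    run_date: str
    rootkit: bool = False  # "**ROOTKIT**" verdict seen in this session
    fixed: bool = False    # "Infection fixed successfully" seen in this session

def parse_sessions(text):
    """Split an appended aswMBR.txt into sessions, one per 'Run date:' header."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"Run date: (.+)", line)
        if m:
            sessions.append(Session(m.group(1).strip()))
        elif sessions:
            if "**ROOTKIT**" in line:
                sessions[-1].rootkit = True
            elif "Infection fixed successfully" in line:
                sessions[-1].fixed = True
    return sessions

def assess(sessions):
    """Classify the most recent session of the appended log."""
    last = sessions[-1]
    if last.fixed:
        return "fixed_pending_reboot"  # reboot immediately, as post #10 stresses
    if not last.rootkit:
        return "clean"
    if any(s.fixed for s in sessions[:-1]):
        return "fix_did_not_persist"   # fixed earlier, rootkit back after reboot
    return "infected"
```

Run it against the constructed sample and assess() returns "fix_did_not_persist", which is exactly what the 18:58 scan in post #9 shows after the 16:27 fix.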
