Click.GiftLoad problem
Hi there.
I have been having issues with my PC recently. I have run Spybot Search and Destroy several times and each time I run it, it shows that the malware detected was Click.GiftLoad. I always click fix the selected problem and it says it has been removed, but every time I run Spybot S & D it appears detected again.
This malware has been affecting my computer by redirecting web searches to random websites and has also caused my PC to crash (show a blue screen and shut down).
I have also run Malwarebytes and Ad-Aware in conjunction with Spybot Search and Destroy in an attempt to rid myself of this malware, but neither of the other programs even detected it. I am very concerned about how this is affecting my PC. I really hope I can fix this malware problem with some guidance. Any help would be greatly appreciated!
Maria
I have already backed up my system using ERUNT.
Here are the results from running DDS:(I have also attached a zip version)
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Maria at 23:23:07.35 on 21/03/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2938.1313 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Sony\VAIO Care\collsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\VAIO Care\VCsystray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Maria\Downloads\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10m_Plugin.exe -update plugin
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [VAIOSurvey] "c:\program files\sony\vaio survey\VAIO Sat Survey.exe"
mRun: [VWLASU] "c:\program files\sony\vaio wireless wizard\AutoLaunchWLASU.exe"
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [Unattend0000000001{09E44ACC-0BA1-40AD-B317-633F3BA72823}] %PROGRAMFILES%\Sony\First Experience\VAIOWelcome.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\maria\appdata\roaming\mozilla\firefox\profiles\yq9jh8vz.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-13 64512]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-9 1405384]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2008-10-29 104992]
R2 SampleCollector;Intel(R) Sample Collector;c:\program files\sony\vaio care\collsvc.exe [2008-11-15 122880]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-1 1153368]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2008-11-15 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-10-29 415584]
R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2008-9-3 446464]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2008-11-15 17920]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-9 15232]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-29 3664384]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-10-29 9344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Partner Service;Partner Service;c:\programdata\partner\partner.exe [2008-11-15 110576]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\sony\vaio media plus\SOHCImp.exe [2008-11-15 103712]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\sony\vaio media plus\SOHDms.exe [2008-11-15 353568]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\sony\vaio media plus\SOHDs.exe [2008-11-15 62752]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-11-15 337184]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-11-15 83232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-20 18:50:01 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-03-20 18:50:01 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-03-20 18:48:56 -------- d-----w- c:\users\maria\appdata\roaming\Research In Motion
2011-03-20 18:48:56 -------- d-----w- c:\users\maria\appdata\local\Research In Motion
2011-03-20 18:48:26 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-03-20 18:47:52 -------- d-----w- c:\progra~2\Research In Motion
2011-03-20 18:47:41 -------- d-----w- c:\program files\Research In Motion
2011-03-20 18:47:41 -------- d-----w- c:\program files\common files\Research In Motion
2011-03-18 02:29:19 -------- d-----w- c:\users\maria\appdata\roaming\Malwarebytes
2011-03-18 02:29:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-18 02:29:09 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-18 02:29:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-18 02:29:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-14 00:14:31 -------- d-----w- c:\users\maria\appdata\local\Kobo
2011-03-14 00:13:38 -------- d-----w- c:\program files\Kobo
2011-03-13 21:57:04 -------- d-----w- c:\users\maria\appdata\roaming\Auslogics
2011-03-13 21:33:10 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-13 21:33:05 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-13 21:27:47 -------- dc-h--w- c:\progra~2\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}
2011-03-13 21:11:16 6260088 ----a-w- c:\program files\common files\windows live\.cache\2dcf0f401cbe1c307\Silverlight.4.0.exe
2011-03-13 21:07:18 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{0476e877-b84c-493e-9467-5cb7276f15f3}\mpengine.dll
2011-03-09 21:13:27 -------- d--h--w- C:\$AVG
2011-03-09 20:30:16 -------- d--h--w- c:\progra~2\Common Files
2011-03-09 20:28:48 -------- d-----w- c:\progra~2\AVG10
2011-03-09 20:08:18 -------- d-----w- c:\program files\AVG
2011-03-09 20:02:07 -------- d-----w- c:\progra~2\MFAData
2011-03-07 00:42:46 -------- d-----w- c:\users\maria\appdata\local\Windows Live
2011-03-07 00:39:24 -------- d-----w- c:\users\maria\appdata\local\Sunbelt Software
2011-03-07 00:38:47 -------- dc-h--w- c:\progra~2\{A5847AFF-A1FE-4929-A3C0-16C23AB1D29D}
2011-03-07 00:11:33 -------- d-----w- c:\program files\iPod(264)
2011-03-07 00:11:31 -------- d-----w- c:\program files\iTunes(265)
2011-03-07 00:08:44 -------- d-----w- c:\program files\Bonjour(40)
2011-03-07 00:05:03 -------- d-----w- c:\program files\QuickTime(308)
2011-02-23 04:24:45 -------- d-----w- c:\users\maria\appdata\roaming\FrostWire
.
==================== Find3M ====================
.
2011-03-09 07:47:47 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: FUJITSU_ rev.0041 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskFUJITSU_MHZ2250BH_G1____________________00410009#4&343231c1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
.
============= FINISH: 23:29:26.04 ===============
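The "ROOTKIT" section of the DDS log above reports "user != kernel MBR" and a sector range on which the two views disagree, and the aswMBR log later in the thread traces the disk I/O path into an address it cannot map to any module. As an added example (not from the thread or from any of the tools named in it), the Python below shows the comparison behind that verdict on two constructed 512-byte MBR images and runs a small indicator triage over log lines in the shape those tools print; the function names, sample images and sample log are assumptions.

```python
import re
import struct
from typing import Dict, List, Tuple

SECTOR = 512
TABLE_OFF = 446       # the partition table follows 446 bytes of boot code
SIG_OFF = 510         # the 0x55AA boot signature closes the sector
BOOT_SIG = b"\x55\xaa"


def part_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte partition-table entry; the CHS fields get the 'use LBA' filler."""
    chs = b"\xfe\xff\xff"
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, chs, ptype, chs,
                       lba_start, sectors)


def make_mbr(bootcode: bytes, entries: List[bytes]) -> bytes:
    """Assemble a 512-byte MBR image: boot code, four 16-byte entries, 0x55AA."""
    if len(bootcode) > TABLE_OFF or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(entries).ljust(SIG_OFF - TABLE_OFF, b"\x00")
    return bootcode.ljust(TABLE_OFF, b"\x00") + table + BOOT_SIG


def compare_mbr(user_view: bytes, kernel_view: bytes) -> Dict[str, object]:
    """Diff sector 0 as returned through the normal, hookable I/O path against the
    bytes read underneath that path: the comparison behind GMER's 'user != kernel
    MBR' verdict.  A bootkit that filters reads of its own loader shows up as a
    mismatch in the code area while the partition table still agrees."""
    if len(user_view) != SECTOR or len(kernel_view) != SECTOR:
        raise ValueError("MBR images must be exactly 512 bytes")
    diffs = [i for i in range(SECTOR) if user_view[i] != kernel_view[i]]
    return {
        "signature_ok": kernel_view[SIG_OFF:] == BOOT_SIG,
        "bootcode_differs": any(i < TABLE_OFF for i in diffs),
        "table_differs": any(TABLE_OFF <= i < SIG_OFF for i in diffs),
        "first_diff": diffs[0] if diffs else None,
        "diff_bytes": len(diffs),
    }


def demo_compare() -> Dict[str, object]:
    """Constructed views of one disk: identical partition table, different code
    area, so only 'bootcode_differs' should fire (assumed sample data)."""
    table = [part_entry(True, 0x07, 2048, 204800)]
    clean_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # xor ax,ax / mov ss,ax / mov sp,7c00h
    bogus_code = b"\xe9\x10\x00" + b"\x00" * 13 + b"CONSTRUCTED-LOADER"  # placeholder, not real malware
    return compare_mbr(make_mbr(clean_code, table), make_mbr(bogus_code, table))


# Log lines in the shape printed by GMER's MBR detector (the DDS "ROOTKIT"
# section) and by aswMBR; this sample is constructed from those formats.
SAMPLE_LOG = r"""
user: MBR read successfully
kernel: MBR read successfully
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
20:46:55.620 Disk 0 MBR [TDL4] **ROOTKIT**
20:46:55.635 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86ce4439]<<
20:46:55.651 \Driver\iaStor[0x86b56188] -> IRP_MJ_CREATE -> 0x86ce4439
"""

INDICATORS = [
    ("mbr_view_mismatch", re.compile(r"user != kernel MBR")),
    ("sector_range_mismatch", re.compile(r"sectors (\d+) \(\+(\d+)\): user != kernel")),
    ("rootkit_verdict", re.compile(r"\*\*ROOTKIT\*\*")),
    ("unknown_module", re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")),
    ("dispatch_hook", re.compile(
        r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")),
]


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each indicator name to the log lines that matched it."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.setdefault(name, []).append(line.strip())
    return hits


def hooked_into_unknown(hits: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Cross-check the call trace: a driver dispatch entry whose target equals an
    address the scanner could not map to any loaded module means the disk I/O
    path is redirected into code that no driver file on disk accounts for."""
    rx = dict(INDICATORS)
    unknown = {rx["unknown_module"].search(l).group(1).lower()
               for l in hits.get("unknown_module", [])}
    found = []
    for line in hits.get("dispatch_hook", []):
        drv, irp, target = rx["dispatch_hook"].search(line).groups()
        if target.lower() in unknown:
            found.append((drv, irp, target))
    return found
```

Running `triage_log(SAMPLE_LOG)` and then `hooked_into_unknown(...)` on the result ties the unmapped address in the trace to the `iaStor` `IRP_MJ_CREATE` entry, which is the correlation a helper reads off the aswMBR log by eye.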
Blottedisk
2011-03-22, 15:35
Hi mmunoz,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.
Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Step 2 | Please download Rootkit Unhooker (RKU) from one of the following mirrors and save it to your desktop:
Link #1 (.exe file - recommended) (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE )
Link #2 (.zipped file) (http://www.kernelmode.info/ARKs/RKUnhookerLE.zip )
--------------------------------------------------------------------
Right click on RKUnhookerLE and select "Run as administrator" to run it
Click the Report tab, then click Scan
Check Drivers, Stealth and uncheck the rest
Click OK
Wait until it's finished and then go to File > Save Report
Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.
Note - You may get this warning... just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"
Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe ) to your desktop.
Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.
Step 1:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-22 20:46:33
-----------------------------
20:46:33.764 OS Version: Windows 6.0.6002 Service Pack 2
20:46:33.764 Number of processors: 2 586 0x170A
20:46:33.764 ComputerName: MARIA-LAPTOP UserName: Maria
20:46:35.511 Initialize success
20:46:55.573 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
20:46:55.573 Disk 0 Vendor: FUJITSU_ 0041 Size: 238475MB BusType: 3
20:46:55.573 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000063
20:46:55.573 Disk 1 Vendor: RICOH 01 Size: 238475MB BusType: 0
20:46:55.589 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000064
20:46:55.589 Disk 2 Vendor: RICOH 02 Size: 238475MB BusType: 0
20:46:55.604 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskFUJITSU_MHZ2250BH_G1____________________00410009#4&343231c1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
20:46:55.620 Disk 0 MBR read successfully
20:46:55.620 Disk 0 MBR scan
20:46:55.620 Disk 0 TDL4@MBR code has been found
20:46:55.620 Disk 0 MBR hidden
20:46:55.620 Disk 0 MBR [TDL4] **ROOTKIT**
20:46:55.635 Disk 0 trace - called modules:
20:46:55.635 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86ce4439]<<
20:46:55.635 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8674aac8]
20:46:55.651 3 CLASSPNP.SYS[8a1ab8b3] -> nt!IofCallDriver -> [0x859ae288]
20:46:55.651 5 acpi.sys[806896bc] -> nt!IofCallDriver -> [0x859f3028]
20:46:55.651 \Driver\iaStor[0x86b56188] -> IRP_MJ_CREATE -> 0x86ce4439
20:46:55.667 Scan finished successfully
Step 2:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8DC0F000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7221248 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x81E1B000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x81E1B000 PnpManager 3907584 bytes
0x81E1B000 RAW 3907584 bytes
0x81E1B000 WMIxWDM 3907584 bytes
0x8E800000 C:\Windows\system32\DRIVERS\NETw5v32.sys 3702784 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x8F802000 C:\Windows\system32\drivers\RTKVHDA.sys 2146304 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x97E20000 Win32k 2109440 bytes
0x97E20000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8A00E000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x8260B000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8FA9D000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x89E02000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804D5000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xAF2CB000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x90C0C000 C:\Windows\System32\Drivers\dump_iaStor.sys 843776 bytes
0x8240C000 C:\Windows\system32\DRIVERS\iaStor.sys 843776 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x8FC0D000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x90D0E000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8E2F2000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8E605000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x82535000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80602000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8040B000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x89F52000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8E692000 C:\Windows\system32\DRIVERS\yk60x86.sys 323584 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0xAF24F000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x8072A000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8FD61000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80681000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80494000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8E76C000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8E3A9000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8FA60000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x8FBB3000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x82741000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x805B5000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8A11E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x825A6000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x821D5000 ACPI_HAL 208896 bytes
0x821D5000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x824DA000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8FDA9000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8E73D000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8FA0E000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x82716000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8E6E1000 C:\Windows\system32\DRIVERS\SynTP.sys 176128 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x827B5000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x90DCE000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0xAF227000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8A16E000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806D8000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8FA3B000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x89FD5000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8A1A6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x807BA000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x89F1E000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)
0x8FCE4000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x807DB000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x80784000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x89EEC000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x90CF3000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8EBB7000 C:\Windows\system32\DRIVERS\rimsptsk.sys 106496 bytes (REDC, RICOH MS Driver)
0x807A1000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8E70C000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xAF20F000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x825DB000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8E7CD000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x89F07000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xAF29D000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8FDDB000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8FD37000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x89FBF000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x82790000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0xAF3C1000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x8277C000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8FD4D000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8EBD1000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x89F3F000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8FBA0000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xAF2B5000 C:\Windows\system32\DRIVERS\ipfltdrv.sys 73728 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xAF3D6000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x8A195000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x827DF000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8047B000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8EBA6000 C:\Windows\system32\DRIVERS\risdptsk.sys 69632 bytes (REDC, RICOH SD/MMC Driver)
0x8250C000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x90DBE000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x80774000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8EB88000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x827A5000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8E72A000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x8251C000 C:\Windows\system32\DRIVERS\Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0x90CE4000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x8A15F000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x806FF000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8E7EF000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8E3E7000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8071B000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8EB98000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x98060000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8FDF1000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8FD20000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80673000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x8A000000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8E7C0000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8A1F1000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0xAF3B5000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8FCD8000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8E392000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8EBE4000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8EBF1000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8FD15000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8E7E4000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8E7AD000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8A1DD000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8E39E000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x80711000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x90CDA000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8DC00000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x90C00000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8FC00000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x8252B000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xAF3AB000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8FBEF000 C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys 36864 bytes (ArcSoft, Inc., -)
0xAF3F0000 C:\Users\Maria\AppData\Local\Temp\aswMBR.sys 36864 bytes
0x8A1C7000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8FCC1000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xAF200000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8FD2E000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x98040000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8A1E8000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x806C7000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8048C000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x806D0000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8FD05000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8FD0D000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8E7B8000 C:\Windows\System32\Drivers\RootMdm.sys 32768 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0x8A157000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0xAF3E8000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x8FCD1000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8FCCA000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8E3F6000 C:\Windows\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0x8E724000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8E739000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xAF2C7000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x8070E000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x87046000 C:\Windows\system32\kdcom.dll 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8EBFC000 C:\Windows\system32\DRIVERS\SFEP.sys 12288 bytes (Sony Corporation, Sony Firmware Extension Parser driver)
0xAF3A9000 C:\Windows\system32\drivers\regi.sys 8192 bytes (InterVideo, regi driver)
0x8E7FE000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8EBEF000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x8FC0A000 C:\Windows\system32\DRIVERS\DMICall.sys 4096 bytes (Sony Corporation, Windows 2000 DMI Call Kernel Driver)
==============================================
>Stealth
==============================================
0x00F10000 Hidden Image-->unknown_code_page [ EPROCESS 0x891D6D90 ] PID: 1192, 4096 bytes
0x06990000 Hidden Image-->ChilkatDotNet2.dll [ EPROCESS 0x897B2900 ] PID: 4940, 4415488 bytes
0x01850000 Hidden Image-->SPMDrv.dll [ EPROCESS 0x850094A0 ] PID: 5524, 45056 bytes
0x04900000 Hidden Image-->msvcm80.dll [ EPROCESS 0x897B2900 ] PID: 4940, 507904 bytes
0x00900000 Hidden Image-->SPMDam.dll [ EPROCESS 0x850A4D90 ] PID: 5048, 53248 bytes
0x01840000 Hidden Image-->SPMDam.dll [ EPROCESS 0x850094A0 ] PID: 5524, 53248 bytes
0x03F00000 Hidden Image-->analyzer.dll [ EPROCESS 0x897B2900 ] PID: 4940, 69632 bytes
0x00C20000 Hidden Image-->SPMCommon.dll [ EPROCESS 0x850A4D90 ] PID: 5048, 94208 bytes
0x00C00000 Hidden Image-->SPMCommon.dll [ EPROCESS 0x850094A0 ] PID: 5524, 94208 bytes
Step 3:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Sony Corporation
System Product Name: VGN-NS240D
Logical Drives Mask: 0x0000003c
Kernel Drivers (total 149):
0x81E1B000 \SystemRoot\system32\ntkrnlpa.exe
0x821D5000 \SystemRoot\system32\hal.dll
0x87046000 \SystemRoot\system32\kdcom.dll
0x8040B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047B000 \SystemRoot\system32\PSHED.dll
0x8048C000 \SystemRoot\system32\BOOTVID.dll
0x80494000 \SystemRoot\system32\CLFS.SYS
0x804D5000 \SystemRoot\system32\CI.dll
0x80602000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80673000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80681000 \SystemRoot\system32\drivers\acpi.sys
0x806C7000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806D0000 \SystemRoot\system32\drivers\msisadrv.sys
0x806D8000 \SystemRoot\system32\drivers\pci.sys
0x806FF000 \SystemRoot\System32\drivers\partmgr.sys
0x8070E000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80711000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8071B000 \SystemRoot\system32\drivers\volmgr.sys
0x8072A000 \SystemRoot\System32\drivers\volmgrx.sys
0x80774000 \SystemRoot\System32\drivers\mountmgr.sys
0x8240C000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x824DA000 \SystemRoot\system32\drivers\fltmgr.sys
0x8250C000 \SystemRoot\system32\drivers\fileinfo.sys
0x8251C000 \SystemRoot\system32\DRIVERS\Lbd.sys
0x8252B000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x82535000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8260B000 \SystemRoot\system32\drivers\ndis.sys
0x82716000 \SystemRoot\system32\drivers\msrpc.sys
0x82741000 \SystemRoot\system32\drivers\NETIO.SYS
0x89E02000 \SystemRoot\System32\drivers\tcpip.sys
0x89EEC000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A00E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A11E000 \SystemRoot\system32\drivers\volsnap.sys
0x8A157000 \SystemRoot\System32\Drivers\spldr.sys
0x8A15F000 \SystemRoot\System32\Drivers\mup.sys
0x8A16E000 \SystemRoot\System32\drivers\ecache.sys
0x8A195000 \SystemRoot\system32\drivers\disk.sys
0x8A1A6000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A1C7000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A1DD000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A1E8000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8DC0F000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8E2F2000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E392000 \SystemRoot\System32\drivers\watchdog.sys
0x8E39E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8E3A9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8E3E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8E605000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8E692000 \SystemRoot\system32\DRIVERS\yk60x86.sys
0x8E800000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8EB88000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8EB98000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8EBA6000 \SystemRoot\system32\DRIVERS\risdptsk.sys
0x8EBB7000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8EBD1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8EBE4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8E6E1000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8EBEF000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8EBF1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8EBFC000 \SystemRoot\system32\DRIVERS\SFEP.sys
0x8E70C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8E724000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8E72A000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8E739000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8E73D000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8E76C000 \SystemRoot\system32\DRIVERS\storport.sys
0x8E7AD000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8E7B8000 \SystemRoot\System32\Drivers\RootMdm.sys
0x8E7C0000 \SystemRoot\system32\drivers\modem.sys
0x8E7CD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8E7E4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x89FD5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8E7EF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8277C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x82790000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8E3F6000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0x827A5000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E7FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x827B5000 \SystemRoot\system32\DRIVERS\ks.sys
0x8DC00000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8A1F1000 \SystemRoot\system32\DRIVERS\umbus.sys
0x825A6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x827DF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8F802000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8FA0E000 \SystemRoot\system32\drivers\portcls.sys
0x8FA3B000 \SystemRoot\system32\drivers\drmk.sys
0x8FA60000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x8FA9D000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x8FC0D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8FCC1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8FCCA000 \SystemRoot\System32\Drivers\Null.SYS
0x8FCD1000 \SystemRoot\System32\Drivers\Beep.SYS
0x8FCD8000 \SystemRoot\System32\drivers\vga.sys
0x8FCE4000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8FD05000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8FD0D000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8FD15000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8FD20000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8FD2E000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8FD37000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8FD4D000 \SystemRoot\system32\DRIVERS\smb.sys
0x8FD61000 \SystemRoot\system32\drivers\afd.sys
0x8FDA9000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8FDDB000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8FDF1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8FBA0000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8FBB3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FC00000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8FC0A000 \SystemRoot\system32\DRIVERS\DMICall.sys
0x825DB000 \SystemRoot\System32\Drivers\dfsc.sys
0x89F07000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x89F1E000 \SystemRoot\System32\Drivers\usbvideo.sys
0x8FBEF000 \SystemRoot\system32\DRIVERS\ArcSoftKsUFilter.sys
0x8A000000 \SystemRoot\System32\Drivers\crashdmp.sys
0x90C0C000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x97E20000 \SystemRoot\System32\win32k.sys
0x90CDA000 \SystemRoot\System32\drivers\Dxapi.sys
0x90CE4000 \SystemRoot\system32\DRIVERS\monitor.sys
0x98040000 \SystemRoot\System32\TSDDD.dll
0x98060000 \SystemRoot\System32\cdd.dll
0x90CF3000 \SystemRoot\system32\drivers\luafv.sys
0x90D0E000 \SystemRoot\system32\drivers\spsys.sys
0x90DBE000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x90DCE000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x90C00000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x89F3F000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x89F52000 \SystemRoot\system32\drivers\HTTP.sys
0x80784000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x807A1000 \SystemRoot\system32\DRIVERS\bowser.sys
0x89FBF000 \SystemRoot\System32\drivers\mpsdrv.sys
0x807BA000 \SystemRoot\system32\drivers\mrxdav.sys
0x807DB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x805B5000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAF20F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAF227000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAF24F000 \SystemRoot\System32\DRIVERS\srv.sys
0xAF2B5000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xAF2C7000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAF2CB000 \SystemRoot\system32\drivers\peauth.sys
0xAF3A9000 \SystemRoot\system32\drivers\regi.sys
0xAF3AB000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAF3B5000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAF3C1000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xAF3D6000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xAF3E8000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xAF29D000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xAF3F0000 \??\C:\Users\Maria\AppData\Local\Temp\aswMBR.sys
0xAF200000 \SystemRoot\System32\Drivers\Normandy.SYS
0x776A0000 \Windows\System32\ntdll.dll
Processes (total 90):
0 System Idle Process
4 System
548 C:\Windows\System32\smss.exe
628 csrss.exe
672 C:\Windows\System32\wininit.exe
680 csrss.exe
716 C:\Windows\System32\services.exe
728 C:\Windows\System32\lsass.exe
736 C:\Windows\System32\lsm.exe
764 C:\Windows\System32\winlogon.exe
924 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
1108 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1300 C:\Windows\System32\audiodg.exe
1372 C:\Windows\System32\svchost.exe
1400 C:\Windows\System32\SLsvc.exe
1452 C:\Windows\System32\svchost.exe
1552 C:\Windows\RTKAUDIOSERVICE.EXE
1608 C:\Windows\System32\svchost.exe
1716 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1724 C:\Windows\System32\wlanext.exe
1920 C:\Windows\System32\spoolsv.exe
1976 C:\Windows\System32\svchost.exe
584 C:\Windows\System32\taskeng.exe
1068 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1512 C:\Program Files\Bonjour\mDNSResponder.exe
1416 C:\Windows\System32\dwm.exe
1468 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
2056 C:\Windows\explorer.exe
2100 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
2316 C:\Windows\System32\svchost.exe
2408 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
2440 C:\Program Files\Sony\VAIO Care\collsvc.exe
2472 C:\Windows\System32\svchost.exe
2576 C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
2600 C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
2616 C:\Program Files\Windows Defender\MSASCui.exe
2636 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2656 C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
2672 C:\Program Files\Java\jre1.6.0\bin\jusched.exe
2696 C:\Windows\System32\hkcmd.exe
2704 C:\Windows\System32\igfxpers.exe
2724 C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
2740 C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
2756 C:\Program Files\Sony\ISB Utility\ISBMgr.exe
2796 C:\Program Files\iTunes\iTunesHelper.exe
2804 C:\Program Files\Windows Sidebar\sidebar.exe
2824 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2840 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2880 C:\Windows\System32\svchost.exe
2960 dllhost.exe
2976 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2992 C:\Program Files\Sony\VAIO Care\listener.exe
3048 C:\Windows\System32\SearchIndexer.exe
3056 C:\Windows\System32\taskeng.exe
3128 C:\Windows\System32\mobsync.exe
3144 C:\Windows\System32\drivers\XAudio.exe
3176 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
3188 WUDFHost.exe
3276 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3452 C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
3576 C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
3688 unsecapp.exe
3740 WmiPrvSE.exe
3932 C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
2468 dllhost.exe
2732 C:\Windows\System32\igfxsrvc.exe
3516 igfxext.exe
4352 igfxsrvc.exe
4564 C:\Program Files\iPod\bin\iPodService.exe
4940 C:\Program Files\Sony\VAIO Care\VCsystray.exe
5920 C:\Program Files\Windows Media Player\wmpnscfg.exe
5992 C:\Program Files\Windows Media Player\wmpnetwk.exe
4972 C:\Windows\System32\taskeng.exe
2372 C:\Program Files\Mozilla Firefox\firefox.exe
4932 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
5212 C:\Windows\System32\svchost.exe
5048 C:\Program Files\Sony\VAIO Power Management\SPMService.exe
5524 C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
5600 C:\Users\Maria\Downloads\aswMBR.exe
5236 RKUnhookerLE.EXE
2492 C:\Windows\System32\SearchProtocolHost.exe
4044 C:\Windows\System32\SearchFilterHost.exe
332 dllhost.exe
4164 dllhost.exe
5896 C:\Users\Maria\Downloads\MBRCheck.exe
5848 C:\Windows\System32\conime.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`21e00000 (NTFS)
PhysicalDrive0 Model Number: FUJITSUMHZ2250BHG1, Rev: 00410009
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
Done!
Blottedisk
2011-03-23, 14:59
Hi,
Thanks for the logs. Unfortunately your computer appears to have been infected by a backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer. You should not be following fixes in other threads as those fixes are specifically for those computers.
Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )
When Should I Format, How Should I Reinstall? (http://www.dslreports.com/faq/10063 )
Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:
Please follow these steps in order:
Step 1 | Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When the scan finishes, press the Fix button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when it's done before you do anything else, then post the log that will be on your desktop.
http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix.png)
Click the image to enlarge it
Step 2 | This next program is needed to remove the remaining malware entries I see. However...AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the remaining infection.
After uninstalling AVG from the Control Panel, also run the AVG remover from their site.
http://www.avg.com/us-en/download-tools
direct link to the AVG Remover:
http://download.avg.com/filedir/util..._2011_1149.exe
You may also use this tool to uninstall AVG:
http://www.appremover.com/appremover/avg/AppRemover.exe
Instructions:
http://www.appremover.com/about/using-appremover.html
Please download Combofix from either of the links below but rename it to rain.exe before saving it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html )
--------------------------------------------------------------------
Right-click and choose "Run as administrator" on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I would like to try and clean up my pc. Thanks for your help so far.
Step 1: After completing step 1 and rebooting my computer, every time my pc tried to turn on it would crash. In order to post my results on this webpage I have been running my pc using safe mode with networking. I would like to know if this is common when cleaning up a pc? I will finish all of the steps in safe mode with networking; please let me know if using safe mode with networking will not be accurate enough.
Results from step 1:
version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-23 19:20:26
-----------------------------
19:20:26.973 OS Version: Windows 6.0.6002 Service Pack 2
19:20:26.973 Number of processors: 2 586 0x170A
19:20:26.975 ComputerName: MARIA-LAPTOP UserName: Maria
19:20:28.990 Initialize success
19:20:31.706 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
19:20:31.709 Disk 0 Vendor: FUJITSU_ 0041 Size: 238475MB BusType: 3
19:20:31.712 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000063
19:20:31.715 Disk 1 Vendor: RICOH 01 Size: 238475MB BusType: 0
19:20:31.720 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000064
19:20:31.724 Disk 2 Vendor: RICOH 02 Size: 238475MB BusType: 0
19:20:31.728 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskFUJITSU_MHZ2250BH_G1____________________00410009#4&343231c1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
19:20:31.757 Disk 0 MBR read successfully
19:20:31.762 Disk 0 MBR scan
19:20:31.767 Disk 0 TDL4@MBR code has been found
19:20:31.773 Disk 0 MBR hidden
19:20:31.778 Disk 0 MBR [TDL4] **ROOTKIT**
19:20:31.785 Disk 0 trace - called modules:
19:20:31.792 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86cdb439]<<
19:20:31.801 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8663e550]
19:20:31.809 3 CLASSPNP.SYS[8a1a98b3] -> nt!IofCallDriver -> [0x85431208]
19:20:31.816 5 acpi.sys[806906bc] -> nt!IofCallDriver -> [0x85491028]
19:20:31.825 \Driver\iaStor[0x86844870] -> IRP_MJ_CREATE -> 0x86cdb439
19:20:31.832 Scan finished successfully
19:20:52.954 Disk 0 fixing MBR
19:21:02.962 Disk 0 MBR restored successfully
19:21:02.970 Infection fixed successfully - please reboot ASAP
Step 2: This process was not easy. Removing AVG went fine, but when trying to open rain.exe it kept telling me my Lavasoft Ad-Aware programs were not disabled even though I disabled them prior to running the program. It also never prompted me to install Windows Recovery; however, that could be due to already having it installed on my pc, but I'm not sure.
Step 2 results:
ComboFix 11-03-23.03 - Maria 23/03/2011 20:02:02.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2938.2108 [GMT -5:00]
Running from: c:\users\Maria\Downloads\rain.exe.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
C:\rain.exe
c:\rain.exe\023.dat
c:\rain.exe\023v.dat
c:\rain.exe\023w7.dat
c:\rain.exe\AppDataFile.cfx
c:\rain.exe\AppDataFolder.cfx
c:\rain.exe\appinit.bad
c:\rain.exe\asp.str
c:\rain.exe\Assoc.cmd
c:\rain.exe\ATTRIB.cfxxe
c:\rain.exe\Auto-RC.cmd
c:\rain.exe\av.cmd
c:\rain.exe\av.vbs
c:\rain.exe\AWF.cmd
c:\rain.exe\badclsid.c
c:\rain.exe\Boot-Rk.cmd
c:\rain.exe\Boot.bat
c:\rain.exe\BootDrv.vbs
c:\rain.exe\c.bat
c:\rain.exe\c.mrk
c:\rain.exe\Catch-sub.cmd
c:\rain.exe\catchme.cfxxe
c:\rain.exe\CCS.bat
c:\rain.exe\CF-Script.cmd
c:\rain.exe\CF11923.cfxxe
c:\rain.exe\CFVersionOld
c:\rain.exe\CHCP.bat
c:\rain.exe\clsid.c
c:\rain.exe\cmd.cfxxe
c:\rain.exe\Combobatch.bat
c:\rain.exe\ComboFix-Download.cfxxe
c:\rain.exe\Create.cmd
c:\rain.exe\Creg.dat
c:\rain.exe\CregC.cmd
c:\rain.exe\CregC.dat
c:\rain.exe\CSCRIPT.cfxxe
c:\rain.exe\CSet.cmd
c:\rain.exe\dd.cfxxe
c:\rain.exe\ddsDo.sed
c:\rain.exe\DelClsid.bat
c:\rain.exe\DelClsid64.bat
c:\rain.exe\desktop.ini
c:\rain.exe\DesktopFile.cfx
c:\rain.exe\DisclaimED.dat
c:\rain.exe\DPF.str
c:\rain.exe\DrvRun.vbs
c:\rain.exe\dumphive.cfxxe
c:\rain.exe\embedded.sed
c:\rain.exe\en-CA\ATTRIB.cfxxe.mui
c:\rain.exe\en-CA\CF11923.cfxxe.mui
c:\rain.exe\en-CA\CMD.cfxxe.mui
c:\rain.exe\en-CA\CSCRIPT.cfxxe.mui
c:\rain.exe\en-CA\PING.cfxxe.mui
c:\rain.exe\en-CA\REGT.cfxxe.mui
c:\rain.exe\en-CA\ROUTE.cfxxe.mui
c:\rain.exe\en-US\ATTRIB.cfxxe.mui
c:\rain.exe\en-US\CF11923.cfxxe.mui
c:\rain.exe\en-US\cmd.cfxxe.mui
c:\rain.exe\en-US\CSCRIPT.cfxxe.mui
c:\rain.exe\en-US\PING.cfxxe.mui
c:\rain.exe\en-US\REGT.cfxxe.mui
c:\rain.exe\en-US\ROUTE.cfxxe.mui
c:\rain.exe\ERDNT.e_e
c:\rain.exe\ERDNTDOS.LOC
c:\rain.exe\ERDNTWIN.LOC
c:\rain.exe\ERUNT.cfxxe
c:\rain.exe\erunt.dat
c:\rain.exe\ERUNT.LOC
c:\rain.exe\Exe.reg
c:\rain.exe\extract.cfxxe
c:\rain.exe\FavoriteFolder.cfx
c:\rain.exe\FavoritesFile.cfx
c:\rain.exe\FD-SV.cmd
c:\rain.exe\ffdefstr.dll
c:\rain.exe\FileKill.cfxxe
c:\rain.exe\files.pif
c:\rain.exe\Fin.dat
c:\rain.exe\FIND3M.bat
c:\rain.exe\FIXLSP.bat
c:\rain.exe\FKMGen.cmd
c:\rain.exe\ForeignWht
c:\rain.exe\GetHive.cmd
c:\rain.exe\grep.cfxxe
c:\rain.exe\gsar.cfxxe
c:\rain.exe\handle.cfxxe
c:\rain.exe\hidec.exe
c:\rain.exe\history.bat
c:\rain.exe\hwid.pif
c:\rain.exe\iexplore.exe
c:\rain.exe\image001.gif
c:\rain.exe\Imefile.dat
c:\rain.exe\Install-RC.cmd
c:\rain.exe\katch.cmd
c:\rain.exe\Kill-All.cmd
c:\rain.exe\kmd.dat
c:\rain.exe\Lang.bat
c:\rain.exe\List-B.bat
c:\rain.exe\List-C.bat
c:\rain.exe\List-D.bat
c:\rain.exe\List.bat
c:\rain.exe\lnkread.vbs
c:\rain.exe\LocalAppDataFile.cfx
c:\rain.exe\LocalAppDataFolder.cfx
c:\rain.exe\LocalService.dat
c:\rain.exe\LocalServiceNetworkRestricted.dat
c:\rain.exe\LocalSettingsFile.cfx
c:\rain.exe\LocalSystemNetworkRestricted.dat
c:\rain.exe\mbr.cfxxe
c:\rain.exe\mbr.chk
c:\rain.exe\md5sum.pif
c:\rain.exe\Mirrors
c:\rain.exe\MoveIt.bat
c:\rain.exe\mtee.cfxxe
c:\rain.exe\MtPt00
c:\rain.exe\MUI
c:\rain.exe\mynul.dat
c:\rain.exe\N_\1010
c:\rain.exe\N_\10573
c:\rain.exe\N_\1223
c:\rain.exe\N_\1301
c:\rain.exe\N_\13901
c:\rain.exe\N_\14191
c:\rain.exe\N_\17633
c:\rain.exe\N_\17837
c:\rain.exe\N_\19434
c:\rain.exe\N_\21740
c:\rain.exe\N_\24000
c:\rain.exe\N_\28720
c:\rain.exe\N_\29125
c:\rain.exe\N_\29535
c:\rain.exe\N_\30674
c:\rain.exe\N_\4480
c:\rain.exe\N_\4491
c:\rain.exe\N_\9282
c:\rain.exe\N_\pingtest
c:\rain.exe\ncmd.com
c:\rain.exe\ND_.bat
c:\rain.exe\ndis_combofix.dat
c:\rain.exe\netsvc.bad.dat
c:\rain.exe\netsvc.dat
c:\rain.exe\netsvc.vista.dat
c:\rain.exe\netsvc.xp.dat
c:\rain.exe\NetworkService.dat
c:\rain.exe\NewCFUser
c:\rain.exe\NirCmd.cfxxe
c:\rain.exe\NircmdB.exe
c:\rain.exe\NirCmdC.cfxxe
c:\rain.exe\NIRKMD.cfxxe
c:\rain.exe\NlsLanguageDefault
c:\rain.exe\NT-OS.cmd
c:\rain.exe\NULL
c:\rain.exe\OSid.vbs
c:\rain.exe\OsVer
c:\rain.exe\pausep.cfxxe
c:\rain.exe\PersonalFile.cfx
c:\rain.exe\PersonalFolder.cfx
c:\rain.exe\PEV.cfxxe
c:\rain.exe\pev.exe
c:\rain.exe\pevb.cfxxe
c:\rain.exe\PING.cfxxe
c:\rain.exe\Policies.dat
c:\rain.exe\powp.dat
c:\rain.exe\Prep.inf
c:\rain.exe\ProfilesFile.cfx
c:\rain.exe\ProfilesFolder.cfx
c:\rain.exe\ProgramsFile.cfx
c:\rain.exe\ProgramsFolder.cfx
c:\rain.exe\Purity.dat
c:\rain.exe\PV.cfxxe
c:\rain.exe\pv.com
c:\rain.exe\RCLink.dat
c:\rain.exe\REGDACL.sed
c:\rain.exe\RegDo.sed
c:\rain.exe\region.dat
c:\rain.exe\RegScan.cmd
c:\rain.exe\RegScan64.cmd
c:\rain.exe\Resident.txt
c:\rain.exe\restore_pt.vbs
c:\rain.exe\Rkey.cmd
c:\rain.exe\rmbr.cfxxe
c:\rain.exe\rogues.dat
c:\rain.exe\ROUTE.cfxxe
c:\rain.exe\run2.sed
c:\rain.exe\Rust.str
c:\rain.exe\s0rt.cfxxe
c:\rain.exe\safeboot.dat
c:\rain.exe\safeboot.def.dat
c:\rain.exe\safeboot.def.vista.dat
c:\rain.exe\Safeboot.def.w7.dat
c:\rain.exe\sed.cfxxe
c:\rain.exe\SetEnvmt.bat
c:\rain.exe\setpath.cfxxe
c:\rain.exe\SF.exe
c:\rain.exe\sfx.cmd
c:\rain.exe\SnapShot.cmd
c:\rain.exe\SRestore.cmd
c:\rain.exe\srizbi.md5
c:\rain.exe\Start_dat
c:\rain.exe\StartMenuFile.cfx
c:\rain.exe\StartMenuFolder.cfx
c:\rain.exe\StartUpFile.cfx
c:\rain.exe\SuppScan.cmd
c:\rain.exe\svc_wht.dat
c:\rain.exe\SvcDrv.vbs
c:\rain.exe\svchost.dat
c:\rain.exe\svchost.vista.dat
c:\rain.exe\svchost.vista.x64.dat
c:\rain.exe\svchost.w7.dat
c:\rain.exe\svchost.w7.x64.dat
c:\rain.exe\SWREG.cfxxe
c:\rain.exe\swreg.exe
c:\rain.exe\swsc.cfxxe
c:\rain.exe\swxcacls.cfxxe
c:\rain.exe\system_ini.dat
c:\rain.exe\tail.cfxxe
c:\rain.exe\TemplatesFile.cfx
c:\rain.exe\TemplatesFolder.cfx
c:\rain.exe\toolbar.sed
c:\rain.exe\Update-CF.cmd
c:\rain.exe\VerCF.bat
c:\rain.exe\version.txt
c:\rain.exe\VInfo
c:\rain.exe\VInfo2
c:\rain.exe\Vipev.dat
c:\rain.exe\Vista.krl
c:\rain.exe\Vista.mac
c:\rain.exe\vistaMcode.dat
c:\rain.exe\vistareg.dat
c:\rain.exe\vun.dat
c:\rain.exe\VwinTemp.dacl
c:\rain.exe\w_sock.dll
c:\rain.exe\w2k_sock.dll
c:\rain.exe\w2kreg.dat
c:\rain.exe\w7Mcode.dat
c:\rain.exe\w7reg.dat
c:\rain.exe\Wmi_rem.vbs
c:\rain.exe\xpmcode.dat
c:\rain.exe\xpreg.dat
c:\rain.exe\XPSBoot.reg
c:\rain.exe\zDomain.dat
c:\rain.exe\zhsvc.dat
c:\rain.exe\zip.cfxxe
G:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-24 01:06 . 2011-03-24 01:06 -------- d-----w- c:\users\Maria\AppData\Local\temp
2011-03-24 01:06 . 2011-03-24 01:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-22 04:21 . 2011-03-22 04:21 -------- d-----w- c:\program files\ERUNT
2011-03-20 18:50 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-03-20 18:50 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-03-20 18:48 . 2011-03-20 18:49 -------- d-----w- c:\users\Maria\AppData\Roaming\Research In Motion
2011-03-20 18:48 . 2011-03-20 18:48 -------- d-----w- c:\users\Maria\AppData\Local\Research In Motion
2011-03-20 18:48 . 2009-01-09 22:18 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-03-20 18:47 . 2011-03-20 18:47 -------- d-----w- c:\programdata\Research In Motion
2011-03-20 18:47 . 2011-03-20 18:47 -------- d-----w- c:\program files\Common Files\Research In Motion
2011-03-20 18:47 . 2011-03-20 18:47 -------- d-----w- c:\program files\Research In Motion
2011-03-18 02:29 . 2011-03-18 02:29 -------- d-----w- c:\users\Maria\AppData\Roaming\Malwarebytes
2011-03-18 02:29 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-18 02:29 . 2011-03-18 02:29 -------- d-----w- c:\programdata\Malwarebytes
2011-03-18 02:29 . 2011-03-18 02:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-18 02:29 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-14 00:14 . 2011-03-14 00:14 -------- d-----w- c:\users\Maria\AppData\Local\Kobo
2011-03-14 00:13 . 2011-03-14 00:14 -------- d-----w- c:\program files\Kobo
2011-03-13 21:57 . 2011-03-13 21:57 -------- d-----w- c:\users\Maria\AppData\Roaming\Auslogics
2011-03-13 21:33 . 2011-03-09 07:47 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-13 21:33 . 2011-03-13 21:33 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-13 21:27 . 2011-03-13 21:27 -------- dc-h--w- c:\programdata\{78A29A4D-35CE-4C46-9AC9-2692EE35F0BE}
2011-03-13 21:11 . 2011-03-13 21:11 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\2dcf0f401cbe1c307\Silverlight.4.0.exe
2011-03-13 21:07 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0476E877-B84C-493E-9467-5CB7276F15F3}\mpengine.dll
2011-03-09 20:30 . 2011-03-09 20:30 -------- d--h--w- c:\programdata\Common Files
2011-03-09 20:28 . 2011-03-24 00:42 -------- d-----w- c:\programdata\AVG10
2011-03-09 20:02 . 2011-03-09 20:08 -------- d-----w- c:\programdata\MFAData
2011-03-07 03:26 . 2011-03-07 03:26 -------- d-----w- c:\programdata\WindowsSearch
2011-03-07 00:44 . 2011-03-13 21:13 -------- d-----w- c:\program files\Microsoft Silverlight
2011-03-07 00:42 . 2011-03-13 21:42 -------- d-----w- c:\users\Maria\AppData\Local\Windows Live
2011-03-07 00:39 . 2011-03-07 00:39 -------- d-----w- c:\users\Maria\AppData\Local\Sunbelt Software
2011-03-07 00:38 . 2011-03-07 00:38 -------- dc-h--w- c:\programdata\{A5847AFF-A1FE-4929-A3C0-16C23AB1D29D}
2011-03-07 00:11 . 2011-03-07 00:11 -------- d-----w- c:\program files\iPod(264)
2011-03-07 00:11 . 2011-03-07 00:12 -------- d-----w- c:\program files\iTunes(265)
2011-03-07 00:08 . 2011-03-07 00:08 -------- d-----w- c:\program files\Bonjour(40)
2011-03-07 00:05 . 2011-03-07 00:05 -------- d-----w- c:\program files\QuickTime(308)
2011-02-23 04:24 . 2011-03-06 22:51 -------- d-----w- c:\users\Maria\AppData\Roaming\FrostWire
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 21:36 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-09 07:47 . 2009-08-02 00:35 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-20 16:37 . 2011-02-15 03:48 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-15 03:48 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-15 03:48 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-15 03:48 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-15 03:48 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-15 03:48 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-15 03:48 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-15 03:48 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-15 03:48 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-15 03:48 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-15 03:48 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-15 03:48 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-15 03:48 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-15 03:48 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-15 03:48 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-15 03:48 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-15 03:48 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-15 03:48 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-15 03:48 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-15 03:48 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-15 03:48 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-15 03:48 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-15 03:48 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-15 03:48 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-15 03:48 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-15 03:48 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-15 03:48 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-15 03:48 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-15 03:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-15 03:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-15 03:48 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-12 05:15 413696 ----a-w- c:\windows\system32\odbc32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-15 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-10-17 6295552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-10 835584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-10-29 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-22 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-22 145944]
"VAIOSurvey"="c:\program files\Sony\VAIO Survey\VAIO Sat Survey.exe" [2008-07-25 385024]
"VWLASU"="c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-05-20 24576]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-10-18 02:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2239373417-2263017947-370445778-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R2 RtkAudioService;Realtek Audio Service;c:\windows\RtkAudioService.exe [2008-10-17 104992]
R2 SampleCollector;Intel(R) Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2008-09-30 122880]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2008-10-18 415584]
R2 VCFw;VAIO Content Folder Watcher;c:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2008-09-04 446464]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2008-04-24 17920]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-03-09 15232]
R3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2008-11-15 110576]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-10-21 103712]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-10-21 353568]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-10-21 62752]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-06-12 337184]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-06-12 83232]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-03-09 64512]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-03-08 1405384]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2008-08-22 9344]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-09 07:47]
.
2011-03-24 c:\windows\Tasks\User_Feed_Synchronization-{26D0D1EB-5C1D-4512-B90B-91CDF40D6288}.job
- c:\windows\system32\msfeedssync.exe [2011-02-15 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Maria\AppData\Roaming\Mozilla\Firefox\Profiles\yq9jh8vz.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-Unattend0000000001{09E44ACC-0BA1-40AD-B317-633F3BA72823} - %PROGRAMFILES%\Sony\First Experience\VAIOWelcome.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 20:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-23 20:07:36
ComboFix-quarantined-files.txt 2011-03-24 01:07
.
Pre-Run: 173,091,516,416 bytes free
Post-Run: 173,152,370,688 bytes free
.
- - End Of File - - C7F2BBB38F303018C442E0F40E6A1369
Blottedisk
2011-03-24, 15:01
Hi mmunoz,
Are you still unable to access normal mode? If so, please do the following in safe mode with networking:
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
--------------------------------------------------------------------
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:dir
%Userprofile%\Desktop /n*.dat /nodirs
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Unfortunately I am still unable to access normal mode. Every time I try to turn it on, the system crashes (blue screen and shuts down) and restarts itself only to crash again, until I enter safe mode with networking.
Here is the log requested:
SystemLook 04.09.10 by jpshortstuff
Log created at 18:28 on 24/03/2011 by Maria
Administrator - Elevation successful
========== dir ==========
C:\Users\Maria\Desktop - Parameters: "/n*.dat /nodirs"
---Files---
None found.
-= EOF =-
Blottedisk
2011-03-25, 21:02
Hi mmunoz,
Let's try to restore your system to a previous point (one before aswMBR was run). Please follow the instructions given in the following tutorial to do so:
http://www.bleepingcomputer.com/tutorials/tutorial143.html#restore
You should choose a restore point that was created before 2011-03-23 at 19:20:26.
I tried to restore my PC with System Restore; however, upon trying to open the program, it will not open and a window pops up with the following message:
To perform an offline system restore, you must specify which Windows installation you would like to restore.
For example, if the installation located in "C:\Windows" should be restored, enter the following command:
rstrui.exe/OFFLINE:C:\Windows
I wonder if I am having problems opening System Restore due to the fact that I am doing it in safe mode with networking? I have tried opening my computer in normal mode, but it just repeatedly crashes, so normal mode is unfortunately not an option.
Blottedisk
2011-03-28, 04:44
Yes, that's the reason for this message. But let's go a different, more interface-friendly way. This will also remove any issues running System Restore inside the operating system.
Do you have your Vista DVD around? Please follow the steps given in the following tutorial to use System Restore not from the operating system itself, but from the Vista Recovery Environment:
http://www.bleepingcomputer.com/tutorials/tutorial142.html
I have bad news. I thought I knew where my Windows Vista CD was, but I cannot find it anywhere. Is there another way? I am really worried now that I made the situation a lot worse. Do you know why it keeps crashing in normal mode?
Blottedisk
2011-03-29, 04:04
Hi mmunoz,
I don't know what is causing the computer to crash, but it's surely malware related. This started happening after you ran aswMBR; TDL4 is one of the most difficult infections to deal with, and the tools we use to fight them need to be quite aggressive. Anyway, restoring the machine to a previous point should help.
Please go to Start and in the search box type cmd. Open cmd, and in the black screen (the console) write the following line and then press enter:
rstrui.exe/offline:c:\windows
Then follow the prompts to restore your computer to a previous state.
Blottedisk
2011-04-03, 03:57
Hi,
Are you still there?
Blottedisk
2011-04-05, 06:08
Due to the lack of feedback, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288) and begin a New Topic.