PDA

View Full Version : Click.Giftload/Rootkit (again for you guys!)


salmanc
2011-03-23, 14:28
Hi All, Goodness this Giftload virus just wont leave you guys alone!:confused:

I appreciate any help with this!:red:

Whilst i have reasonable experience removing some nasty viruses over the years, this one has truly stumped me!

I installed Avast Antivirus and its coming up with rootkit issues. XP Machine SP3.

Symptoms:
Spybot SD scan done in SafeMode - Comes up with Giftloader redirect.
Malware Antibyteware comes up with Trojan.Dripper or something along those lines, that keep coming up, even after delete.
When Google starts, first time ok, then after a few minutes if i click on a page a pop up opens and sybancif.sys (dont know if thats the correct name) comes up in Avast.
Rootkit warning comes up, and Avast warns about something in the MBR.

Assuming something is stuck in the rootkit. UTorrent Uninstalled.

Help!
_______________________________________________________________
DDS.TXT BELOW

the.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Salman at 12:15:56.51 on 23/03/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1224 [GMT 0:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: : {6a9ecac4-58c9-4554-b0e9-d3c294aa2e92} - c:\windows\system32\atitvo32i.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {960efb35-dc36-4cd2-9b58-a5afd33edc0a} - c:\windows\system32\cfgbkendq.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\ypops.lnk - c:\program files\ypops\YPOPs.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.euro.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: vmtbnuen - atitvo32i.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {367BDF4B-04E5-46C9-9D83-D68307F659E3} - No File
SEH: {e23136a1-1ac4-4d1b-926f-5d537cfff359} - c:\windows\system32\xxywvWPF.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 78.109.164.80 spiritnet.co.uk
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\o36bj9uc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 sacbasqj;sacbasqj;c:\windows\system32\drivers\sacbasqj.sys [2001-8-23 22016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-22 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-22 301528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-22 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-22 42184]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-10-8 14976]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-21 2250616]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-8-24 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S2 Norton AntiVirus Server;Norton AntiVirus Client;"c:\program files\navnt\rtvscan.exe" --> c:\program files\navnt\rtvscan.exe [?]
S3 ACT! Network Sync Service;ACT! Network Sync Service;c:\program files\act\act for windows\act network sync\Act.Framework.Synchronization.Service.exe [2009-8-24 24576]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-9-30 20608]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-10-7 779136]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S4 {28C500CA-E67F-49B6-A6BCF6841CC41D6B};{28C500CA-E67F-49B6-A6BCF6841CC41D6B};c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2011-03-22 17:23:17 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-22 17:22:26 40648 ----a-w- c:\windows\avastSS.scr
2011-03-22 17:06:50 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-22 17:06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-22 17:06:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-22 17:06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-22 17:06:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-22 13:21:26 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-22 13:21:26 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-22 13:18:54 -------- d-----w- C:\SWISNIFE
2011-03-22 13:15:48 -------- d-----w- c:\docume~1\admini~1\applic~1\tforfkhw
2011-03-22 13:15:46 -------- d-----w- c:\program files\TechHit.com
2011-03-18 16:59:08 -------- d-----w- c:\documents and settings\administrator\IECompatCache
2011-03-18 16:58:07 -------- d-----w- c:\documents and settings\administrator\PrivacIE
2011-03-18 16:55:21 -------- d-----w- c:\documents and settings\administrator\IETldCache
2011-03-18 16:15:23 -------- dc----w- c:\windows\ie8
2011-03-18 16:05:10 -------- d-----w- c:\program files\TechHit(2).com
2011-02-26 16:03:41 -------- d-----w- c:\program files\Amit Ranjan
2011-02-24 15:52:09 -------- d-----w- C:\SWISNIFE(2)
.
==================== Find3M ====================
.
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-17 15:02:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-17 15:02:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ------w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A5E3439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5e97d0]; MOV EAX, [0x8a5e984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A5B0AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A5F9A48]
\Driver\atapi[0x8A5D0BF0] -> IRP_MJ_CREATE -> 0x8A5E3439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#4a35545639303843202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5E327F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:19:16.20 ===============
Blottedisk
2011-03-23, 15:15
Hi salmanc,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Unfortunately your computer appears to have been infected by the TDL3 backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:


Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps


This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the
system partition and reinstalling Windows as this is the only 100% sure answer.You should not be following fixes in another threads as
those fixes are specifically for those computers.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )

When Should I Format, How Should I Reinstall? (http://www.dslreports.com/faq/10063 )


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif)
Click the image to enlarge it

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm).


Step 2 | Please visit the following and have a look how you can disable your security software.

How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260)

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Blottedisk
2011-03-26, 06:02
Hi salmanc,


Are you still with us?
Blottedisk
2011-03-29, 16:03
Due to the lack of feedback, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288 ) and begin a New Topic.