
FraudWare Antimalware Doctor GiftLoad



Berelath
2011-03-25, 00:27
Hi.
I've been browsing this forum after I got a fake program on my comp, and I see serious answers, just what I need right now. I haven't had any virus activity for many, many years, but this one won't remove with the programs I'm familiar with.

The first sign was the fake program "Antimalware Doctor" that started scanning and said I had many threats on my comp. Being well aware of what programs I have installed, I knew right away that my comp was now infected ...

I'll try to make this as easy for you as I can. Right now I have finished a scan with Spybot - Search and Destroy and SUPERAntiSpyware.

Spybot found: Click.GiftLoad and DoubleClick
SUPERAntiSpyware found: Adware.Tracking Cookie and Trojan.Agent/Gen-FraudWare

Nothing removed at this point; adding the DDS logs.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ruben at 0:05:44,71 on 25.03.2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1552 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\TEMP\mlho\setup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Documents and Settings\***\My Documents\Nedlastinger\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Påloggingshjelp for Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Smoxikovuviyakid] rundll32.exe "c:\windows\amphtPr.dll",Startup
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [AMService] c:\windows\temp\mlho\setup.exe
StartupFolder: c:\docume~1\ruben\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ruben\applic~1\mozilla\firefox\profiles\pmivcpqp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - plugin: c:\documents and settings\***\application data\mozilla\firefox\profiles\pmivcpqp.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 MpKsl2baccea7;MpKsl2baccea7;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6c9ea11b-4808-4cbe-9abe-b25385a8b2a4}\MpKsl2baccea7.sys [2011-3-24 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-6-2 532224]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/10/03 17:52:11];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-4-2 87536]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-16 10448]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2009-8-3 724736]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-12-25 27632]
S1 MpKsl07a10dc2;MpKsl07a10dc2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac5750e8-1c8f-493b-ad2a-ebd0c0814aae}\mpksl07a10dc2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac5750e8-1c8f-493b-ad2a-ebd0c0814aae}\MpKsl07a10dc2.sys [?]
S1 MpKsl27d1ded3;MpKsl27d1ded3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{834d6911-4918-4d9f-97f6-c9ba78c3a6e5}\mpksl27d1ded3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{834d6911-4918-4d9f-97f6-c9ba78c3a6e5}\MpKsl27d1ded3.sys [?]
S1 MpKsl3ecfa034;MpKsl3ecfa034;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1970355-0912-4425-a53a-20221e455846}\mpksl3ecfa034.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1970355-0912-4425-a53a-20221e455846}\MpKsl3ecfa034.sys [?]
S1 MpKsl83d6ce8d;MpKsl83d6ce8d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{36dddd9e-9d37-4722-9d53-30ee3d9cad52}\mpksl83d6ce8d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{36dddd9e-9d37-4722-9d53-30ee3d9cad52}\MpKsl83d6ce8d.sys [?]
S1 MpKsl8aa2eff4;MpKsl8aa2eff4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1970355-0912-4425-a53a-20221e455846}\mpksl8aa2eff4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1970355-0912-4425-a53a-20221e455846}\MpKsl8aa2eff4.sys [?]
S1 MpKslbcbd8be6;MpKslbcbd8be6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1970355-0912-4425-a53a-20221e455846}\mpkslbcbd8be6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1970355-0912-4425-a53a-20221e455846}\MpKslbcbd8be6.sys [?]
S2 AMService;AMService;c:\windows\temp\mlho\setup.exe run --> c:\windows\temp\mlho\setup.exe run [?]
S2 gupdate;Googles oppdateringstjeneste (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
S3 cxbu0wdm;OMNIKEY 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2010-1-25 115712]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-12-25 13224]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2010-12-25 155344]
S4 IMHJXOAVOEM;IMHJXOAVOEM;c:\docume~1\ruben\locals~1\temp\imhjxoavoem.exe --> c:\docume~1\ruben\locals~1\temp\IMHJXOAVOEM.exe [?]
.
=============== Created Last 30 ================
.
2011-03-24 21:05:44 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6c9ea11b-4808-4cbe-9abe-b25385a8b2a4}\MpKsl2baccea7.sys
2011-03-24 00:26:01 -------- d-----w- c:\program files\MyDefrag v4.3.1
2011-03-24 00:24:23 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-03-24 00:24:23 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-24 00:06:47 306688 ----a-w- c:\windows\IsUn0414.exe
2011-03-23 23:42:45 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6c9ea11b-4808-4cbe-9abe-b25385a8b2a4}\mpengine.dll
2011-03-23 16:43:05 388096 ----a-r- c:\docume~1\***\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-23 16:43:04 -------- d-----w- c:\program files\Trend Micro
2011-03-22 17:42:18 -------- d-----w- c:\docume~1\***\applic~1\SUPERAntiSpyware.com
2011-03-22 17:42:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 11:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-05 12:23:56 -------- d-----w- c:\docume~1\***\applic~1\runic games
2011-03-05 12:12:21 -------- d-----w- c:\program files\Runic Games
2011-03-01 18:26:25 -------- d-----w- c:\program files\common files\Symantec Shared
2011-03-01 17:29:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-03-01 17:29:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-03-01 14:28:18 -------- d-----w- c:\windows\system32\Adobe
2011-02-26 16:45:51 -------- d-----w- c:\windows\SxsCaPendDel
.
==================== Find3M ====================
.
2011-02-05 10:23:31 252304 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-05 10:23:31 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-05 10:23:29 252304 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-04 16:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 16:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200KS-75PFB0 rev.21.00M21 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AEFD439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8af037d0]; MOV EAX, [0x8af0384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B012030]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF42818]
\Driver\atapi[0x8AF6DBD8] -> IRP_MJ_CREATE -> 0x8AEFD439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200KS-75PFB0_____________________21.00M21#5&11df0e00&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AEFD27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:08:13,20 ===============
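
The log above ends in a GMER warning, but read top to bottom it already carries most of the indicators a triager would circle: a rundll32 run key loading a DLL dropped directly in the Windows directory, an autorun and two services that execute out of temp directories, a hosts-file entry that sinkholes a security site, a Firefox default search redirected to a toolbar vendor, and a disk I/O path that passes through code outside any known module. The Python script below is an added example, not part of the original post and not part of the DDS tool; it encodes those heuristics and runs them over a constructed sample made from lines of the log above, plus a few benign autorun and service entries to show what the rules leave alone. The trusted-search-host list, the rule wording and the verdict logic are assumptions of the example.

```python
"""Triage heuristics for a DDS log: added example, not part of the original post."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines taken from the DDS log in the post above, plus a few
# benign autorun/service entries so the output shows what the rules leave alone.
SAMPLE_DDS_LOG = r"""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Smoxikovuviyakid] rundll32.exe "c:\windows\amphtPr.dll",Startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [AMService] c:\windows\temp\mlho\setup.exe
Hosts: 127.0.0.1 www.spywareinfo.com
S2 AMService;AMService;c:\windows\temp\mlho\setup.exe run --> c:\windows\temp\mlho\setup.exe run [?]
S2 gupdate;Googles oppdateringstjeneste (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
S4 IMHJXOAVOEM;IMHJXOAVOEM;c:\docume~1\ruben\locals~1\temp\imhjxoavoem.exe --> c:\docume~1\ruben\locals~1\temp\IMHJXOAVOEM.exe [?]
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AEFD439]<<
\Driver\atapi DriverStartIo -> 0x8AEFD27F
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# DDS line shapes: u/m/dRun = HKCU / HKLM / Default-user Run keys; R*/S* = running / stopped services.
AUTORUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
FF_SEARCH_RE = re.compile(r"^FF - prefs\.js: browser\.search\.defaulturl - (?P<url>\S+)$")
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")
DRIVER_HOOK_RE = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$")

# Assumption of this example: a Firefox default search pointing anywhere else is a hijack.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def dll_in_windows_root(dll_path: str) -> bool:
    """True when a DLL sits directly in the Windows directory rather than under system32."""
    directory = dll_path.lower().rpartition("\\")[0]
    return directory in {"c:\\windows", "%windir%", "%systemroot%"}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips a heuristic, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := AUTORUN_RE.match(line):
            cmd = m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r and dll_in_windows_root(r.group("dll")):
                findings.append(Finding("rundll32 autorun loads a DLL dropped in the Windows root", line))
            elif TEMP_DIR_RE.search(cmd):
                findings.append(Finding("autorun executes from a temp directory", line))
        elif m := SERVICE_RE.match(line):
            # DDS appends [?] when it cannot stat the binary; a legitimate service
            # (vsmon in the log above) shows it too, so the path is the discriminator.
            if TEMP_DIR_RE.search(m.group("path")):
                findings.append(Finding("service binary lives in a temp directory", line))
        elif m := HOSTS_RE.match(line):
            if m.group("ip").startswith("127.") and m.group("host") != "localhost":
                findings.append(Finding("hosts file sinkholes a domain to loopback", line))
        elif m := FF_SEARCH_RE.match(line):
            # DDS defangs URLs as hxxp://; restore the scheme so urlparse yields the host.
            host = urlparse(m.group("url").replace("hxxp", "http", 1)).netloc.lower()
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(f"Firefox default search redirected to {host}", line))
        elif UNKNOWN_MODULE_RE.search(line):
            findings.append(Finding("disk I/O path passes through code outside any known module", line))
        elif DRIVER_HOOK_RE.match(line):
            findings.append(Finding("dispatch hook on a disk-stack driver", line))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Kernel-level indicators dominate: no userland cleanup is trustworthy while they are present."""
    kernel = [f for f in findings if "known module" in f.rule or "hook" in f.rule]
    if kernel:
        return "rootkit indicators present: isolate host, do not trust userland scanners"
    return "userland persistence only" if findings else "no indicators"


if __name__ == "__main__":
    results = triage(SAMPLE_DDS_LOG)
    for f in results:
        print(f"[{f.rule}]\n    {f.line}")
    print(verdict(results))
```

Run against the sample it reports eight findings and a rootkit verdict; the SUPERAntiSpyware, ZoneAlarm, NvCpl and Google Update entries pass through untouched. The ordering in the elif chain matters: the rootkit-section rules come last because those lines share no prefix with the autorun and service lines, and the `[?]` marker is deliberately not used as a signal on its own.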

shelf life
2011-03-26, 00:03
hi Berelath,

Based on the log you shouldn't be using the computer. Make sure it has no internet connectivity; if you're not sure how to do this, then I would power it off.

Before we begin:
You have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. In my opinion you should consider a reformat/reinstall of Windows.
The best source for information on how to do this would be the computer manufacturer's website.

We will use two downloads. Use TDSSKiller first, then ComboFix.

1) Please download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop.
Double click to launch the utility. On Vista/W7, right click and "run as admin". After it initializes, click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_03.21.2011_17.32.21_log.txt (name, version, date, time, log.txt).
Please post the log in your reply.

2) ComboFix requires that you read a guide first before use. Read through the guide, then apply the directions on your own machine. Post the ComboFix log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Berelath
2011-03-26, 15:23
Thanks for the reply.

Things got worse. The window layout changed, as if someone had used remote desktop. I did read the other threads with the same problem and was expecting this answer: "shouldn't be using the computer" etc.
I have recently lost everything to a hard drive crash, so it wasn't any great loss to format the hard disk. So I did a reinstall; thanks to Dell for the super-fast reset to a fresh factory installation.

Case closed, I guess.

If it's any help, I'll upload the log from Spybot S&D. I forgot to add it to my first post and didn't want to make a new post before I got a response :)

shelf life
2011-03-26, 19:56
hi Berelath,

Ok thanks for the information. Sometimes a reformat can be the quickest and safest thing to do.

You should visit Windows Update to get "patched", unless you receive updates via auto-update.

You should also back up files every once in a while, unless you already do. This would be content you created, like documents, pictures etc. Windows and software can always be reinstalled; content you created would be lost unless you have a backup. There are many options: CD/DVD, USB sticks, free internet storage sites etc.
I can actually fit the files I want to keep on a 2GB USB drive.

I suggest a second antimalware application to go along with Spybot: Malwarebytes (http://www.malwarebytes.org/). The free version must be updated manually and a scan started manually. And last:

10 Tips for Prevention and Avoidance of Malware:

There is no reason why your computer cannot stay malware free.
No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx). Staying updated is also essential for web based applications, browser plugins and addons like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here (http://secunia.com/vulnerability_scanning/online/).

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If any of these frequently find malware, then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop-ups or offers from websites requesting that you install software on your computer, *for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A slide show how to for securing Internet Explorer 8.0 (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) for safer surfing. How to harden FireFox. (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.

10) Warez, cracks etc. are very popular for carrying malware payloads. If you download/install files via p2p networks you will encounter malware. Malware can be named anything, be nothing but malware or have malware bundled in it. Can you really trust the source of the file?

More info/tips with pictures, links below

Happy Safe Surfing.

Berelath
2011-03-27, 00:36
Thanks for the tips.

Will use them from now on. Been too careless about protecting my computer lately.

Great site!

shelf life
2011-03-27, 18:19
OK, you're welcome. Happy safe surfing.