DDS.txt shows "possible TDL3 rootkit infection" after checking for Click.Giftload



cyfyr
2011-03-27, 20:30
PROBLEM
DDS.txt shows "possible TDL3 rootkit infection" after investigating Click.Giftload threat

RECENT HISTORY
Recently installed Mozilla Firefox to see how version 4 compared against IE6
Unfortunately did not get the AVG verdict icons working so was not fully protected when browsing
Suspect this may be the cause of the infection

Last Spybot scan NOT showing Click.Giftload
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
Checks.110326-1411.log
26.03.2011 14:11:50 - ##### check started #####
26.03.2011 14:11:50 - ### Version: 1.6.2
26.03.2011 14:11:50 - ### Date: 26/03/2011 14:11:50
26.03.2011 14:11:52 - ##### checking bots #####
26.03.2011 14:25:57 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
26.03.2011 14:25:59 - ##### check finished #####

First spybot scan showing Click.GiftLoad
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
Checks.110327-0428.log
27.03.2011 04:28:13 - ##### check started #####
27.03.2011 04:28:13 - ### Version: 1.6.2
27.03.2011 04:28:13 - ### Date: 27/03/2011 04:28:13
27.03.2011 04:28:15 - ##### checking bots #####
27.03.2011 04:28:57 - found: Click.GiftLoad User settings
27.03.2011 04:41:04 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
27.03.2011 04:41:04 - ##### check finished #####

Right Media Tracking cookie appears on the PC every now and again
I have not noticed it causing any problems and Spybot is able to remove it
Spybot was also able to remove Click.Giftload

However noticed strange IE6 activity this morning ...
Clicking on google search results often directs back to google search
Clicking on google search results sometimes directs to an unexpected web page
Browser occasionally launches a new session onto an unwanted web page (links can be supplied if required)
Firefox does not launch at all

Re-booted PC and ran Spybot scan and found Click.Giftload present again
Used Spybot to remove (and also purge) this threat

Re-ran scan later and no threats detected

Searched for Click.Giftload on your forum (and elsewhere online)
Used Zone Alarm to Stop All Internet Activity between changing web pages (though none actually observed)
Downloaded ERUNT and backed up registry
Ran DDS and found the rootkit warning at the bottom of the log

Unwanted browser activity continued
Ran Spybot scan and again no threats detected
This suggests that Click.Giftload itself may not be the problem - just one of the problem's related activities?

Re-started PC - took several minutes longer to shut down than normal
Re-ran Spybot scan and Click.Giftload again detected
This suggests Click.Giftload is being installed during shut down or IPL - I assume by the rootkit?

Re-started PC again
Ran DDS and created DDS.txt and Attach.txt prior to removing Click.Giftload again

Start of DDS.txt (with name commented to Xxxxxx Xxxxx) --------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Xxxxxx Xxxxx at 16:51:17.60 on 27/03/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2393 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\Xxxxxx Xxxxx\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/HTML/index.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\n7khba69.default\
FF - prefs.js: browser.startup.homepage - c:\\html\\index.htm
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-3-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-3-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-3-16 243024]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-7-27 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-27 394952]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-3-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-3-16 308136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-7-25 2034560]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-6-25 1390976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-6-24 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-26 00:08:14 -------- d-----w- c:\program files\DependencyWalker
2011-03-24 23:53:37 -------- d-----w- c:\docume~1\robert~1\applic~1\GetRightToGo
2011-03-20 23:09:02 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-20 23:09:02 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-20 23:09:02 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-20 23:09:02 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-20 23:09:02 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-20 23:09:02 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-20 20:54:57 98304 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
2011-03-20 20:54:57 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
2011-03-20 20:54:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-20 20:54:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
2011-03-20 20:54:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-20 20:54:57 14121944 ----a-w- c:\program files\mozilla firefox\xul.dll
2011-03-20 20:54:57 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-03-20 08:34:43 -------- d--h--w- C:\$AVG
2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-19 22:39:24 -------- d-----w- c:\program files\System Tracker
2011-03-19 22:06:54 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1.dll
2011-03-19 22:03:33 -------- d-----w- C:\T3
2011-03-19 21:38:20 65593 ----a-w- c:\program files\outlook express\csapi3t1.dll
2011-03-19 21:37:02 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1_net.dll
2011-03-19 21:34:56 -------- d-----w- C:\T2
2011-03-19 19:55:42 6317328 ----a-w- c:\program files\common files\microsoft shared\proof\1036\MSGR3FR.DLL
2011-03-19 19:55:42 1100560 ----a-w- c:\program files\common files\microsoft shared\proof\3082\MSGR3ES.DLL
2011-03-19 19:55:41 854152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3ES.DLL
2011-03-19 19:55:41 633664 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3FR.DLL
2011-03-19 19:55:41 49152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTHES3.DLL
2011-03-19 19:55:41 3152704 ----a-w- c:\program files\common files\microsoft shared\proof\1033\MSGR3EN.DLL
2011-03-19 19:55:40 61512 ----a-w- c:\program files\common files\microsoft shared\proof\MSHYPH2.DLL
2011-03-19 19:55:40 576320 ----a-w- c:\program files\common files\microsoft shared\proof\MSLID.DLL
2011-03-19 19:55:40 551232 ----a-w- c:\program files\common files\microsoft shared\proof\MSSP3FR.DLL
2011-03-19 19:55:39 919696 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3ES.DLL
2011-03-19 19:55:39 408336 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3FR.DLL
2011-03-19 11:49:28 -------- d-----w- C:\T1
2011-03-16 20:13:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-03-16 20:13:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:13:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-03-16 20:13:33 -------- d-----w- c:\windows\system32\drivers\Avg
2011-03-16 19:46:03 -------- d-----w- c:\docume~1\robert~1\applic~1\AVG10
2011-03-16 18:15:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-16 17:48:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-16 17:19:20 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-15 00:00:24 -------- d-----w- c:\docume~1\robert~1\applic~1\TaskCoach
2011-03-15 00:00:15 -------- d-----w- c:\program files\TaskCoach
2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\locals~1\applic~1\Apprise
2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\applic~1\Apprise
2011-03-06 15:36:52 -------- d-----w- c:\program files\Toggl Desktop
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKS-00UU3A0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T1L0-10
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4b47d0]; MOV EAX, [0x8a4b484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x8A4E59E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4E3940]
\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP3T1L0-10 -> \??\IDE#DiskWDC_WD5000AAKS-00UU3A0__________________01.03B01#5&511fad&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AE27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:52:12.62 ===============
End of DDS.txt ------------------------------------------------------------------


The PC has not been used for ebay or internet banking for a couple of weeks and since the problem has only been around for a day there has been no opportunity for any account information or passwords to have been captured during use.
However please can you advise whether there is any action I can take to remove the threat.
My objective is to get the PC as clean as possible - even if it requires a full drive reformat and windows re-install.
Having backed up all data last weekend I am in a good position to do this though would prefer not to if there is a better way.

THANKS in anticipation.
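The ROOTKIT block at the end of that DDS log is the part a responder reads by hand. The following Python is an added example, not code from this thread and not part of DDS or GMER; it parses that block and applies the same checks: an UNKNOWN module in the disk I/O call chain, the IRP_MJ_CREATE dispatch and DriverStartIo of \Driver\atapi pointing into that unattributed region, and an intact MBR (which is why the tool reports TDL3, the driver-patching variant, rather than the MBR-infecting TDL4). The infected sample is copied from the log above; the clean sample and the 64 KiB proximity window are assumptions for illustration.

```python
# Flag TDL3-style disk-driver hooking in the ROOTKIT block that DDS appends.
# Added example (not DDS/GMER code): parses the GMER MBR-detector output and
# applies the checks a responder makes by hand.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Copied from the DDS.txt quoted above (_asm, trace and device lines omitted).
INFECTED_SAMPLE = r"""=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AE27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:52:12.62 ===============
"""

# Constructed clean block for comparison (not taken from the thread).
CLEAN_SAMPLE = r"""=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
============= FINISH: 00:00:00.00 ===============
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
IRP_RE = re.compile(r"^(\\Driver\\\S+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> 0x([0-9A-Fa-f]+)$")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) (\w+) -> 0x([0-9A-Fa-f]+)$")
NEAR = 0x10000  # assumption: targets within 64 KiB of the UNKNOWN address share one code region


@dataclass
class RootkitIndicators:
    unknown_module: Optional[int] = None  # code in the disk path GMER could not attribute
    irp_redirects: List[Tuple[str, str, int]] = field(default_factory=list)  # (driver, IRP_MJ_*, target)
    startio_hooks: List[Tuple[str, str, int]] = field(default_factory=list)  # (driver, field, target)
    mbr_ok: bool = False
    warning: Optional[str] = None


def parse_rootkit_section(text: str) -> RootkitIndicators:
    """Read only the ROOTKIT block of a DDS log (or a bare GMER block) into indicators."""
    ind = RootkitIndicators()
    in_section = "ROOTKIT" not in text  # no header at all: treat the whole text as the block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "ROOTKIT" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("="):  # next DDS section header (e.g. FINISH) ends the block
            break
        m = UNKNOWN_RE.search(line)
        if m:
            ind.unknown_module = int(m.group(1), 16)
        m = IRP_RE.match(line)
        if m:
            ind.irp_redirects.append((m.group(1), m.group(2), int(m.group(3), 16)))
        m = HOOK_RE.match(line)
        if m:
            ind.startio_hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
        if line == "user & kernel MBR OK":
            ind.mbr_ok = True
        elif line.startswith("Warning:"):
            ind.warning = line
    return ind


def assess(ind: RootkitIndicators) -> List[str]:
    """Return human-readable reasons the block looks hooked; an empty list means clean."""
    reasons = []
    if ind.unknown_module is not None:
        reasons.append(f"disk I/O path runs code at 0x{ind.unknown_module:08X} belonging to no loaded module")
    for drv, mj, target in ind.irp_redirects:
        reasons.append(f"{drv} {mj} dispatch redirected to 0x{target:08X}")
    for drv, name, target in ind.startio_hooks:
        reasons.append(f"{drv} {name} hooked to 0x{target:08X}")
    targets = [t for _, _, t in ind.irp_redirects + ind.startio_hooks]
    if ind.unknown_module is not None and targets and all(abs(t - ind.unknown_module) < NEAR for t in targets):
        reasons.append("every hook target lies in the same unattributed region as the UNKNOWN module")
    if reasons and ind.mbr_ok:
        # TDL3 patched a disk driver and left the MBR alone; TDL4 moved its loader into the MBR.
        reasons.append("MBR intact, so the implant lives in a patched driver, not the boot sector")
    if ind.warning:
        reasons.append(ind.warning)
    return reasons


def is_suspicious(text: str) -> bool:
    return bool(assess(parse_rootkit_section(text)))


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", assess(parse_rootkit_section(sample)) or ["no indicators"])
```

Run it against a whole DDS.txt and it reads only the ROOTKIT block; the proximity check is what ties the two hook addresses (0x8A4AE27F and 0x8A4AE439) to the one region GMER could not name, which is the actual evidence behind the tool's one-line warning.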

Blottedisk
2011-03-29, 17:31
Hi cyfyr,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html)

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (full size: http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif)

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm).


Step 2 | This next program is needed to remove the remaining malware entries I see. However, AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the infection.

After uninstalling AVG from the Control Panel, also run the AVG remover tool from their site (download AVG Remover 32bit).

http://www.avg.com/us-en/download-tools

You may also use this AppRemover to uninstall AVG:
http://www.appremover.com

AppRemover tutorial:
http://www.appremover.com/about/using-appremover.html


After uninstalling AVG, please download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

cyfyr
2011-03-30, 17:39
Hi Blottedisk,

Many thanks for replying to my post and coming to my assistance - your help and advice is very much appreciated.

The malware is definitely re-installing Click.Giftload at shutdown and/or startup and these are taking a lot longer than usual.
This must be driven by something lurking on the PC itself as the internet is physically disconnected at the time.

AVG has occasionally blocked something nasty from being accessed whilst I was connected to the internet but not actually doing anything.
(see attached AVGwarning.gif)

All things considered I plan to reformat the drive and re-install Windows etc as this is the only way to be 100% safe.
This is likely to be done/completed this weekend, after which I will re-run the DDS scan and post the results.

In the meantime the PC will remain physically disconnected from the internet most of the time and restarts avoided.

Thanks once again for your help.

Blottedisk
2011-03-30, 19:43
Hi cyfyr,

You are welcome.

Reformatting and disconnecting this machine from the Internet are the wisest choices you can make.

I will keep this topic open so you can post your new DDS log next week. In case you need some help regarding the format/install process, I will be here also.

cyfyr
2011-04-04, 22:06
The Windows re-install has now been more or less completed.
An early Spybot scan found DoubleClick and Smitfraud-C.
Not sure where these came from as I had not managed to reconnect to the internet at that time!
Thankfully they were successfully removed and have not reappeared.

DDS has been run and the output posted / attached (with my name 'X'ed out).
The text does not contain any "warn", "root", "robot", "trojan", "malware" so I believe the PC is clean.

-------- DDS.TXT -------- Start --------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Xxxxxx Xxxxx at 19:56:23.89 on 04-04-2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2408 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system\HsMgr.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/HTML/Index.htm
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
mRun: [Cmaudio8788GX] c:\windows\system\HsMgr.exe Envoke
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\xxxxxx~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301854820531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-4-2 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-4-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-4-2 243024]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2011-4-2 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-2 394952]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-4-2 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-4-2 308136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2011-4-1 2034560]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-4-1 1390976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-03 21:39:44 -------- d-----w- c:\windows\system32\winrm
2011-04-03 21:39:40 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-04-03 20:08:17 293376 ------w- c:\windows\system32\browserchoice.exe
2011-04-03 19:44:44 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-03 19:02:06 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\ApplicationHistory
2011-04-03 18:54:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-04-03 18:54:23 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-04-03 18:54:22 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-04-03 18:54:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-04-03 18:52:12 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-03 18:52:12 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-04-03 18:44:54 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\Windows Desktop Search
2011-04-03 18:44:30 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-03 18:44:30 -------- d-----w- c:\program files\Windows Desktop Search
2011-04-03 18:43:39 -------- d-----w- c:\program files\Windows Media Connect 2
2011-04-03 18:42:24 -------- d-----w- c:\windows\system32\LogFiles
2011-04-03 18:41:20 -------- d-----w- c:\windows\system32\URTTEMP
2011-04-03 18:23:03 -------- d-----w- c:\windows\system32\PreInstall
2011-04-03 18:23:02 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-03 18:23:01 -------- d--h--w- c:\windows\$hf_mig$
2011-04-03 18:20:58 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-04-03 18:20:58 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-04-03 18:20:57 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-04-03 18:20:57 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-04-03 18:20:57 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-04-03 10:08:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-03 10:08:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-02 22:22:13 -------- d-----w- c:\program files\SonicWallES
2011-04-02 22:21:41 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\Identities
2011-04-02 18:51:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-02 17:50:38 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\MailFrontier
2011-04-02 17:43:17 1734688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2011-04-02 17:39:12 75248 ----a-w- c:\windows\zllsputility.exe
2011-04-02 17:38:18 1086952 ----a-w- c:\windows\system32\zpeng24.dll
2011-04-02 17:38:15 -------- d-----w- c:\windows\system32\ZoneLabs
2011-04-02 17:38:15 -------- d-----w- c:\program files\Zone Labs
2011-04-02 16:00:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-02 16:00:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-02 15:15:42 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-04-02 15:15:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-04-02 15:15:38 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-04-02 15:15:37 -------- d-----w- c:\windows\system32\drivers\Avg
2011-04-02 15:15:33 -------- d-----w- c:\program files\AVG
2011-04-02 15:15:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
2011-04-02 14:25:20 -------- d-s---w- c:\documents and settings\xxxxxx xxxxx\UserData
2011-04-02 11:59:28 11264 ----a-w- c:\windows\system32\SpOrder.dll
2011-04-02 11:58:51 -------- d-----w- c:\windows\Internet Logs
2011-04-01 22:47:32 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-04-01 20:57:01 -------- d-----w- c:\windows\pss
2011-04-01 19:52:17 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\Desktop
2011-04-01 19:13:10 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\OpenOffice.org
2011-04-01 19:12:21 -------- d-----w- C:\DJGPP
2011-04-01 19:12:17 -------- d-----w- C:\HTML
2011-04-01 19:12:02 -------- d-----w- C:\LiveData
2011-04-01 19:10:29 -------- d-----w- C:\Backups
2011-04-01 18:46:19 -------- d-----w- C:\temp
2011-04-01 18:46:18 160951 ------w- c:\windows\system32\drivers\gtipdsp_.bin
2011-04-01 18:46:17 24576 ----a-w- c:\windows\system32\CoInst.dll
2011-04-01 18:46:17 160963 ----a-w- c:\windows\system32\drivers\gtipdsp.bin
2011-04-01 18:46:17 148338 ----a-w- c:\windows\system32\drivers\gwausb.sys
2011-04-01 18:46:15 12288 ------w- c:\windows\system32\CplEng.dll
2011-04-01 18:46:14 -------- d-----w- c:\program files\Voyager 105 ADSL Modem
2011-04-01 18:40:10 247808 ----a-w- c:\windows\system32\newdev_5_1_2600_5512.dll
2011-04-01 18:40:10 1388816 ----a-w- c:\windows\system32\shell32_Win98.DLL
2011-04-01 18:40:10 113936 ----a-w- c:\windows\system32\newdev_5_0_2146_1.dll
2011-04-01 18:23:48 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-01 18:23:48 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-01 18:22:40 163840 ----a-w- c:\windows\BJPSUNST.EXE
2011-04-01 18:21:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-01 18:21:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-01 18:21:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
2011-04-01 18:21:54 306688 ----a-w- c:\windows\IsUninst.exe
2011-04-01 18:21:17 -------- d-----w- c:\windows\StartHtmico
2011-04-01 18:20:59 8704 ----a-w- c:\windows\system32\CNMVS7A.DLL
2011-04-01 18:20:59 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP7A.DLL
2011-04-01 18:20:59 20992 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD7A.DLL
2011-04-01 18:20:59 140288 ----a-w- c:\windows\system32\CNMLM7A.DLL
2011-04-01 18:20:58 90112 ----a-r- c:\windows\system32\CNMCP7A.exe
2011-04-01 18:20:03 263978 ----a-w- c:\windows\system32\CNMNPPM.DLL
2011-04-01 18:20:03 117322 ----a-w- c:\windows\system32\CNMNPUI.DLL
2011-04-01 18:20:03 -------- d-----w- c:\program files\Canon
2011-04-01 18:04:30 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\ATI
2011-04-01 18:04:11 0 ----a-w- c:\windows\ativpsrm.bin
2011-04-01 18:01:50 -------- d-----w- c:\program files\common files\ATI Technologies
2011-04-01 18:00:04 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-04-01 17:59:51 -------- d-----w- c:\program files\ATI Technologies
2011-04-01 17:59:13 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-04-01 17:59:13 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-04-01 17:59:13 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-04-01 17:59:13 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-04-01 17:59:13 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-04-01 17:58:56 -------- d-----w- C:\AMD
2011-04-01 17:53:32 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-04-01 17:53:32 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-04-01 17:53:32 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-04-01 17:53:31 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-04-01 17:53:31 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-04-01 17:53:31 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-04-01 17:53:31 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-04-01 17:53:31 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-04-01 17:49:27 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2011-04-01 17:49:27 142336 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2011-04-01 17:49:18 -------- d-----w- c:\program files\Realtek
2011-04-01 17:42:42 331184 ------w- c:\windows\system32\difxapi.dll
2011-04-01 17:42:41 -------- d-----w- c:\program files\VIA
2011-04-01 17:39:54 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-04-01 17:39:53 53248 ----a-r- c:\windows\system32\CSVer.dll
2011-04-01 17:39:43 -------- d-----w- C:\Intel
2011-04-01 17:38:21 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
2011-04-01 17:38:17 10296 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
2011-04-01 17:26:42 -------- d-----w- c:\program files\JRE
2011-04-01 17:26:40 -------- d-----w- c:\program files\OpenOffice.org 3
2011-04-01 17:26:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-01 17:26:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-01 17:23:48 -------- d-----w- c:\program files\MSECache
2011-04-01 17:20:08 -------- d-----w- C:\Downloads
2011-04-01 17:18:45 -------- d-----w- C:\Downloads_Old
2011-04-01 15:00:24 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
.
==================== Find3M ====================
.
2011-04-01 17:54:18 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-04-01 17:54:18 102400 ----a-w- c:\windows\system32\OpenAL32.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 19:57:33.48 ===============--------

DDS.TXT -------- Finish --------

Thanks once again for your help - it is greatly appreciated.

Blottedisk
2011-04-05, 01:20
Hi cyfyr,


Your log is looking good. However, it shows that you are operating your computer with multiple anti-virus programs running in memory at once:

AVG
ZoneAlarm

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having more than one running at the same time can cause your computer to run very slowly and become unstable, and lead to conflicts, errors, false positives, etc.


Please go to Start --> Run and type appwiz.cpl and press enter. Uninstall either AVG or ZoneAlarm.


When finished, please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com )

Click on Browse, and upload the following files for analysis:


c:\windows\system32\newdev_5_1_2600_5512.dll
c:\windows\system32\shell32_Win98.DLL
c:\windows\system32\newdev_5_0_2146_1.dll
c:\windows\BJPSUNST.EXE

Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

cyfyr
2011-04-06, 00:12
Many thanks for reviewing the log - I'm pleased it's looking good!

The anti-virus part of Zone Alarm is actually switched off at present (and is flagged as disabled in DDS.TXT).
However once everything is back to normal I will in any case be seeking to replace it completely with whatever freeware is currently best (though I do like the way ZA works).
May also review AVG as well.
For now AVG (and Spybot) scans will be done manually so I am hopeful this will avoid resource / conflict issues.

I think I can explain three of the DLL issues.
The WinXP build installed newdev.dll version 5.1.2600.5512.
Unfortunately this prevents the install of the Voyager 105 USB modem driver.
The workaround from the internet is to use Safe Mode to temporarily install an older version that does allow the install; having first overcome this problem last year, I still had a copy of earlier version 5.0.2146.1.
A backup copy of each file has been left in place beside the live newdev.dll in case needed in future ...
newdev_5_1_2600_5512.dll
newdev_5_0_2146_1.dll

Having retired my Win98 machine only last year I still prefer Windows Classic view.
Unfortunately I have not been able to find some of the Windows Classic icons on WinXP yet.
I therefore transferred the shell32.dll containing the icons from the Win98 machine (but renamed it to avoid problems with the WinXP shell32.dll).
shell32_Win98.DLL

BJPSUNST.EXE has been uploaded to the VirusTotal website and examined as follows ...


-------- Virus Total output -------- Start --------


File name: BJPSUNST.EXE
Submission date: 2011-04-05 21:30:33 (UTC)
Current status: queued (#2) queued (#2) analysing finished

Result: 0/ 42 (0.0%)
VT Community

not reviewed
Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2011.04.06.01 2011.04.05 -
AntiVir 7.11.5.201 2011.04.05 -
Antiy-AVL 2.0.3.7 2011.04.05 -
Avast 4.8.1351.0 2011.04.05 -
Avast5 5.0.677.0 2011.04.05 -
AVG 10.0.0.1190 2011.04.05 -
BitDefender 7.2 2011.04.05 -
CAT-QuickHeal 11.00 2011.04.05 -
ClamAV 0.97.0.0 2011.04.05 -
Commtouch 5.2.11.5 2011.03.24 -
Comodo 8233 2011.04.05 -
DrWeb 5.0.2.03300 2011.04.05 -
Emsisoft 5.1.0.5 2011.04.05 -
eSafe 7.0.17.0 2011.04.05 -
eTrust-Vet 36.1.8255 2011.04.05 -
F-Prot 4.6.2.117 2011.04.05 -
F-Secure 9.0.16440.0 2011.04.05 -
Fortinet 4.2.254.0 2011.04.05 -
GData 22 2011.04.05 -
Ikarus T3.1.1.103.0 2011.04.05 -
Jiangmin 13.0.900 2011.03.31 -
K7AntiVirus 9.96.4303 2011.04.05 -
Kaspersky 7.0.0.125 2011.04.05 -
McAfee 5.400.0.1158 2011.04.05 -
McAfee-GW-Edition 2010.1C 2011.04.05 -
Microsoft 1.6702 2011.04.05 -
NOD32 6017 2011.04.05 -
Norman 6.07.07 2011.04.05 -
Panda 10.0.3.5 2011.04.05 -
PCTools 7.0.3.5 2011.04.04 -
Prevx 3.0 2011.04.05 -
Rising 23.51.05.05 2011.04.02 -
Sophos 4.64.0 2011.04.05 -
SUPERAntiSpyware 4.40.0.1006 2011.04.05 -
Symantec 20101.3.2.89 2011.04.05 -
TheHacker 6.7.0.1.167 2011.04.05 -
TrendMicro 9.200.0.1012 2011.04.05 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.05 -
VBA32 3.12.14.3 2011.04.05 -
VIPRE 8930 2011.04.05 -
ViRobot 2011.4.5.4394 2011.04.05 -
VirusBuster 13.6.288.0 2011.04.05 -

Additional information

MD5 : b4957d508be8b9f68a76fdc2d89a3844
SHA1 : 4745f2725c3509eaa3b431d078720dea877309de
SHA256: 4809834eed7907d24ee64a046bbf07a91f3735026676d2ca75aff9388b652e9d
ssdeep: 3072:huAX+61fJkOHOH2btymPnXkAWq87NfIiHglKygFE7hu:huJ0f0WbtxPM1IiTygF

File size : 163840 bytes
First seen: 2009-07-01 15:55:39
Last seen : 2011-04-05 21:30:33
TrID:
Win64 Executable Generic (54.6%)
Win32 Executable MS Visual C++ (generic) (24.0%)
Windows Screen Saver (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
sigcheck:
publisher....: CANON INC.
copyright....: Copyright CANON INC. 2003 All Rights Reserved
product......: BJPSUNST.EXE
description..: BJPSUNST
original name: BJPSUNST.EXE
internal name: BJPSUNST
file version.: 1, 0, 0, 0
comments.....: BJPSUNST
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: Armadillo v1.71
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x356B
timedatestamp....: 0x4004353C (Tue Jan 13 18:13:16 2004)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1430E, 0x15000, 6.47, 79fe2b51d047930d3bc0b451496b7b76
.rdata, 0x16000, 0x4A3C, 0x5000, 4.62, 5749e3fb015af16cdb41e889887cb09e
.data, 0x1B000, 0x6F1C, 0x4000, 1.82, b350b45b0436ecf9a34212ea5881dff5
.rsrc, 0x22000, 0x8900, 0x9000, 4.54, f4ef2db2576614102bbd0668d470c882

[[ 8 import(s) ]]
KERNEL32.dll: GetCurrentDirectoryA, GetModuleHandleA, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, GetVersion, GetProcessVersion, SetErrorMode, FileTimeToSystemTime, FileTimeToLocalFileTime, TlsGetValue, GlobalFlags, LocalReAlloc, GetStartupInfoA, GetCommandLineA, ExitProcess, TerminateProcess, HeapFree, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, GetACP, GetTimeZoneInformation, GetCPInfo, TlsSetValue, RtlUnwind, FreeEnvironmentStringsW, GetOEMCP, LeaveCriticalSection, SystemTimeToFileTime, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetUnhandledExceptionFilter, GetDriveTypeA, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetPrivateProfileStringA, LoadLibraryA, DeleteFileA, GetLastError, RemoveDirectoryA, FreeLibrary, GetVersionExA, GetModuleFileNameA, MoveFileExA, GetWindowsDirectoryA, lstrcatA, EnterCriticalSection, GlobalReAlloc, GlobalUnlock, TlsFree, GlobalHandle, TlsAlloc, GlobalFree, DeleteCriticalSection, FindNextFileA, InitializeCriticalSection, LocalAlloc, lstrcpyA, GetFullPathNameA, GetVolumeInformationA, SetEndOfFile, GetProcAddress, FlushFileBuffers, UnlockFile, LockFile, ReadFile, SetFilePointer, WriteFile, SetLastError, GetCurrentProcess, DuplicateHandle, SetFileTime, SetFileAttributesA, CreateFileA, GetEnvironmentStrings, LocalFileTimeToFileTime, FindFirstFileA, WritePrivateProfileStringA, FindClose, lstrcpynA, GetFileTime, GetFileSize, GetFileAttributesA, LocalFree, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, CloseHandle, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, SetHandleCount, UnhandledExceptionFilter, FreeEnvironmentStringsA
USER32.dll: RegisterWindowMessageA, SetForegroundWindow, GetForegroundWindow, GetMessagePos, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, SetPropA, GetClassLongA, CreateWindowExA, DestroyWindow, DefWindowProcA, GetMenuItemID, GetSubMenu, GetMenu, RegisterClassA, GetClassInfoA, WinHelpA, GetTopWindow, CopyRect, GetClientRect, AdjustWindowRectEx, GetSysColor, MapWindowPoints, LoadIconA, GetSysColorBrush, DestroyMenu, SetWindowLongA, GetWindowPlacement, SystemParametersInfoA, ShowWindow, SetFocus, GetDlgItem, GrayStringA, DrawTextA, TabbedTextOutA, ReleaseDC, GetDC, GetMenuItemCount, GetWindowTextA, SetWindowTextA, GetWindow, GetDlgCtrlID, GetWindowRect, PtInRect, GetClassNameA, LoadCursorA, GetCapture, GetSystemMetrics, CharUpperA, wsprintfA, UnhookWindowsHookEx, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, IsIconic, SetWindowPos, MessageBoxA, EnableWindow, SetCursor, SendMessageA, PostQuitMessage, PostMessageA, GetDesktopWindow, LoadStringA, ClientToScreen, UnregisterClassA
GDI32.dll: SaveDC, SelectObject, GetStockObject, SetBkColor, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, DeleteObject, DeleteDC, GetDeviceCaps, RectVisible, TextOutA, PtVisible, Escape, ExtTextOutA, GetObjectA, RestoreDC, CreateBitmap
comdlg32.dll: GetFileTitleA
WINSPOOL.DRV: DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA
SHELL32.dll: SHGetSpecialFolderLocation, SHGetMalloc, SHGetPathFromIDListA, SHGetSpecialFolderPathA
COMCTL32.dll: -

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 86016
Comments: BJPSUNST
CompanyName: CANON INC.
EntryPoint: 0x356b
FileDescription: BJPSUNST
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 160 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 1, 0, 0, 0
FileVersionNumber: 1.0.0.0
ImageVersion: 0.0
InitializedDataSize: 86016
InternalName: BJPSUNST
LanguageCode: Japanese
LegalCopyright: Copyright CANON INC. 2003 All Rights Reserved
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename: BJPSUNST.EXE
PEType: PE32
ProductName: BJPSUNST.EXE
ProductVersion: 1, 0, 0, 0
ProductVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2004:01:13 19:13:16+01:00
UninitializedDataSize: 0


-------- Virus Total output -------- Finish --------


I suspect this is something to do with my Canon printer.
The date time stamp on the file itself would be about right for that as Canon drivers were installed just before the Voyager 105 USB modem.

Hopefully this means everything is now okay?

Blottedisk
2011-04-06, 02:04
Hi cyfyr,


Thanks for the clarification :bigthumb:


Then everything is fine. Let's run two last scans just to be more certain that there's nothing in there:


Step 1 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Step 2 | Let's perform an ESET Online Scan

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed anti-virus; how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html ).


Please go here (http://www.eset.com/onlinescan/ ) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)

cyfyr
2011-04-07, 01:26
Hi Blottedisk,

Followed the instructions for step 1 as follows ...

Downloaded the file from CNET
Internet Explorer showed the yellow warning bar ...
To help protect your security, Internet Explorer blocked this site from downloading files to your computer
I am never really sure when to bypass this warning.
I assume if it happens in response to something I have initiated then it should be reasonably safe.

Allowed the download, installed, allowed the database update, ran the quick scan ...

---------- First M-AM quick scan ---------- Start

Scan type: Quick scan
Objects scanned: 140792
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------- First M-AM quick scan ---------- Finish

From the name of the infected registry data item I guessed this was because I have switched off automatic windows update and also the notification about this

Switched this back on using ...
- Start > Control Panel > Security Center >
- - Resources (blue text on left panel)
- - - Change the way Security Centre alerts me

Re-ran the quick M-AM scan and this time no problems found (I think) ...

---------- Second M-AM quick scan ---------- Start

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6290

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06-04-2011 22:56:56
mbam-log-2011-04-06 (22-56-56).txt

Scan type: Quick scan
Objects scanned: 140737
Time elapsed: 1 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------- Second M-AM quick scan ---------- Finish

Ran full M-AM scan - also allowing it to scan the external USB drive(s) used to hold my data backup(s).
AVG Resident Shield notified me of a tracking cookie (...@revisc[1].txt) during this - ran a Spybot scan afterwards but nothing malicious found.

---------- M-AM full scan ---------- Start

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6290

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06-04-2011 23:23:17
mbam-log-2011-04-06 (23-23-17).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 185748
Time elapsed: 23 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------- M-AM full scan ---------- Finish

The ESET online scanner will be used tomorrow evening (Thr).
The PC will remain disconnected from the internet until then.
Many thanks again for your help.

cyfyr
2011-04-07, 23:44
Finally found time to action the instructions for step 2.
The log is as follows ...

---------- ESET scan ---------- Start

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=2e3f53989a2aff4a9bc6f2376ed4f4f4
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-07 09:17:22
# local_time=2011-04-07 10:17:22 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 451481 451481 0 0
# compatibility_mode=8192 67108863 100 0 300 300 0 0
# compatibility_mode=9217 16777193 100 67 442760 86619318 0 0
# scanned=30574
# found=0
# cleaned=0
# scan_time=2228

---------- ESET scan ---------- Finish

There were no warnings displayed either during or after the scan.

ESET did not uninstall afterwards and does not appear within the Control Panel "Add or Remove Programs" list.
I don't really want to leave it in place if not compatible with AVG so I assume I run its own uninstaller?
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

Hopefully this now means the PC is in a clean state of health?

Blottedisk
2011-04-08, 05:14
Good evening cyfyr,



From the name of the infected registry data item I guessed this was because I have switched off automatic windows update and also the notification about this

Switched this back on using ...
- Start > Control Panel > Security Center >
- - Resources (blue text on left panel)
- - - Change the way Security Centre alerts me

Re-ran the quick M-AM scan and this time no problems found (I think) ...


Yes, that item found by Malwarebytes has to do with the notifications from Security Centre - so everything is fine :bigthumb:



I don't really want to leave it in place if not compatible with AVG so I assume I run its own uninstaller?
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe


In fact ESET is compatible with AVG (it's just an online scanner, not a real-time antivirus; it does not run on your machine all the time). However, if you would like to uninstall its components from your machine, then OnlineScannerUninstaller.exe would be a good choice.


Alright, the Format was successful and now we can safely state that the machine is clean. Please follow this last procedure:


Step 1 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe ) to your desktop and run it
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Step 2 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )

Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

Step 3 | Now that you uninstalled the Zone Alarm suite, I don't see any evidence of a 3rd party firewall installed on your computer. As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders.

I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:

Comodo (http://personalfirewall.comodo.com/download_firewall.html ) (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
Online Armor Free (http://www.tallemu.com/downloads.php ) (Free version at bottom of page (XP/Vista/W7 (32bit).) 64bit version not available yet. Some reported conflicts with Avira AntiVir.
ZoneAlarm (http://download.cnet.com/ZoneAlarm/3000-10435_4-10039884.html ) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
Ashampoo (http://www.download.com/Ashampoo-FireWall/3000-10435_4-10575187.html )

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install, and have active, only one firewall at a time. If you install one of these firewalls, remember to turn off Windows' firewall.


Last Step | Now, in order to avoid future infections, please take time to read the following article:

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279 )

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :)
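As an added example that is not part of this thread (my own script, not Blottedisk's or Safer Networking's), the following PowerShell checks the two things the steps above change by hand: that only one Java runtime is still registered and its cache is empty (Step 2), and that exactly one firewall is active (Step 3). It assumes PowerShell 2.0 has been installed on XP SP3 (it is not present by default) and uses only the standard Uninstall and FirewallPolicy registry keys and the Security Center WMI classes; the productState bit test used on Vista and later is a widely relied-on but undocumented convention, and the Windows Firewall name filter is a precaution in case Security Center lists it alongside third-party products.

```powershell
# Added verification script, not part of the original thread. It checks the
# results of Step 2 and Step 3 above without changing anything. Assumes Windows
# XP SP3 with PowerShell 2.0 installed (not on XP by default); the same calls
# also work on Vista and later. Run from an Administrator PowerShell prompt.

function Get-InstalledJava {
    # Add/Remove Programs is built from these Uninstall keys. The Wow6432Node
    # key exists only on 64-bit Windows and is skipped when absent.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        Get-ChildItem $k |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
            Select-Object DisplayName, DisplayVersion, InstallLocation
    }
}

function Get-JavaCacheBytes {
    # The Java Control Panel's Temporary Internet Files live under the user's
    # Application Data on XP ($env:APPDATA) and under LocalLow on Vista and later.
    $dirs = (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'),
            (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache')
    $total = 0
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        $sum = (Get-ChildItem $d -Recurse -Force |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object Length -Sum).Sum
        if ($sum) { $total += $sum }
    }
    return $total
}

function Get-RegisteredFirewalls {
    # Third-party firewalls register with Security Center. XP exposes them in
    # root\SecurityCenter with a boolean 'enabled'; Vista and later use
    # root\SecurityCenter2 with a productState bitmask, where bit 0x1000 set
    # means "on" (undocumented but widely relied-on encoding; assumption).
    $ns = 'root\SecurityCenter'
    if (Get-WmiObject -Namespace root -Class __NAMESPACE -Filter "Name='SecurityCenter2'" -ErrorAction SilentlyContinue) {
        $ns = 'root\SecurityCenter2'
    }
    Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue | ForEach-Object {
        if ($ns -eq 'root\SecurityCenter') { $on = [bool]$_.enabled }
        else { $on = (($_.productState -band 0x1000) -ne 0) }
        New-Object PSObject -Property @{ Name = $_.displayName; Enabled = $on; Source = $ns }
    }
}

function Test-WindowsFirewallEnabled {
    # Per-profile switch for the built-in firewall. It filters inbound traffic
    # only, which is the limitation described in Step 3.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($p in 'StandardProfile', 'DomainProfile') {
        $v = Get-ItemProperty "$base\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($v -and $v.EnableFirewall -eq 1) { return $true }
    }
    return $false
}

# --- Step 2: exactly one Java runtime should remain, with an empty cache ---
$java = @(Get-InstalledJava)
"Java runtimes registered: $($java.Count)"
$java | Format-Table -AutoSize
if ($java.Count -gt 1) { Write-Warning 'More than one Java version is still installed; repeat the Add/Remove step.' }
"Java cache bytes on disk: $(Get-JavaCacheBytes)"

# --- Step 3: exactly one firewall should be active ---
$fw = @(Get-RegisteredFirewalls | Where-Object { $_.Enabled -and $_.Name -notmatch '^Windows Firewall' })
$xp = Test-WindowsFirewallEnabled
"Active third-party firewalls: $($fw.Count)"
$fw | Format-Table Name, Source -AutoSize
"Windows Firewall enabled: $xp"
$active = $fw.Count + [int]$xp
if ($active -eq 0)     { Write-Warning 'No firewall is active.' }
elseif ($active -gt 1) { Write-Warning 'More than one firewall is active; keep only one (see Step 3).' }
```

A zero cache byte count and a single Java entry confirm Step 2; for Step 3 the script warns both when nothing is filtering and when two products are active at once, which is the double-firewall situation the post tells you to avoid.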

cyfyr
2011-04-08, 22:52
Hi Blottedisk,

I checked the thread several times today before finally realising there was a second page containing your latest reply (!).
I confirm I have now read this and will be actioning the remaining steps over the weekend, so please keep the thread open a little longer.

Many thanks for your continued assistance.

Blottedisk
2011-04-09, 01:47
Hi cyfyr,


Then I will keep this thread open :)

cyfyr
2011-04-10, 01:40
If ESET can remain then I will keep it installed.
I can use this as an extra scan in conjunction with AVG and Spybot scans I perform to make sure the PC is clean before doing any kind of online banking.
Will also run Malwarebytes Anti-Malware and dds.scr and look for any suspicious differences since the last scan (as well as obvious warnings of infections and rootkits!)

Many thanks again for your help and further advice - it has all been gratefully received.
All of the steps have now been completed as follows ...

Step 1:
Ran OTC and allowed reboot
Both dds.scr and OTC itself were no longer present on the Desktop after reboot

Step 2:
Removed Java(TM) 6 Update 20
Confirmed no other Java related programs visible and rebooted
Installed Java(TM) 6 Update 24 and deleted the temporary files
Also switched off automatic updates - as with Windows updates I prefer to do these manually as then I know what is accessing the internet

Step 3:
Decided to upgrade to the latest Zone Alarm 9.2.105 to keep things reasonably familiar ... but ...

After the install it was not possible to launch ZA from the icon on the right of the Taskbar
Hovering the mouse over this displayed "Protection is up, UI is initializing"
Could not run ZA from the new desktop shortcut either
Zlclient could not be cancelled from Task Manager
Tried using MSCONFIG to disallow zlclient from the Startup tab but it made no difference and zlclient re-appeared within the Startup tab (I assume because this is its default preference when installed)
Eventually resolved this accidentally by using MSCONFIG Startup tab to disallow "jusched" (java update schedule)
Unfortunately the fix did not "last" and the problem returned even when jusched was disallowed

A second problem also exists in that when already connected to the internet my initial attempt to click a link to (e.g. Google) hangs for 10-15 seconds then fails (though refresh and further attempts are usually okay).
My investigations last year found this problem was introduced after ZA 7.0.483.000 (which I was previously using) but I was not able to solve it.

Decided to put the old version back for now as it's better than nothing and does give me a working internet stop.

Last step:
Looked at the "How did I get infected" article and actioned the main points as follows ...
1: Will not be using peer-to-peer.
2: Will be keeping Windows updated - albeit manually under my control.
3: Java will be updated as for Windows.
4: The IE settings have been checked - only one of them needed adjusting.
5: Spyware Blaster 4.4 has been installed, updated and the various protections enabled.
6: Confirmed Spybot has applied immunization.
7: Read the firewall comparisons and will give Comodo or Outpost a try in the near future.
- For now though it's the old-but-usable ZA with internet lock.
8: Anti-virus will remain with AVG in order to get verdict icons on search engine results.

Will also be looking at WOT, Process Explorer and Process Monitor recommended later in the thread and generally get myself better educated on these kind of issues !


Does this now mean the PC is both clean and safe?

Blottedisk
2011-04-10, 03:10
Hi cyfyr,


You are welcome :bigthumb:


Nice security set-up. With those programs, configuration and safe networking practices I doubt you will ever get infected again :)


Regarding ZA, it seems it's a software issue. You can try Comodo or Outpost (I've used both and they are nice). Or, you can ask for help on that ZA issue. I'd recommend you a forum that we work hand in hand with: WhattheTech (http://forums.whatthetech.com/index.php?showforum=124). Like Safer Networking, it's free, and you will need to create an account to ask for help.


The format was successful, and your computer is now clean and safe.

cyfyr
2011-04-10, 20:17
Great stuff!

Thanks for the forum recommendation.
I may well progress the ZA issue in the near future depending on how I take to Comodo etc.

I will just say a final THANK YOU for your help.
Looking round the Spybot forums I am very impressed by the level of knowledge that is evident but even more impressed by the team's dedication in giving of their time to help people out.
This being so I have made a small PayPal donation to help fund the work.

THANKS again and please feel free to close the thread.
cyfyr.

Blottedisk
2011-04-10, 21:01
You are welcome cyfyr - Thanks for considering a donation to the site :bigthumb:


Take Care,
Blottedisk.


Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.