Hello,
First of all i'm sorry for my bad english..
Spybot discovers Click.GiftLoad and removes it but it reappears again and again..
Thank you for helping me

DDS (Ver_11-03-05.01) - NTFSx86
Run by BC at 22:16:25,32 on 27/03/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1015.376 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Emsisoft Anti-Malware *Disabled/Outdated* {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\syncables\syncables desktop\Syncables.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\syncables\syncables desktop\MigoMapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\BC\Bureau\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {b922d405-6d13-4a2b-ae89-08a030da4402} - pdfforge Toolbar
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Syncables] c:\program files\syncables\syncables desktop\Syncables.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe" /d=60
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\bc\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xporter vers Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\bc\applic~1\mozilla\firefox\profiles\jhp5aamw.default\
FF - prefs.js: keyword.URL - hxxp://fr.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: SortPlaces: sortplaces@andyhalford.com - %profile%\extensions\sortplaces@andyhalford.com
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: CookieCuller: {99B98C2C-7274-45a3-A640-D9DF1A1C8460} - %profile%\extensions\{99B98C2C-7274-45a3-A640-D9DF1A1C8460}
FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach
.
============= SERVICES / DRIVERS ===============
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-5-10 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-5-10 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2008-9-24 103792]
R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2011-3-23 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2011-3-23 11776]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-26 11608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-5-10 25584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-3-24 532224]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2008-12-11 125424]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-3-23 2964312]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2010-1-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-26 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-26 61960]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-3-19 203248]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-3-23 73728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-10 113664]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]
S2 AMService;AMService; [x]
S2 Norton Internet Security;Norton Internet Security; [x]
S3 NAVENG;NAVENG; [x]
S3 NAVEX15;NAVEX15; [x]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-5-10 160256]
S3 Rts516xIR;Realtek IR Driver; [x]
.
=============== Created Last 30 ================
.
2011-03-25 18:07:43 -------- d-----w- c:\program files\ESET
2011-03-25 00:36:42 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-03-25 00:36:36 267112 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-03-25 00:36:36 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-03-25 00:36:35 213864 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-03-24 21:12:53 -------- d-----w- c:\program files\CheckPoint
2011-03-24 21:10:27 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-03-24 21:10:17 -------- d-----w- c:\windows\system32\ZoneLabs
2011-03-24 21:09:54 -------- d-----w- c:\program files\Zone Labs
2011-03-24 21:08:56 -------- d-----w- c:\windows\Internet Logs
2011-03-24 21:04:13 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-03-24 21:04:13 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-03-24 21:04:12 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-03-24 21:04:11 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-03-24 21:03:45 -------- d-----w- c:\program files\Trojan Remover
2011-03-24 19:14:13 -------- d-----w- c:\docume~1\bc\applic~1\EurekaLog
2011-03-23 21:54:19 -------- d-----w- c:\program files\Emsisoft Anti-Malware
.
==================== Find3M ====================
.
2011-02-09 13:54:09 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54:09 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 20:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 18:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:59:09 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:12 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04:24 1855104 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160314AS rev.0003HPM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x8652B439]<<
c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865317d0]; MOV EAX, [0x8653184c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86543AB8]
3 CLASSPNP[0xF75E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86544918]
5 SahdIa32[0xF7609939] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8657BB00]
\Driver\atapi[0x865678C8] -> IRP_MJ_CREATE -> 0x8652B439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160314AS_____________________________0003HPM1#56353143595a4852202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8652B27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !


:thanks:

Hi Bcath,


Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps

Please read the following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim )
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm )


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063 )
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html )

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Click the image to enlarge it

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).


Step 2 | This next program is needed to remove the remaining malware entries I see. However, AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the infection.

After uninstalling AVG from the Control Panel, also run the AVG remover tool from their site (download AVG Remover 32bit).

http://www.avg.com/us-en/download-tools

You may also use this AppRemover to uninstall AVG:
http://www.appremover.com

AppRemover tutorial:
http://www.appremover.com/about/using-appremover.html


After uninstalling AVG, please download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

As requested, here's the log in zipped file...

and combofix....

When the computer reboot after the scan, there was two messages which indicate that REGT.cfxxe and regedit.exe encountered error

Thanks a lot for your help

Hi Bcath,


Well done. How's the machine running now?


Before we continue, one word of advise - You are using peer-to-peer programs, specifically BitTorrent. These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do. If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.


Please follow these steps:


Step 1 | ComboFix - CFScript

WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:


DDS::
uInternet Settings,ProxyOverride = *.local
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif

This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 2 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html )

Run the installer.
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:


http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png

Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.

Step 3 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Hi,
Step 1 done..
ComboFix 11-03-29.01 - BC 30/03/2011 9:35.2.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1015.585 [GMT 2:00]
Lancé depuis: c:\documents and settings\BC\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\BC\Bureau\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Emsisoft Anti-Malware *Disabled/Updated* {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Une copie infectée de c:\windows\system32\userinit.exe a été trouvée et désinfectée
Copie restaurée à partir de - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-02-28 au 2011-03-30 ))))))))))))))))))))))))))))))))))))
.
.
2011-03-27 20:13 . 2011-03-27 20:13 -------- d-----w- c:\program files\ERUNT
2011-03-25 18:07 . 2011-03-25 18:07 -------- d-----w- c:\program files\ESET
2011-03-25 00:36 . 2010-10-07 18:06 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-03-25 00:36 . 2010-10-07 18:06 267112 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-03-25 00:36 . 2010-10-07 18:06 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-03-25 00:36 . 2010-10-07 18:06 213864 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-03-24 21:12 . 2011-03-24 21:12 -------- d-----w- c:\program files\CheckPoint
2011-03-24 21:11 . 2011-02-18 16:28 104448 ----a-w- c:\windows\system32\zlcommdb.dll
2011-03-24 21:11 . 2011-02-18 16:28 69120 ----a-w- c:\windows\system32\zlcomm.dll
2011-03-24 21:10 . 2011-02-18 16:28 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-03-24 21:10 . 2011-03-24 21:14 -------- d-----w- c:\windows\system32\ZoneLabs
2011-03-24 21:09 . 2011-03-24 21:09 -------- d-----w- c:\program files\Zone Labs
2011-03-24 21:08 . 2011-03-30 10:36 -------- d-----w- c:\windows\Internet Logs
2011-03-24 21:05 . 2011-03-26 16:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-24 21:04 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-03-24 21:04 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-03-24 21:04 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-03-24 21:04 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-03-23 21:54 . 2011-03-30 10:36 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-29 22:52 . 2011-03-29 22:52 4699 ----a-w- C:\ComboFix.zip
2011-02-17 18:34 . 2010-01-26 21:26 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 13:54 . 2011-02-09 13:54 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2011-02-09 13:54 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 20:40 . 2010-04-20 08:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 18:19 . 2010-11-11 20:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:59 . 2011-02-02 07:59 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-01-27 11:57 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2011-01-21 14:44 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2011-01-07 14:09 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04 . 2010-12-31 14:04 1855104 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-29_22.17.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-30 08:00 . 2011-03-30 08:00 16384 c:\windows\temp\Perflib_Perfdata_5b4.dat
+ 2011-03-30 06:49 . 2011-03-30 06:49 221184 c:\windows\ERDNT\AutoBackup\30-03-2011\Users\00000002\UsrClass.dat
+ 2011-03-30 06:49 . 2005-10-20 10:02 163328 c:\windows\ERDNT\AutoBackup\30-03-2011\ERDNT.EXE
+ 2011-03-30 06:48 . 2011-03-30 06:49 10043392 c:\windows\ERDNT\AutoBackup\30-03-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\eraser.exe" [2009-06-10 334224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-01 173360]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-10-29 249064]
"a-squared"="c:\program files\EMSISOFT ANTI-MALWARE\a2guard.exe" [2011-03-10 3438992]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-02-18 1043968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\BC\Menu D‚marrer\Programmes\D‚marrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [10/05/2009 16:44 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [10/05/2009 16:44 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [24/09/2008 22:09 103792]
R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [23/03/2011 23:54 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [23/03/2011 23:54 11776]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [10/05/2009 16:44 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [11/12/2008 22:46 125424]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [23/03/2011 23:54 2964312]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [26/01/2010 23:26 135336]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [19/03/2009 12:04 203248]
R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [23/03/2011 23:54 73728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/05/2009 16:39 113664]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [02/03/2009 23:03 38912]
S2 AMService;AMService; [x]
S2 Norton Internet Security;Norton Internet Security; [x]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/05/2009 16:40 160256]
S3 Rts516xIR;Realtek IR Driver; [x]
.
Contenu du dossier 'Tâches planifiées'
.
2011-03-30 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2011-03-27 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2011-03-26 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2011-03-26 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-16 20:12]
.
2011-03-30 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-03-19 10:05]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_fr&c=91&bd=Pavilion&pf=cnnb
IE: E&xporter vers Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\BC\Application Data\Mozilla\Firefox\Profiles\jhp5aamw.default\
FF - prefs.js: keyword.URL - hxxp://fr.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: SortPlaces: sortplaces@andyhalford.com - %profile%\extensions\sortplaces@andyhalford.com
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - Ext: CookieCuller: {99B98C2C-7274-45a3-A640-D9DF1A1C8460} - %profile%\extensions\{99B98C2C-7274-45a3-A640-D9DF1A1C8460}
FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 12:36
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(1076)
c:\program files\Emsisoft Anti-Malware\a2hooks32.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\MPR.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\idt\wdm\STacSV.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\syncables\syncables desktop\jre\bin\javaw.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\syncables\syncables desktop\MigoMapi.exe
c:\program files\Roxio\BackOnTrack\Instant Restore\UINotification.exe
.
**************************************************************************
.
Heure de fin: 2011-03-30 12:43:13 - La machine a redémarré
ComboFix-quarantined-files.txt 2011-03-30 10:43
ComboFix2.txt 2011-03-29 22:23
.
Avant-CF: 6*696*783*872 octets libres
Après-CF: 6*880*641*024 octets libres
.
- - End Of File - - 8F55184E68C181C364EDE202BF7D5B16

Step2 done and
finally step 3:
Unable to update malwarebytes'anti-Malware
(I have shut down Zone alarm but it doesn't work...)
Quick scan done

Malwarebytes' Anti-Malware 1.17
Version de la base de données: 846

14:15:40 30/03/2011
mbam-log-3-30-2011 (14-15-40).txt

Type de recherche: Examen rapide
Eléments examinés: 36424
Temps écoulé: 7 minute(s), 46 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 1
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

Thanks

About bittorrent, shall I desintall it now or after the problem was solved ?

Thanks

Hi,


It's gonna be better if you uninstall BitTorrent when we finish.

How's the machine running?

Please follow these steps:


Step 1 | Not only your Malwarebyte's Antimalware version is out of date, but also it's database version, so this won't be of any use. Please uninstall Mlawarebyte's Antimalware, restart the machine, and then download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


Step 2 | Let's perform an ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html ).


Please go here (http://www.eset.com/onlinescan/ ) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)

Hi,

The computer starts a little bit slower than usual as well as mozilla firefox the only software i use since the beginning of your help..

During the 2 steps, a warning message appears which inform me that RoxioBackOnTrack and Windows restoring system are activated ...

What should i do?

Thanks
I 'll post the logs when eset will finish the scan

Is this message from Malwarebyte's Antimalware or from ESET? Can you take a picture of it and attach it here?

Here's the logs

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Version de la base de données: 6219

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

30/03/2011 22:26:39
mbam-log-2011-03-30 (22-26-39).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 143083
Temps écoulé: 9 minute(s), 9 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 2
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\A9YA3MI1CF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\KCSCPW1HKH (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

and

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=e21b9e5dd3491f4dbc44834e697ae210
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-26 06:16:29
# local_time=2011-03-26 07:16:29 (+0100, Paris, Madrid)
# country="France"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 438068 75969960 157509 0
# compatibility_mode=8192 67108863 100 0 4133 4133 0 0
# compatibility_mode=9217 16777214 75 70 79242 3036460 0 0
# scanned=104205
# found=8
# cleaned=8
# scan_time=43211
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Fichiers communs\Spigot\Search Settings\SearchSettings.exe Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Fichiers communs\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Rollback Data\Restore\Current\44632\25\Target\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Rollback Data\Restore\Current\44632\25\Target\Program Files\Fichiers communs\Spigot\Search Settings\SearchSettings.exe Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Rollback Data\Restore\Current\44632\25\Target\Program Files\Fichiers communs\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Rollback Data\Restore\Current\44632\25\Target\Program Files\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=e21b9e5dd3491f4dbc44834e697ae210
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-31 02:14:47
# local_time=2011-03-31 04:14:47 (+0100, Paris, Madrid (heure d'été))
# country="France"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775145 100 100 878290 76410182 594131 0
# compatibility_mode=8192 67108863 100 0 444355 444355 0 0
# compatibility_mode=9217 16777214 75 70 519464 3476682 0 0
# scanned=100837
# found=0
# cleaned=0
# scan_time=20487

Hi
the warning message comes from the task bar (bottom of my screen)

Hi Bcath,


How's the machine running now?

Hi,
Everything seems to be allright
No redirect windows appears in mozilla firefox
When I boot, there was a choice between recory console and windows xp.
What should I do with this ?
Thanks

Here's a image of warning message attached

Hi Bcath,


When I boot, there was a choice between recory console and windows xp.


This is because the Recovey Console is installed in your machine. This eliminates the need for the XP CD in case you can't boot to Windows in the future.

So, just choose the Windows XP option every time you turn the computer on.


Ok, we are done. Please follow these last steps:

Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


Step 2 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Step 3 | Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
Download the latest version of Adobe Reader Version X (http://get.adobe.com/reader/?promoid=BUIGO ). and save it to your desktop.
Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
Click the download button at the bottom.
If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
If you are unsure of how to use Add or Remove Programs, the please see this tutorial: How To Remove An Installed Program From Your Computer (http://www.bleepingcomputer.com/forums/topic42133.html )
Then from your desktop double-click on Adobe Reader to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the "Adobe Setup - Welcome" window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
Click on Help and select Check for Updates.
A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
In the window that opens click Install.
Once the update is done click Close.
Your Adobe Reader is updated now.

Last Step | Now, in order to avoid future infections, please take time to read the following article:

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279 )

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :

Thanks a lot
It was a pleasure
:thanks::thanks:

Bcath

You are welcome :)

Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.