yet another click.giftload, please help



Lex33
2011-04-12, 17:55
Thank you in advance, you certainly have been busy lately.
The strange thing is that I NEVER saw any symptoms until I ran Spybot for the first time, just to check my computer; it found stuff. Here is the original report:

--- Report generated: 2011-04-12 08:43 ---

Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

DoubleClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Statcounter: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
WebTrends live: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CoreMetrics: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Adviva: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Tradedoubler: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Tradedoubler: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Adviva: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Tradedoubler: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Clickbank: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
HitsLink: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Tradedoubler: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)
Statcounter: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
BurstMedia: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)
Statcounter: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)


***************************************

Spybot found the Click.GiftLoad, claimed to have removed it, and on an immediate rescan claims all is clean, but a restart will show it again. Here is the next report, from running it again after the restart:


--- Report generated: 2011-04-12 09:46 ---

Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

DoubleClick: Tracking cookie (Internet Explorer: Alex) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Alex (default)) (Cookie, fixed)


******************************************
******************************************

Here is DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Alex at 10:19:49.75 on Tue 04/12/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1031 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {0999A73F-2CF1-4E10-84EA-B19A97A475B2}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\National Instruments\Shared\NI WebServer\SystemWebServer.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM13Mon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe
C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
C:\WINDOWS\system32\nipxism.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\VXIPNP\WinNT\NIvisa\niLxiDiscovery.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Alex\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = phproxy1:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\alex\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NI Background Service] c:\program files\national instruments\shared\update service\niupdate.exe
mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alex\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\alex\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243446752109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\33x53y5m.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\alex\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\alex\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\alex\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\alex\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\alex\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv2010win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nplv90win32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\alex\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2010-3-24 15448]
R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [2010-6-21 58504]
R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [2010-6-21 42136]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-1-12 218176]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2010-3-24 12696]
R2 NIApplicationWebServer;NI Application Web Server;c:\program files\national instruments\shared\ni webserver\ApplicationWebServer.exe [2010-6-22 47776]
R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2007-4-16 37376]
R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2007-4-16 21504]
R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [2007-4-16 674304]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2010-3-24 12696]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2007-4-16 50688]
R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\vxipnp\winnt\nivisa\niLxiDiscovery.exe [2010-6-23 131776]
R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2010-7-30 194224]
R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2007-4-16 30208]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2010-6-14 11416]
R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [2007-4-16 111616]
R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [2010-6-17 19608]
R2 nitsuu;nitsuu;c:\windows\system32\nipalsm.exe [2010-3-24 12696]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2010-6-23 11432]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-9-3 444224]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-5 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2008-11-26 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2008-11-26 36432]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2010-6-11 11432]
R3 NIEthernetDeviceEnumerator;NI Ethernet Device Enumerator Driver;c:\windows\system32\drivers\niede.sys [2010-11-19 32432]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2009-8-24 11360]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2010-7-11 11944]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-1-19 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-1-19 43608]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-1-19 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-1-19 235840]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-11-18 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-17 135664]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-19 30192]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2008-12-5 20104]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2010-6-21 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2010-6-21 11344]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2010-6-21 22608]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2009-12-15 17480]
S3 ni5690k;ni5690k;c:\windows\system32\drivers\ni5690kl.sys [2009-11-4 11328]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2010-7-2 11352]
S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [2010-7-22 11952]
S3 nicondrk;nicondrk;c:\windows\system32\drivers\nicondrkl.sys [2010-7-22 11912]
S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2010-7-22 11920]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2010-7-16 11920]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2010-7-12 11928]
S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [2010-2-19 11360]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2010-7-22 11920]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2010-7-19 11920]
S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [2009-12-3 11864]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2010-7-16 11976]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2010-3-24 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2010-3-24 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2010-7-11 11952]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2010-7-14 11944]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2010-6-30 11968]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2010-6-30 11968]
S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [2010-5-6 11392]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2010-6-14 21144]
S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [2010-7-22 11912]
S3 niRFSA2k;niRFSA2k;c:\windows\system32\drivers\niRFSA2kl.sys [2010-6-21 11328]
S3 niRFSGk;niRFSGk;c:\windows\system32\drivers\niRFSGkl.sys [2009-12-9 11328]
S3 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [2010-7-31 32392]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2010-7-12 11960]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2010-7-24 11936]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2010-7-14 11928]
S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [2009-6-18 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2010-7-12 11960]
S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [2010-6-4 11424]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2010-7-19 11920]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2009-1-5 11312]
S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [2010-7-12 11912]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2009-8-31 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2010-7-13 11912]
S3 niSynck;niSynck;c:\windows\system32\drivers\niSynckl.sys [2010-8-26 11408]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2010-7-12 11944]
S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [2009-12-9 11328]
S3 nitsuk;nitsuk;c:\windows\system32\drivers\nitsukl.sys [2010-8-26 11424]
S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2010-7-22 11944]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2010-6-23 11432]
S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [2009-8-14 28256]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2010-7-19 11920]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2010-7-22 11920]
S3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-1-19 141376]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2011-1-13 131888]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]
.
=============== Created Last 30 ================
.
2011-04-12 12:58:26 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-12 12:49:22 -------- d-----w- c:\windows\system32\Shared Memory
2011-04-12 11:34:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-12 11:34:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-08 15:48:49 -------- d-sh--w- c:\documents and settings\alex\IECompatCache
2011-03-19 10:57:17 -------- d-----w- c:\docume~1\alex\applic~1\DDMSettings
2011-03-17 12:24:31 -------- d-----w- c:\docume~1\alex\applic~1\Dropbox
.
==================== Find3M ====================
.
2011-02-12 15:55:24 315392 ----a-w- c:\windows\HideWin.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-06 13:12:20 102400 ----a-w- c:\windows\RegBootClean.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_ rev.0085 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89E56439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89e5c7d0]; MOV EAX, [0x89e5c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A81B840]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000a2[0x8A7B4F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A81C030]
\Driver\iaStor[0x8A7F88F0] -> IRP_MJ_CREATE -> 0x89E56439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHZ2160BH_G2____________________00850009#4&6047958&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10:23:23.10 ===============

Edit
Hello Lex33,

Is this a business, corporate, institutional computer or used in that environment?
------------------------------------
------------------------------------
It is a personal laptop, I do research in engineering, I use my computer a lot for work.

I am thinking of just throwing the latest backup image of the system on there. No real new software since, just updates of all the usual stuff.

Or is this salvageable in a clean/simple way?

Thanks,

--lex

Thanks, OK, so someone else might be able to help? Or would you recommend just throwing the backup image on?

--lex

I guess I should also mention that I do work with a university. Which would be institution.

I do not believe that applies to me, thank you though.
Is there anyone else who can help?
Update:
I put an older image (6 months old) of my system on my drive and this problem did not go away. HOW is that possible? The problems first showed up today, so the old image should not have any of this. Could the virus install itself on my data partition and reinstall on the system on startup? Please help.
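The Gmer section of the DDS log above is the important finding in this post: the MBR read through the user-mode path differs from the one the kernel path returns, a run of sectors near the end of the disk differs too, and the disassembled sector 0 contains a rotate-based self-decryption loop before it continues booting. Both the MBR and the unallocated sectors after the last partition sit outside any partition, which is why a partition-level image restore does not necessarily touch them. The following is an added example, not code from the thread or from Gmer: an offline model of those checks that parses a constructed MBR, diffs two views of the same sectors, and carries the disassembled ROR loop through on a sample. The disk size is the one reported in the log; the partition layout, sample boot code and tail-sector contents are constructed, and the loop is assumed to close with LOOP because the log's disassembly is cut off at INC BP.

```python
"""
Offline model of the checks behind the Gmer lines in the DDS log above:
  "user != kernel MBR !!!"  and  "sectors 312581806 (+255): user != kernel".
A bootkit that hooks the disk stack (the log shows the iaStor miniport hooked
at IRP_MJ_CREATE) can return a clean sector 0 through the ordinary read path
while the sector on the platter holds its loader, and can park data in the
unallocated sectors after the last partition. Reading the same LBAs through
two paths and diffing them exposes both. Every disk image here is constructed.
"""
import struct

SECTOR = 512
PT_OFFSET = 446            # partition table starts at byte 446 of the MBR
BOOT_SIG = b"\x55\xaa"     # final two bytes of a valid MBR
LOAD_BASE = 0x600          # the MBR copies itself 0x7C00 -> 0x600 (REP MOVSB in the log)
PTE = "<B3xB3xII"          # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_mbr(sector0: bytes) -> dict:
    """Split an MBR into boot code and the in-use partition entries."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector0[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        entry = sector0[PT_OFFSET + 16 * slot:PT_OFFSET + 16 * (slot + 1)]
        status, ptype, start, count = struct.unpack(PTE, entry)
        if ptype:                                   # type 0 means an empty slot
            parts.append({"slot": slot, "bootable": status == 0x80,
                          "type": ptype, "lba_start": start, "lba_count": count})
    return {"boot_code": sector0[:PT_OFFSET], "partitions": parts}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from boot code and (type, lba_start, lba_count, bootable) tuples."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(struct.pack(PTE, 0x80 if bootable else 0, ptype, start, count)
                     for ptype, start, count, bootable in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIG


def unallocated_tail(partitions, total_sectors: int):
    """Half-open LBA range after the last partition: where a bootkit can hide data."""
    end = max((p["lba_start"] + p["lba_count"] for p in partitions), default=1)
    return end, total_sectors


def compare_views(user_view: dict, kernel_view: dict, total_sectors: int) -> list:
    """Diff two LBA->sector maps of the same disk; an empty list means the views agree."""
    findings = []
    u, k = parse_mbr(user_view[0]), parse_mbr(kernel_view[0])
    if u["boot_code"] != k["boot_code"]:
        findings.append("user != kernel MBR (boot code differs)")
    if u["partitions"] != k["partitions"]:
        findings.append("user != kernel MBR (partition table differs)")
    first, last = unallocated_tail(k["partitions"], total_sectors)
    shared = sorted(lba for lba in user_view if lba in kernel_view and first <= lba < last)
    bad = [lba for lba in shared if user_view[lba] != kernel_view[lba]]
    if bad:   # same shape as the Gmer line: first differing LBA, then how many more
        findings.append(f"sectors {bad[0]} (+{len(bad) - 1}): user != kernel")
    return findings


def ror8(b: int, n: int) -> int:
    """ROR r/m8, CL: only n % 8 matters for a byte."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF if n else b


def rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF if n else b


def _rotate_run(sector: bytes, rotate, start: int, length: int) -> bytes:
    """MOV CX,length; MOV BP,start; ROR [BP],CL; INC BP; LOOP (LOOP assumed: the log cuts off)."""
    out = bytearray(sector)
    bp, cx = start - LOAD_BASE, length          # BP addresses the copy at 0x600
    while cx:                                   # LOOP repeats while CX != 0
        out[bp] = rotate(out[bp], cx & 0xFF)    # CL is the low byte of the counter
        bp += 1
        cx -= 1
    return bytes(out)


def decode_stub(sector: bytes, start: int = 0x62A, length: int = 0x147) -> bytes:
    """What the disassembled loop does to the loaded MBR before running the rest of it."""
    return _rotate_run(sector, ror8, start, length)


def encode_stub(sector: bytes, start: int = 0x62A, length: int = 0x147) -> bytes:
    """Inverse of decode_stub; used only to construct the sample below."""
    return _rotate_run(sector, rol8, start, length)


def demo() -> dict:
    """Constructed scenario modelled on the log's disk: 312581806 sectors, one partition."""
    total = 312581806
    parts = [(0x07, 63, 312576000, True)]        # assumed NTFS layout, not from the log
    # XOR AX,AX; MOV SS,AX; MOV SP,0x7C00 (33 C0 8E D0 BC 00 7C), then filler NOPs.
    clean_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PT_OFFSET - 7)
    payload = bytes((7 * i + 3) & 0xFF for i in range(0x147))   # stand-in loader body
    infected_code = clean_code[:0x2A] + payload + clean_code[0x2A + 0x147:]
    clean = build_mbr(clean_code, parts)
    infected = encode_stub(build_mbr(infected_code, parts))      # as it sits on the platter
    user_view, kernel_view = {0: clean}, {0: infected}           # hook shows the clean copy
    for lba in range(312581550, 312581806):     # 256 tail sectors past the partition
        user_view[lba] = b"\x00" * SECTOR        # hook returns zeros
        kernel_view[lba] = b"\xAA" * SECTOR      # real content differs
    return {"findings": compare_views(user_view, kernel_view, total),
            "tail": unallocated_tail(parse_mbr(clean)["partitions"], total),
            "decoded_payload": decode_stub(infected)[0x2A:0x2A + 0x147],
            "payload": payload}


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(line)
```

On a real machine the two maps would be filled by reading the same LBAs through a normal volume handle and through a lower-level path the hook does not cover; the comparison itself, and the fact that the interesting bytes lie at LBA 0 and in the tail beyond the last partition, is what this model shows.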

Dakeyras
2011-04-15, 21:54
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 9 <- We will update this in due course.
DAEMON Tools Lite
Java(TM) 6 Update 22 <- We will update this in due course.
Java(TM) 6 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
SearchAssist

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Scan with aswMBR:

Please download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double-click aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the "Scan" button to start the scan.


http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

Note: There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).

When you have completed the above, please post back the following in the order asked for:

How is your computer performing now, any further symptoms and or problems encountered?
aswMBR Log.

Dakeyras
2011-04-18, 23:00
Due to the lack of feedback this Topic is closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.