Rootkit.ZeroAccess windows pop up (TCP/IP)



sabinoing
2012-04-17, 17:55
Hello again.

Following instructions here I post the files required for a problem with AVG Identity Protection. First of all I must indicate that I have used Combofix and got a message that says "the rootkit has inserted into the TCP/IP stack". Also used TDSSKiller, Yorkyt, RootKit Remover... and it seems that the other windows of Generic27 have disappeared, but now there is always a warning window from AVG IdP that if it is closed, another one takes its place, but referring to a different dll of System32.

Thanks a lot in advance for your help and I am at your disposal for whatever you require.

Best regards.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Rafa at 16:41:14 on 2012-04-17
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.3062.2503 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\ARCHIV~1\AVG\AVG2012\avgrsx.exe
C:\Archivos de programa\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Archivos de programa\AVG\AVG2012\avgwdsvc.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Archivos de programa\DellTPad\Apoint.exe
C:\Archivos de programa\Dell\QuickSet\quickset.exe
C:\Archivos de programa\AVG\AVG2012\avgtray.exe
C:\Archivos de programa\DellTPad\ApMsgFwd.exe
C:\Archivos de programa\D-Link\DIR-457 USB Modem\DIR-457 Monitor.exe
C:\Archivos de programa\Archivos comunes\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Archivos de programa\DellTPad\HidFind.exe
C:\Archivos de programa\DellTPad\Apntex.exe
C:\archivos de programa\real\realplayer\update\realsched.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Adobe\Reader 10.0\Reader\Reader_sl.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.es/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\archivos de programa\outlook express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\datos de programa\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\archivos de programa\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\archivos de programa\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\archivos de programa\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\archivos de programa\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM] "c:\archivos de programa\archivos comunes\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\archivos de programa\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\archivos de programa\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\archivos de programa\delltpad\Apoint.exe
mRun: [Dell QuickSet] c:\archivos de programa\dell\quickset\quickset.exe
mRun: [AVG_TRAY] "c:\archivos de programa\avg\avg2012\avgtray.exe"
mRun: [DIR-457 Monitor] c:\archivos de programa\d-link\dir-457 usb modem\DIR-457 Monitor.exe start
mRun: [RIMBBLaunchAgent.exe] c:\archivos de programa\archivos comunes\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\archivos de programa\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\archivos de programa\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} - hxxps://www2.agenciatributaria.gob.es/ES13/h/CACTIVEX.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{BC06D450-6A67-4DBB-92D8-10009B450A44} : DhcpNameServer = 192.168.0.241 212.142.144.66 212.142.144.98
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\archivos de programa\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\archivos de programa\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;WatchDog de AVG;c:\archivos de programa\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2010-1-13 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2010-1-13 43608]
S0 cerc6;cerc6; [x]
S2 AGV;HIDSwvd;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 antivirscheduler;Prohlp02;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 antivirservice;Mwsarcpkt;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avfilter;Mwssched;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avg7alrt;Epsonbidirectionalservice;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avgcoresvc;Utscsi;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avgems;Vmauthdservice;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avgfwsrv;Vulfntrs;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avgntflt;CTDevice_Srv;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 avhook;Raidmagt;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 aw_host;EU3_USB;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 awlegacy;TOSHIBASoftModem;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 BRGSp50;Slapd-data52;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ca-messagequeuing;AsIO;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 caisafe;ProcObsrv;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ccproxy;STEC3;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ccsetmgr;Ehsched;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 clientservice;Rismxdp;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 cmdagent;Stylexphelper;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 CTMMOUNT;Ikhfile;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 CTMSHD;Datasvr;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 DirectUpdate;ASNDIS5;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 DivisCTS;Winachcf;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ghostsec;AffinegyService;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 gupdate;Servicio Google Update (gupdate);c:\archivos de programa\google\update\GoogleUpdate.exe [2010-1-13 135664]
S2 GV600_4;Susbser;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ikfileflt;Aeclienthostservice;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ikfilesec;Bh611;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 iksysflt;Rt2500;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 iksyssec;Kl1;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 kavsvc;WavxDMgr;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 LMIRfsDriver;NITaggerService;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 LRMINIPORT;AlteraByteBlaster;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mcdetect.exe;TryAndDecideService;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mcproxy;Udfreadr_xp;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mctskshd.exe;Brmfrmps;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mcusrmgr;Gameenum;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mferkdk;Tosrfec;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mksupdateint;Mcnasvc;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 mksvirmonsvc;Mpfirewl;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 navapel;Stltrk2k;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 navapsvc;Retrolauncher;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 naveng;{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 navex15;Si3132r5;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ndasbus;Machnm32;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ndasscsi;Sglfb;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 nod32krn;Wacomkey;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ofcservice;StkAMini;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 pavagente;Gv3;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 pavprsrv;GTPTSER;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 pctavsvc;P17xfilt;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 pctfw1;TPM;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 pctoolsfirewallplus;Akshhl;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 RalinkRegistryWriter;Ati;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 regdefend;Rdpdd;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 S3GIGP;ICM10USB;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 savrt;Lpx;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 savrtpel;Nimcdlbk;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 savscan;AtiPcie;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 sbservice;Belgium_id_card_service;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 sdcoreservice;Cmigameport;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 vet-rec;AppnApi;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 veteboot;Mqdmbus;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 webrootcommagentservice;Cdrbsdrv;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 webrootenterpriseclientservice;SiS300i;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 webrootenterpriseupdateservice;CA561;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 webrootspysweeperservice;Hpzid412;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 ZDCNDIS5;Tsdhd;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-4-1 112640]
S3 gupdatem;Servicio de Google Update (gupdatem);c:\archivos de programa\google\update\GoogleUpdate.exe [2010-1-13 135664]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-4-2 102656]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\rafa\config~1\temp\mfe_rr.sys --> c:\docume~1\rafa\config~1\temp\mfe_rr.sys [?]
S3 PAC207;VideoCAM GF112;c:\windows\system32\drivers\pfc027.sys [2005-4-8 162176]
S3 qdb3gmdm;D-Link USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qdb3gmdm.sys [2011-6-30 106240]
.
=============== Created Last 30 ================
.
2012-04-16 08:38:10 -------- d-----w- c:\windows\system32\DBBK
2012-04-16 08:29:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-03 06:21:18 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-27 08:09:45 -------- d-----w- c:\documents and settings\rafa\.pdfsam
2012-03-27 07:45:47 -------- d-----w- c:\archivos de programa\pdfsam
.
==================== Find3M ====================
.
2012-04-16 08:31:17 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-03 06:21:18 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 10:59:03 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:59:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 10:59:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:09:53 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:09:53 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:53 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 09:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:57:03 1860224 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:42:07,09 ===============

Scolabar
2012-04-28, 12:46
Hi sabinoing,

Firstly, welcome to the Safer-Networking Malware Removal Forum. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.
If you no longer require help I would be grateful if you would let me know.

Please note the following important guidelines before proceeding:
The instructions that will be provided are for YOUR computer and system only!
Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
Absence of symptoms does not necessarily mean that everything is clear.
DO NOT run any other fix or removal tools unless instructed to do so!
DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!
Please Note: If you haven't done so already, please read this topic "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.


Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

Backup Your Data - Windows XP (http://support.microsoft.com/kb/308422)
If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.

In the meantime please provide the feedback below:

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Business Use Computer?

Entries in your HijackThis log lead me to believe that this computer may be being used for business purposes.
Please could you confirm if this is the case? If the computer is not used for business purposes please proceed with Step 2.

Step 2:
Logs Required for Review

I notice you have already run a significant number of tools including ComboFix and TDSSKiller which should never be run other than under instruction from a malware expert. ;)


ComboFix Log

Please post the entire contents of the combofix.txt log file (it is normally to be found in the C:\qoobox\ directory) into your next reply.

TDSSKiller Log

Please post the entire contents of the most recent TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt log file. The file is normally saved to the root directory - usually C: drive.

Step 3:
Include in Next Post

Did you have any problems carrying out the instructions?
Is this computer used for business purposes? If not, please clarify for what purposes the computer is used.
ComboFix.txt.
TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt.
Do you have the original Windows installation media for your PC?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Scolabar
2012-04-30, 13:32
Hi sabinoing,

It has been over 48 hours since my last post.

Do you still need help?
Do you need more time?
Are you having problems following my instructions?
In line with Safer-Networking's Forum Guidelines, topics will be closed after 3 days without a response.
If you do not reply within the next 24 hours, this topic will be closed.


Jack&Jill
2012-05-02, 16:34
Due to lack of response, this topic is now closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. How to post a DDS log. (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm) to me or a MOD. A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.