
Thread: DDS.txt shows "possible TDL3 rootkit infection" after checking for Click.Giftload

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    Default DDS.txt shows "possible TDL3 rootkit infection" after checking for Click.Giftload

    PROBLEM
    DDS.txt shows "possible TDL3 rootkit infection" after investigating Click.Giftload threat

    RECENT HISTORY
    Recently installed Mozilla Firefox to see how version 4 compared against IE6
    Unfortunately did not get the AVG verdict icons working so was not fully protected when browsing
    Suspect this may be the cause of the infection

    Last Spybot scan NOT showing Click.Giftload
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
    Checks.110326-1411.log
    26.03.2011 14:11:50 - ##### check started #####
    26.03.2011 14:11:50 - ### Version: 1.6.2
    26.03.2011 14:11:50 - ### Date: 26/03/2011 14:11:50
    26.03.2011 14:11:52 - ##### checking bots #####
    26.03.2011 14:25:57 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
    26.03.2011 14:25:59 - ##### check finished #####

    First spybot scan showing Click.GiftLoad
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
    Checks.110327-0428.log
    27.03.2011 04:28:13 - ##### check started #####
    27.03.2011 04:28:13 - ### Version: 1.6.2
    27.03.2011 04:28:13 - ### Date: 27/03/2011 04:28:13
    27.03.2011 04:28:15 - ##### checking bots #####
    27.03.2011 04:28:57 - found: Click.GiftLoad User settings
    27.03.2011 04:41:04 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
    27.03.2011 04:41:04 - ##### check finished #####

    Right Media Tracking cookie appears on the PC every now and again
    I have not noticed it causing any problems and Spybot is able to remove it
    Spybot was also able to remove Click.Giftload

    However noticed strange IE6 activity this morning ...
    Clicking on google search results often directs back to google search
    Clicking on google search results sometimes directs to an unexpected web page
    Browser occasionally launches a new session onto an unwanted web page (links can be supplied if required)
    Firefox does not launch at all

    Re-booted PC and ran Spybot scan and found Click.Giftload present again
    Used Spybot to remove (and also purge) this threat

    Re-ran scan later and no threats detected

    Searched for Click.Giftload on your forum (and elsewhere online)
    Used Zone Alarm to Stop All Internet Activity between changing web pages (though none actually observed)
    Downloaded ERUNT and backed up registry
    Ran DDS and found the root kit warning at the bottom of the log

    Unwanted browser activity continued
    Ran Spybot scan and again no threats detected
    This suggests that Click.Giftload itself may not be the problem - just one of the problem's related activities?

    Re-started PC - took several minutes longer to shut down than normal
    Re-ran Spybot scan and Click.Giftload again detected
    This suggests Click.Giftload is being installed during shut down or IPL - I assume by the rootkit?

    Re-started PC again
    Ran DDS and created DDS.txt and Attach.txt prior to removing Click.Giftload again

    Start of DDS.txt (with name commented to Xxxxxx Xxxxx) --------------------------

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Xxxxxx Xxxxx at 16:51:17.60 on 27/03/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2393 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Documents and Settings\Xxxxxx Xxxxx\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = file:///C:/HTML/index.htm
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
    mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\n7khba69.default\
    FF - prefs.js: browser.startup.homepage - c:\\html\\index.htm
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-3-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-3-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-3-16 243024]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-7-27 127768]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-27 394952]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-3-16 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-3-16 308136]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-7-25 2034560]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-6-25 1390976]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-6-24 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-03-26 00:08:14 -------- d-----w- c:\program files\DependencyWalker
    2011-03-24 23:53:37 -------- d-----w- c:\docume~1\robert~1\applic~1\GetRightToGo
    2011-03-20 23:09:02 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-03-20 23:09:02 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-03-20 23:09:02 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
    2011-03-20 23:09:02 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
    2011-03-20 23:09:02 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-03-20 23:09:02 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-03-20 20:54:57 98304 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
    2011-03-20 20:54:57 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
    2011-03-20 20:54:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-03-20 20:54:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
    2011-03-20 20:54:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-03-20 20:54:57 14121944 ----a-w- c:\program files\mozilla firefox\xul.dll
    2011-03-20 20:54:57 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2011-03-20 08:34:43 -------- d--h--w- C:\$AVG
    2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-19 22:39:24 -------- d-----w- c:\program files\System Tracker
    2011-03-19 22:06:54 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1.dll
    2011-03-19 22:03:33 -------- d-----w- C:\T3
    2011-03-19 21:38:20 65593 ----a-w- c:\program files\outlook express\csapi3t1.dll
    2011-03-19 21:37:02 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1_net.dll
    2011-03-19 21:34:56 -------- d-----w- C:\T2
    2011-03-19 19:55:42 6317328 ----a-w- c:\program files\common files\microsoft shared\proof\1036\MSGR3FR.DLL
    2011-03-19 19:55:42 1100560 ----a-w- c:\program files\common files\microsoft shared\proof\3082\MSGR3ES.DLL
    2011-03-19 19:55:41 854152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3ES.DLL
    2011-03-19 19:55:41 633664 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3FR.DLL
    2011-03-19 19:55:41 49152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTHES3.DLL
    2011-03-19 19:55:41 3152704 ----a-w- c:\program files\common files\microsoft shared\proof\1033\MSGR3EN.DLL
    2011-03-19 19:55:40 61512 ----a-w- c:\program files\common files\microsoft shared\proof\MSHYPH2.DLL
    2011-03-19 19:55:40 576320 ----a-w- c:\program files\common files\microsoft shared\proof\MSLID.DLL
    2011-03-19 19:55:40 551232 ----a-w- c:\program files\common files\microsoft shared\proof\MSSP3FR.DLL
    2011-03-19 19:55:39 919696 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3ES.DLL
    2011-03-19 19:55:39 408336 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3FR.DLL
    2011-03-19 11:49:28 -------- d-----w- C:\T1
    2011-03-16 20:13:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2011-03-16 20:13:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-16 20:13:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-03-16 20:13:33 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-03-16 19:46:03 -------- d-----w- c:\docume~1\robert~1\applic~1\AVG10
    2011-03-16 18:15:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-03-16 17:48:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2011-03-16 17:19:20 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-03-15 00:00:24 -------- d-----w- c:\docume~1\robert~1\applic~1\TaskCoach
    2011-03-15 00:00:15 -------- d-----w- c:\program files\TaskCoach
    2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\locals~1\applic~1\Apprise
    2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\applic~1\Apprise
    2011-03-06 15:36:52 -------- d-----w- c:\program files\Toggl Desktop
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD5000AAKS-00UU3A0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T1L0-10
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4b47d0]; MOV EAX, [0x8a4b484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x8A4E59E8]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4E3940]
    \Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP3T1L0-10 -> \??\IDE#DiskWDC_WD5000AAKS-00UU3A0__________________01.03B01#5&511fad&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A4AE27F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 16:52:12.62 ===============

    End of DDS.txt ------------------------------------------------------------------


    The PC has not been used for ebay or internet banking for a couple of weeks and since the problem has only been around for a day there has been no opportunity for any account information or passwords to have been captured during use.
    However please can you advise whether there is any action I can take to remove the threat.
    My objective is to get the PC as clean as possible - even if it requires a full drive reformat and windows re-install.
    Having backed up all data last weekend I am in a good position to do this though would prefer not to if there is a better way.

    THANKS in anticipation.
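Added here as an editor's example, not code from the thread or from the DDS/GMER authors: a small parser that reads the ROOTKIT block of a DDS log like the one posted above and turns its structured lines (the >>UNKNOWN<< marker on the disk I/O path, the redirected atapi dispatch entry, the "detected hooks" list, the MBR verdict and the "Warning:" line) into a triage verdict. The two sample logs are constructed from the layout shown in the post, and the function and class names are the example's own.

```python
"""Triage helper for the ROOTKIT block of a DDS log (hypothetical; not part of DDS or GMER)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_RE = re.compile(r"^=+ .+ =+$")                       # "=== ROOTKIT ===", "=== FINISH: ... ==="
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")  # marker GMER puts on "called modules:"
# "\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439": a dispatch entry and where it points
DISPATCH_RE = re.compile(r"^(\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")
# "\Driver\atapi DriverStartIo -> 0x8A4AE27F": one entry under "detected hooks:"
HOOK_RE = re.compile(r"^(\\Driver\\\S+) (\S+) -> (0x[0-9A-Fa-f]+)$")
WARNING_RE = re.compile(r"^Warning: (.+)$")

# Constructed sample laid out like the ROOTKIT block in the DDS.txt posted above.
INFECTED_DDS = r"""
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AE27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 16:52:12.62 ===============
"""

# Constructed sample of the same block with nothing found (timestamp is a placeholder).
CLEAN_DDS = r"""
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
============= FINISH: 00:00:00.00 ===============
"""

@dataclass
class RootkitReport:
    unknown_modules: List[str] = field(default_factory=list)         # addresses flagged >>UNKNOWN<<
    dispatch_to_unknown: List[Tuple[str, str, str]] = field(default_factory=list)
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, routine, target address)
    mbr_ok: bool = False
    warnings: List[str] = field(default_factory=list)

def parse_rootkit(text: str) -> RootkitReport:
    """Parse only the ROOTKIT section of a DDS log; other sections are skipped."""
    rep, dispatches, inside, in_hooks = RootkitReport(), [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):                # section header: enter ROOTKIT, leave at the next one
            if inside:
                break
            inside = "ROOTKIT" in line
            continue
        if not inside or line in ("", "."):
            continue
        if line == "detected hooks:":
            in_hooks = True                      # the following lines are hook entries
            continue
        if in_hooks and (m := HOOK_RE.match(line)):
            rep.hooks.append(m.groups())
            continue
        in_hooks = False                         # anything else ends the hook list
        if line.startswith("called modules:"):
            rep.unknown_modules.extend(UNKNOWN_RE.findall(line))
        elif line == "user & kernel MBR OK":
            rep.mbr_ok = True
        elif (m := WARNING_RE.match(line)):
            rep.warnings.append(m.group(1))
        elif (m := DISPATCH_RE.match(line)):
            dispatches.append(m.groups())
    # Correlate: dispatch entries whose target lies in code GMER could not attribute to any module.
    unknown = set(rep.unknown_modules)
    rep.dispatch_to_unknown = [d for d in dispatches if d[2] in unknown]
    return rep

def triage(rep: RootkitReport) -> Tuple[str, List[str]]:
    """Turn the parsed block into a verdict plus the reasons behind it."""
    findings = []
    if rep.unknown_modules:
        findings.append("disk I/O path runs through code outside any known module at "
                        + ", ".join(rep.unknown_modules))
    for drv, irp, addr in rep.dispatch_to_unknown:
        findings.append(f"{drv} {irp} dispatch redirected into that unknown code ({addr})")
    for drv, routine, addr in rep.hooks:
        findings.append(f"{drv} {routine} hooked -> {addr}")
    for warning in rep.warnings:
        findings.append("detector warning: " + warning)
    # "user & kernel MBR OK" alone does not clear the box: in the posted log the hook sits on the
    # atapi driver's DriverStartIo, not in the boot sector, so the MBR check cannot see it.
    if findings:
        return "rootkit indicators present", findings
    return ("no rootkit indicators" if rep.mbr_ok else "inconclusive: no MBR verdict"), []
```

Running `triage(parse_rootkit(INFECTED_DDS))` on the sample yields four findings, whereas the keyword-free clean sample comes back as "no rootkit indicators".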

  2. #2
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi cyfyr,

    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

    When should I re-format? How should I reinstall?
    Where to draw the line? When to recommend a format and reinstall?

    Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Step 1 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 2 | This next program is needed to remove the remaining malware entries I see. However, AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the infection.

    After uninstalling AVG from the Control Panel, also run the AVG remover tool from their site (download AVG Remover 32bit).

    http://www.avg.com/us-en/download-tools

    You may also use this AppRemover to uninstall AVG:
    http://www.appremover.com

    AppRemover tutorial:
    http://www.appremover.com/about/using-appremover.html


    After uninstalling AVG, please download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    Default

    Hi Blottedisk,

    Many thanks for replying to my post and coming to my assistance - your help and advice is very much appreciated.

    The malware is definitely re-installing Click.Giftload at shutdown and/or startup and these are taking a lot longer than usual.
    This must be driven by something lurking on the PC itself as the internet is physically disconnected at the time.

    AVG has occasionally blocked something nasty from being accessed whilst I was connected to the internet but not actually doing anything.
    (see attached AVGwarning.gif)

    All things considered I plan to reformat the drive and re-install Windows etc as this is the only way to be 100% safe.
    This is likely to be done/completed this weekend after which I will re-run the DDS scan and post the results.

    In the meantime the PC will remain physically disconnected from the internet most of the time and restarts avoided.

    Thanks once again for your help.

  4. #4
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi cyfyr,

    You are welcome

    Reformatting and disconnecting this machine from the Internet are the wisest choices you can make.

    I will keep this topic open so you can post your new DDS log next week. In case you need some help regarding the format/install process, I will be here also.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    Default

    The Windows re-install has now been more or less completed.
    An early Spybot scan found DoubleClick and Smitfraud-C.
    Not sure where these came from as I had not managed to reconnect to the internet at that time !
    Thankfully they were successfully removed and have not reappeared.

    DDS has been run and the output posted / attached (with my name 'X'ed out).
    The text does not contain any "warn", "root", "robot", "trojan", "malware" so I believe the PC is clean.

    -------- DDS.TXT -------- Start --------

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Xxxxxx Xxxxx at 19:56:23.89 on 04-04-2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2408 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Security Suite Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\system\HsMgr.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = file:///C:/HTML/Index.htm
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
    mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
    mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
    mRun: [Cmaudio8788GX] c:\windows\system\HsMgr.exe Envoke
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    StartupFolder: c:\docume~1\xxxxxx~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301854820531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-4-2 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-4-2 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-4-2 243024]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2011-4-2 127768]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-2 394952]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-4-2 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-4-2 308136]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2011-4-1 2034560]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-4-1 1390976]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-04-03 21:39:44 -------- d-----w- c:\windows\system32\winrm
    2011-04-03 21:39:40 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2011-04-03 20:08:17 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-04-03 19:44:44 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-04-03 19:02:06 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\ApplicationHistory
    2011-04-03 18:54:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-04-03 18:54:23 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-04-03 18:54:22 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-04-03 18:54:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-04-03 18:52:12 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-04-03 18:52:12 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-04-03 18:44:54 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\Windows Desktop Search
    2011-04-03 18:44:30 -------- d-----w- c:\windows\system32\GroupPolicy
    2011-04-03 18:44:30 -------- d-----w- c:\program files\Windows Desktop Search
    2011-04-03 18:43:39 -------- d-----w- c:\program files\Windows Media Connect 2
    2011-04-03 18:42:24 -------- d-----w- c:\windows\system32\LogFiles
    2011-04-03 18:41:20 -------- d-----w- c:\windows\system32\URTTEMP
    2011-04-03 18:23:03 -------- d-----w- c:\windows\system32\PreInstall
    2011-04-03 18:23:02 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2011-04-03 18:23:01 -------- d--h--w- c:\windows\$hf_mig$
    2011-04-03 18:20:58 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-04-03 18:20:58 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-04-03 18:20:57 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-04-03 18:20:57 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-04-03 18:20:57 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-04-03 10:08:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-03 10:08:10 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-02 22:22:13 -------- d-----w- c:\program files\SonicWallES
    2011-04-02 22:21:41 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\Identities
    2011-04-02 18:51:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-04-02 17:50:38 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\MailFrontier
    2011-04-02 17:43:17 1734688 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2011-04-02 17:39:12 75248 ----a-w- c:\windows\zllsputility.exe
    2011-04-02 17:38:18 1086952 ----a-w- c:\windows\system32\zpeng24.dll
    2011-04-02 17:38:15 -------- d-----w- c:\windows\system32\ZoneLabs
    2011-04-02 17:38:15 -------- d-----w- c:\program files\Zone Labs
    2011-04-02 16:00:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-04-02 16:00:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-04-02 15:15:42 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-04-02 15:15:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2011-04-02 15:15:38 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-04-02 15:15:37 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-04-02 15:15:33 -------- d-----w- c:\program files\AVG
    2011-04-02 15:15:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2011-04-02 14:25:20 -------- d-s---w- c:\documents and settings\xxxxxx xxxxx\UserData
    2011-04-02 11:59:28 11264 ----a-w- c:\windows\system32\SpOrder.dll
    2011-04-02 11:58:51 -------- d-----w- c:\windows\Internet Logs
    2011-04-01 22:47:32 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-04-01 20:57:01 -------- d-----w- c:\windows\pss
    2011-04-01 19:52:17 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\Desktop
    2011-04-01 19:13:10 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\OpenOffice.org
    2011-04-01 19:12:21 -------- d-----w- C:\DJGPP
    2011-04-01 19:12:17 -------- d-----w- C:\HTML
    2011-04-01 19:12:02 -------- d-----w- C:\LiveData
    2011-04-01 19:10:29 -------- d-----w- C:\Backups
    2011-04-01 18:46:19 -------- d-----w- C:\temp
    2011-04-01 18:46:18 160951 ------w- c:\windows\system32\drivers\gtipdsp_.bin
    2011-04-01 18:46:17 24576 ----a-w- c:\windows\system32\CoInst.dll
    2011-04-01 18:46:17 160963 ----a-w- c:\windows\system32\drivers\gtipdsp.bin
    2011-04-01 18:46:17 148338 ----a-w- c:\windows\system32\drivers\gwausb.sys
    2011-04-01 18:46:15 12288 ------w- c:\windows\system32\CplEng.dll
    2011-04-01 18:46:14 -------- d-----w- c:\program files\Voyager 105 ADSL Modem
    2011-04-01 18:40:10 247808 ----a-w- c:\windows\system32\newdev_5_1_2600_5512.dll
    2011-04-01 18:40:10 1388816 ----a-w- c:\windows\system32\shell32_Win98.DLL
    2011-04-01 18:40:10 113936 ----a-w- c:\windows\system32\newdev_5_0_2146_1.dll
    2011-04-01 18:23:48 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-04-01 18:23:48 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-04-01 18:22:40 163840 ----a-w- c:\windows\BJPSUNST.EXE
    2011-04-01 18:21:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-01 18:21:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-04-01 18:21:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2011-04-01 18:21:54 306688 ----a-w- c:\windows\IsUninst.exe
    2011-04-01 18:21:17 -------- d-----w- c:\windows\StartHtmico
    2011-04-01 18:20:59 8704 ----a-w- c:\windows\system32\CNMVS7A.DLL
    2011-04-01 18:20:59 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP7A.DLL
    2011-04-01 18:20:59 20992 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD7A.DLL
    2011-04-01 18:20:59 140288 ----a-w- c:\windows\system32\CNMLM7A.DLL
    2011-04-01 18:20:58 90112 ----a-r- c:\windows\system32\CNMCP7A.exe
    2011-04-01 18:20:03 263978 ----a-w- c:\windows\system32\CNMNPPM.DLL
    2011-04-01 18:20:03 117322 ----a-w- c:\windows\system32\CNMNPUI.DLL
    2011-04-01 18:20:03 -------- d-----w- c:\program files\Canon
    2011-04-01 18:04:30 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\ATI
    2011-04-01 18:04:11 0 ----a-w- c:\windows\ativpsrm.bin
    2011-04-01 18:01:50 -------- d-----w- c:\program files\common files\ATI Technologies
    2011-04-01 18:00:04 593920 ------w- c:\windows\system32\ati2sgag.exe
    2011-04-01 17:59:51 -------- d-----w- c:\program files\ATI Technologies
    2011-04-01 17:59:13 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
    2011-04-01 17:59:13 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
    2011-04-01 17:59:13 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
    2011-04-01 17:59:13 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
    2011-04-01 17:59:13 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
    2011-04-01 17:58:56 -------- d-----w- C:\AMD
    2011-04-01 17:53:32 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
    2011-04-01 17:53:32 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
    2011-04-01 17:53:32 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
    2011-04-01 17:53:31 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
    2011-04-01 17:53:31 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
    2011-04-01 17:53:31 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
    2011-04-01 17:53:31 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
    2011-04-01 17:53:31 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
    2011-04-01 17:49:27 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
    2011-04-01 17:49:27 142336 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
    2011-04-01 17:49:18 -------- d-----w- c:\program files\Realtek
    2011-04-01 17:42:42 331184 ------w- c:\windows\system32\difxapi.dll
    2011-04-01 17:42:41 -------- d-----w- c:\program files\VIA
    2011-04-01 17:39:54 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-04-01 17:39:53 53248 ----a-r- c:\windows\system32\CSVer.dll
    2011-04-01 17:39:43 -------- d-----w- C:\Intel
    2011-04-01 17:38:21 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
    2011-04-01 17:38:17 10296 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
    2011-04-01 17:26:42 -------- d-----w- c:\program files\JRE
    2011-04-01 17:26:40 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-04-01 17:26:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-01 17:26:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-01 17:23:48 -------- d-----w- c:\program files\MSECache
    2011-04-01 17:20:08 -------- d-----w- C:\Downloads
    2011-04-01 17:18:45 -------- d-----w- C:\Downloads_Old
    2011-04-01 15:00:24 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    .
    ==================== Find3M ====================
    .
    2011-04-01 17:54:18 413696 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-04-01 17:54:18 102400 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 19:57:33.48 ===============
    --------

    DDS.TXT -------- Finish --------

    Thanks once again for your help - it is greatly appreciated.

  6. #6
    Emeritus - Malware Team
    Join Date: May 2009
    Location: Buenos Aires, Argentina
    Posts: 340

    Hi cyfyr,


    Your log is looking good. However, it shows that you are operating your computer with multiple antivirus programs running in memory at once:

    • AVG
    • ZoneAlarm


    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having more than one program running at the same time can cause your computer to run very slowly or become unstable, and lead to conflicts, errors, false positives, etc.


    Please go to Start --> Run and type appwiz.cpl and press enter. Uninstall either AVG or ZoneAlarm.


    When finished, please go to the following site to scan a file: Virus Total

    • Click on Browse, and upload the following files for analysis:

      c:\windows\system32\newdev_5_1_2600_5512.dll
      c:\windows\system32\shell32_Win98.DLL
      c:\windows\system32\newdev_5_0_2146_1.dll
      c:\windows\BJPSUNST.EXE
    • Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
    • If it says already scanned -- click "reanalyze now"
    • Please post the results in your next reply.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --
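    The triage the helper does by eye above (pulling recently created binaries out of the DDS "Created Last 30" section so they can be checked on VirusTotal) can be scripted. This is an added example, not code from this thread or from DDS itself; the sample lines are copied from the log posted above, and the reading of the attribute flags ('d' marks a directory) is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the "Created Last 30" section of the
# DDS log above (timestamp, size or dashes, attribute flags, path). Not the
# complete section.
SAMPLE = r"""
2011-04-03 18:54:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-04-02 17:43:17 1734688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2011-04-01 18:40:10 247808 ----a-w- c:\windows\system32\newdev_5_1_2600_5512.dll
2011-04-01 18:40:10 1388816 ----a-w- c:\windows\system32\shell32_Win98.DLL
2011-04-01 18:40:10 113936 ----a-w- c:\windows\system32\newdev_5_0_2146_1.dll
2011-04-01 18:23:48 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-01 18:22:40 163840 ----a-w- c:\windows\BJPSUNST.EXE
2011-04-01 18:21:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-01 18:20:59 8704 ----a-w- c:\windows\system32\CNMVS7A.DLL
2011-04-01 17:59:51 -------- d-----w- c:\program files\ATI Technologies
"""

# timestamp, size (digits) or a run of dashes for directories, 8 flag chars, path
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$")

# Extensions of loadable PE images worth hashing and looking up.
PE_EXT = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr")
# Binaries dropped directly into these roots are unusual for normal installers
# and are the ones a helper typically asks to have scanned.
WATCH_DIRS = ("c:\\windows", "c:\\windows\\system32")

def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators ('.') and section banners are skipped
        ts, size, attrs, path = m.groups()
        entries.append({
            "time": ts,
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,  # assumption: leading 'd' = directory, 'h' hidden, 's' system
            "path": path,
        })
    return entries

def candidates_for_lookup(entries):
    """Return {timestamp: [paths]} of PE files created directly in the Windows or
    System32 root. Grouping by creation second makes installer batches obvious,
    while a lone binary stands out as something to hash and look up."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is None or e["attrs"].startswith("d"):
            continue
        folder, _, name = e["path"].lower().rpartition("\\")
        if folder in WATCH_DIRS and name.endswith(PE_EXT):
            groups[e["time"]].append(e["path"])
    return dict(groups)

if __name__ == "__main__":
    for ts, paths in sorted(candidates_for_lookup(parse_dds_created(SAMPLE)).items()):
        print(ts, *paths, sep="\n    ")
```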
