
Thread: DDS.txt shows "possible TDL3 rootkit infection" after checking for Click.Giftload

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    DDS.txt shows "possible TDL3 rootkit infection" after checking for Click.Giftload

    PROBLEM
    DDS.txt shows "possible TDL3 rootkit infection" after investigating Click.Giftload threat

    RECENT HISTORY
    Recently installed Mozilla Firefox to see how version 4 compared against IE6
    Unfortunately did not get the AVG verdict icons working so was not fully protected when browsing
    Suspect this may be the cause of the infection

    Last Spybot scan NOT showing Click.Giftload
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
    Checks.110326-1411.log
    26.03.2011 14:11:50 - ##### check started #####
    26.03.2011 14:11:50 - ### Version: 1.6.2
    26.03.2011 14:11:50 - ### Date: 26/03/2011 14:11:50
    26.03.2011 14:11:52 - ##### checking bots #####
    26.03.2011 14:25:57 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
    26.03.2011 14:25:59 - ##### check finished #####

    First spybot scan showing Click.GiftLoad
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\
    Checks.110327-0428.log
    27.03.2011 04:28:13 - ##### check started #####
    27.03.2011 04:28:13 - ### Version: 1.6.2
    27.03.2011 04:28:13 - ### Date: 27/03/2011 04:28:13
    27.03.2011 04:28:15 - ##### checking bots #####
    27.03.2011 04:28:57 - found: Click.GiftLoad User settings
    27.03.2011 04:41:04 - found: Right Media Tracking cookie (Internet Explorer: Robert Cowey)
    27.03.2011 04:41:04 - ##### check finished #####

    Right Media Tracking cookie appears on the PC every now and again
    I have not noticed it causing any problems and Spybot is able to remove it
    Spybot was also able to remove Click.Giftload

    However noticed strange IE6 activity this morning ...
    Clicking on google search results often directs back to google search
    Clicking on google search results sometimes directs to an unexpected web page
    Browser occasionally launches a new session onto an unwanted web page (links can be supplied if required)
    Firefox does not launch at all

    Re-booted PC and ran Spybot scan and found Click.Giftload present again
    Used Spybot to remove (and also purge) this threat

    Re-ran scan later and no threats detected

    Searched for Click.Giftload on your forum (and elsewhere online)
    Used Zone Alarm to Stop All Internet Activity between changing web pages (though none actually observed)
    Downloaded ERUNT and backed up registry
    Ran DDS and found the root kit warning at the bottom of the log

    Unwanted browser activity continued
    Ran Spybot scan and again no threats detected
    This suggests that Click.Giftload itself may not be the problem - just one of the problem's related activities?

    Re-started PC - took several minutes longer to shut down than normal
    Re-ran Spybot scan and Click.Giftload again detected
    This suggests Click.Giftload is being installed during shut down or IPL - I assume by the root kit?

    Re-started PC again
    Ran DDS and created DDS.txt and Attach.txt prior to removing Click.Giftload again

    Start of DDS.txt (with name commented to Xxxxxx Xxxxx) --------------------------

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Xxxxxx Xxxxx at 16:51:17.60 on 27/03/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2393 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Documents and Settings\Xxxxxx Xxxxx\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = file:///C:/HTML/index.htm
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
    mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\n7khba69.default\
    FF - prefs.js: browser.startup.homepage - c:\\html\\index.htm
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-3-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-3-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-3-16 243024]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-7-27 127768]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-27 394952]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-3-16 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-3-16 308136]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-7-25 2034560]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-6-25 1390976]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-6-24 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-03-26 00:08:14 -------- d-----w- c:\program files\DependencyWalker
    2011-03-24 23:53:37 -------- d-----w- c:\docume~1\robert~1\applic~1\GetRightToGo
    2011-03-20 23:09:02 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-03-20 23:09:02 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-03-20 23:09:02 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
    2011-03-20 23:09:02 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
    2011-03-20 23:09:02 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-03-20 23:09:02 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-03-20 23:09:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-03-20 20:54:57 98304 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
    2011-03-20 20:54:57 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
    2011-03-20 20:54:57 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-03-20 20:54:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
    2011-03-20 20:54:57 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2011-03-20 20:54:57 14121944 ----a-w- c:\program files\mozilla firefox\xul.dll
    2011-03-20 20:54:57 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2011-03-20 08:34:43 -------- d--h--w- C:\$AVG
    2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-20 00:48:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-19 22:39:24 -------- d-----w- c:\program files\System Tracker
    2011-03-19 22:06:54 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1.dll
    2011-03-19 22:03:33 -------- d-----w- C:\T3
    2011-03-19 21:38:20 65593 ----a-w- c:\program files\outlook express\csapi3t1.dll
    2011-03-19 21:37:02 65593 ----a-w- c:\program files\common files\microsoft shared\proof\csapi3t1_net.dll
    2011-03-19 21:34:56 -------- d-----w- C:\T2
    2011-03-19 19:55:42 6317328 ----a-w- c:\program files\common files\microsoft shared\proof\1036\MSGR3FR.DLL
    2011-03-19 19:55:42 1100560 ----a-w- c:\program files\common files\microsoft shared\proof\3082\MSGR3ES.DLL
    2011-03-19 19:55:41 854152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3ES.DLL
    2011-03-19 19:55:41 633664 ----a-w- c:\program files\common files\microsoft shared\proof\MSTH3FR.DLL
    2011-03-19 19:55:41 49152 ----a-w- c:\program files\common files\microsoft shared\proof\MSTHES3.DLL
    2011-03-19 19:55:41 3152704 ----a-w- c:\program files\common files\microsoft shared\proof\1033\MSGR3EN.DLL
    2011-03-19 19:55:40 61512 ----a-w- c:\program files\common files\microsoft shared\proof\MSHYPH2.DLL
    2011-03-19 19:55:40 576320 ----a-w- c:\program files\common files\microsoft shared\proof\MSLID.DLL
    2011-03-19 19:55:40 551232 ----a-w- c:\program files\common files\microsoft shared\proof\MSSP3FR.DLL
    2011-03-19 19:55:39 919696 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3ES.DLL
    2011-03-19 19:55:39 408336 ----a-w- c:\program files\common files\microsoft shared\proof\MSHY3FR.DLL
    2011-03-19 11:49:28 -------- d-----w- C:\T1
    2011-03-16 20:13:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2011-03-16 20:13:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-16 20:13:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-03-16 20:13:33 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-03-16 19:46:03 -------- d-----w- c:\docume~1\robert~1\applic~1\AVG10
    2011-03-16 18:15:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-03-16 17:48:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2011-03-16 17:19:20 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-03-15 00:00:24 -------- d-----w- c:\docume~1\robert~1\applic~1\TaskCoach
    2011-03-15 00:00:15 -------- d-----w- c:\program files\TaskCoach
    2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\locals~1\applic~1\Apprise
    2011-03-06 15:37:11 -------- d-----w- c:\docume~1\robert~1\applic~1\Apprise
    2011-03-06 15:36:52 -------- d-----w- c:\program files\Toggl Desktop
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD5000AAKS-00UU3A0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T1L0-10
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4b47d0]; MOV EAX, [0x8a4b484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000062[0x8A4E59E8]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4E3940]
    \Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP3T1L0-10 -> \??\IDE#DiskWDC_WD5000AAKS-00UU3A0__________________01.03B01#5&511fad&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A4AE27F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 16:52:12.62 ===============

    End of DDS.txt ------------------------------------------------------------------


    The PC has not been used for ebay or internet banking for a couple of weeks and since the problem has only been around for a day there has been no opportunity for any account information or passwords to have been captured during use.
    However please can you advise whether there is any action I can take to remove the threat.
    My objective is to get the PC as clean as possible - even if it requires a full drive reformat and windows re-install.
    Having backed up all data last weekend I am in a good position to do this though would prefer not to if there is a better way.

    THANKS in anticipation.
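As an added example (not part of the original post, and not code from DDS or GMER), a small Python triage helper that pulls out of the ROOTKIT section of the DDS.txt above the items a helper reads first: the module marked >>UNKNOWN<< in the disk I/O trace, the IRP dispatch that lands on that address, the hooked DriverStartIo entry, the user/kernel MBR read status and the detector's own warning line. The sample input is constructed from the log lines quoted in the post; the address normalisation and the `suspicious` verdict are assumptions of this example, not anything DDS defines.

```python
"""Triage helper for the ROOTKIT section of a DDS.txt log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ROOTKIT section quoted in the post above, with the
# "detected disk devices" lines and the assembly dumps left out for brevity.
SAMPLE_LOG = r"""
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4AE439]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4D9AB8]
\Driver\atapi[0x8A5542B8] -> IRP_MJ_CREATE -> 0x8A4AE439
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AE27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:52:12.62 ===============
"""

# Constructed clean section for comparison: nothing unknown, no hooks, no warning.
CLEAN_LOG = r"""
=================== ROOTKIT ====================
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
============= FINISH: 12:00:00.00 ===============
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^\\Driver\\(\S+) (\S+) -> (0x[0-9A-Fa-f]+)$")
DISPATCH_RE = re.compile(r"^\\Driver\\(\S+)\[0x[0-9A-Fa-f]+\] -> (IRP_\w+) -> (0x[0-9A-Fa-f]+)$")
MBR_RE = re.compile(r"^(user|kernel): MBR (.+)$")
WARNING_RE = re.compile(r"^Warning: (.+)$")


def norm(addr: str) -> str:
    """Canonical form for a kernel address so trace and hook entries compare equal."""
    return "0x" + addr[2:].upper()


@dataclass
class RootkitFindings:
    unknown_modules: List[str] = field(default_factory=list)            # code in the disk path no module claims
    dispatch: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP major, target address)
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)     # (driver, entry point, target address)
    mbr_status: Dict[str, str] = field(default_factory=dict)            # "user"/"kernel" -> what the detector read
    warning: Optional[str] = None                                       # detector's own verdict line, if any

    @property
    def suspicious(self) -> bool:
        # Assumption of this example: any one of these is enough to escalate to a
        # helper; DDS itself only prints the Warning line.
        return bool(self.unknown_modules or self.hooks or self.warning)


def parse_rootkit_section(text: str) -> RootkitFindings:
    f = RootkitFindings()
    in_hooks = False          # True while reading the lines under "detected hooks:"
    for raw in text.splitlines():
        line = raw.strip()
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                f.hooks.append((m.group(1), m.group(2), norm(m.group(3))))
                continue
            in_hooks = False  # first non-hook line ends the list; fall through and parse it
        if line == "detected hooks:":
            in_hooks = True
            continue
        f.unknown_modules.extend(norm(a) for a in UNKNOWN_RE.findall(line))
        if m := DISPATCH_RE.match(line):
            f.dispatch.append((m.group(1), m.group(2), norm(m.group(3))))
        elif m := MBR_RE.match(line):
            f.mbr_status[m.group(1)] = m.group(2)
        elif m := WARNING_RE.match(line):
            f.warning = m.group(1)
    return f


def triage(text: str) -> Tuple[RootkitFindings, List[str]]:
    """Parse the section and explain, in plain words, why it does or does not look hooked."""
    f = parse_rootkit_section(text)
    reasons = []
    if f.unknown_modules:
        reasons.append("disk I/O trace passes through code no loaded module owns: " + ", ".join(f.unknown_modules))
    for drv, irp, target in f.dispatch:
        if target in f.unknown_modules:
            reasons.append(f"{irp} for \\Driver\\{drv} is dispatched to that unknown code at {target}")
    for drv, entry, target in f.hooks:
        reasons.append(f"\\Driver\\{drv} {entry} is hooked -> {target}")
    if f.warning:
        reasons.append("detector says: " + f.warning)
    return f, reasons


if __name__ == "__main__":
    findings, why = triage(SAMPLE_LOG)
    print("suspicious" if findings.suspicious else "clean")
    for r in why:
        print(" -", r)
```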

  2. #2
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi cyfyr,

    Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


    Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

    When should I re-format? How should I reinstall?
    Where to draw the line? When to recommend a format and reinstall?

    Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


    Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


    Step 1 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)




    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.

    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 2 | This next program is needed to remove the remaining malware entries I see. However, AVG incorrectly targets ComboFix's embedded files. ComboFix will not run with AVG installed. Please uninstall AVG before continuing. You can reinstall it, or another antivirus such as Avira or avast!, after we've used ComboFix to clear the infection.

    After uninstalling AVG from the Control Panel, also run the AVG remover tool from their site (download AVG Remover 32bit).

    http://www.avg.com/us-en/download-tools

    You may also use this AppRemover to uninstall AVG:
    http://www.appremover.com

    AppRemover tutorial:
    http://www.appremover.com/about/using-appremover.html


    After uninstalling AVG, please download Combofix from any of the links below and save it to your desktop.

    Link 1
    Link 2

    --------------------------------------------------------------------

    • Double click on Combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    9


    Hi Blottedisk,

    Many thanks for replying to my post and coming to my assistance - your help and advice are very much appreciated.

    The malware is definitely re-installing Click.Giftload at shutdown and/or startup and these are taking a lot longer than usual.
    This must be driven by something lurking on the PC itself as the internet is physically disconnected at the time.

    AVG has occasionally blocked something nasty from being accessed whilst I was connected to the internet but not actually doing anything.
    (see attached AVGwarning.gif)

    All things considered I plan to reformat the drive and re-install Windows etc as this is the only way to be 100% safe.
    This is likely to be done/completed this weekend, after which I will re-run the DDS scan and post the results.

    In the meantime the PC will remain physically disconnected from the internet most of the time and restarts avoided.

    Thanks once again for your help.

  4. #4
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340


    Hi cyfyr,

    You are welcome.

    Reformatting and disconnecting this machine from the Internet are the wisest choices you can make.

    I will keep this topic open so you can post your new DDS log next week. In case you need some help regarding the format/install process, I will be here also.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    9


    The Windows re-install has now been more or less completed.
    An early Spybot scan found DoubleClick and Smitfraud-C.
    Not sure where these came from as I had not managed to reconnect to the internet at that time!
    Thankfully they were successfully removed and have not reappeared.

    DDS has been run and the output posted / attached (with my name 'X'ed out).
    The text does not contain any "warn", "root", "robot", "trojan", "malware" so I believe the PC is clean.

    -------- DDS.TXT -------- Start --------

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Xxxxxx Xxxxx at 19:56:23.89 on 04-04-2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2408 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Security Suite Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\system\HsMgr.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = file:///C:/HTML/Index.htm
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
    mRun: [DSLSTATEXE] c:\program files\voyager 105 adsl modem\dslstat.exe icon
    mRun: [DSLAGENTEXE] c:\program files\voyager 105 adsl modem\dslagent.exe
    mRun: [Cmaudio8788GX] c:\windows\system\HsMgr.exe Envoke
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    StartupFolder: c:\docume~1\xxxxxx~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301854820531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-4-2 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-4-2 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-4-2 243024]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2011-4-2 127768]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-2 394952]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2011-4-2 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-4-2 308136]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 cmudaxp;ASUS Xonar DS Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2011-4-1 2034560]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-4-1 1390976]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-04-03 21:39:44 -------- d-----w- c:\windows\system32\winrm
    2011-04-03 21:39:40 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
    2011-04-03 20:08:17 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-04-03 19:44:44 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-04-03 19:02:06 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\ApplicationHistory
    2011-04-03 18:54:23 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-04-03 18:54:23 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-04-03 18:54:22 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-04-03 18:54:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-04-03 18:52:12 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-04-03 18:52:12 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-04-03 18:44:54 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\Windows Desktop Search
    2011-04-03 18:44:30 -------- d-----w- c:\windows\system32\GroupPolicy
    2011-04-03 18:44:30 -------- d-----w- c:\program files\Windows Desktop Search
    2011-04-03 18:43:39 -------- d-----w- c:\program files\Windows Media Connect 2
    2011-04-03 18:42:24 -------- d-----w- c:\windows\system32\LogFiles
    2011-04-03 18:41:20 -------- d-----w- c:\windows\system32\URTTEMP
    2011-04-03 18:23:03 -------- d-----w- c:\windows\system32\PreInstall
    2011-04-03 18:23:02 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2011-04-03 18:23:01 -------- d--h--w- c:\windows\$hf_mig$
    2011-04-03 18:20:58 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
    2011-04-03 18:20:58 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-04-03 18:20:57 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2011-04-03 18:20:57 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2011-04-03 18:20:57 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-04-03 10:08:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-03 10:08:10 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-02 22:22:13 -------- d-----w- c:\program files\SonicWallES
    2011-04-02 22:21:41 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\Identities
    2011-04-02 18:51:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-04-02 17:50:38 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\MailFrontier
    2011-04-02 17:43:17 1734688 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2011-04-02 17:39:12 75248 ----a-w- c:\windows\zllsputility.exe
    2011-04-02 17:38:18 1086952 ----a-w- c:\windows\system32\zpeng24.dll
    2011-04-02 17:38:15 -------- d-----w- c:\windows\system32\ZoneLabs
    2011-04-02 17:38:15 -------- d-----w- c:\program files\Zone Labs
    2011-04-02 16:00:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-04-02 16:00:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-04-02 15:15:42 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-04-02 15:15:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2011-04-02 15:15:38 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-04-02 15:15:37 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-04-02 15:15:33 -------- d-----w- c:\program files\AVG
    2011-04-02 15:15:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2011-04-02 14:25:20 -------- d-s---w- c:\documents and settings\xxxxxx xxxxx\UserData
    2011-04-02 11:59:28 11264 ----a-w- c:\windows\system32\SpOrder.dll
    2011-04-02 11:58:51 -------- d-----w- c:\windows\Internet Logs
    2011-04-01 22:47:32 221184 ----a-w- c:\windows\system32\wmpns.dll
    2011-04-01 20:57:01 -------- d-----w- c:\windows\pss
    2011-04-01 19:52:17 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\Desktop
    2011-04-01 19:13:10 -------- d-----w- c:\docume~1\xxxxxx~1\applic~1\OpenOffice.org
    2011-04-01 19:12:21 -------- d-----w- C:\DJGPP
    2011-04-01 19:12:17 -------- d-----w- C:\HTML
    2011-04-01 19:12:02 -------- d-----w- C:\LiveData
    2011-04-01 19:10:29 -------- d-----w- C:\Backups
    2011-04-01 18:46:19 -------- d-----w- C:\temp
    2011-04-01 18:46:18 160951 ------w- c:\windows\system32\drivers\gtipdsp_.bin
    2011-04-01 18:46:17 24576 ----a-w- c:\windows\system32\CoInst.dll
    2011-04-01 18:46:17 160963 ----a-w- c:\windows\system32\drivers\gtipdsp.bin
    2011-04-01 18:46:17 148338 ----a-w- c:\windows\system32\drivers\gwausb.sys
    2011-04-01 18:46:15 12288 ------w- c:\windows\system32\CplEng.dll
    2011-04-01 18:46:14 -------- d-----w- c:\program files\Voyager 105 ADSL Modem
    2011-04-01 18:40:10 247808 ----a-w- c:\windows\system32\newdev_5_1_2600_5512.dll
    2011-04-01 18:40:10 1388816 ----a-w- c:\windows\system32\shell32_Win98.DLL
    2011-04-01 18:40:10 113936 ----a-w- c:\windows\system32\newdev_5_0_2146_1.dll
    2011-04-01 18:23:48 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-04-01 18:23:48 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2011-04-01 18:22:40 163840 ----a-w- c:\windows\BJPSUNST.EXE
    2011-04-01 18:21:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-01 18:21:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-04-01 18:21:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
    2011-04-01 18:21:54 306688 ----a-w- c:\windows\IsUninst.exe
    2011-04-01 18:21:17 -------- d-----w- c:\windows\StartHtmico
    2011-04-01 18:20:59 8704 ----a-w- c:\windows\system32\CNMVS7A.DLL
    2011-04-01 18:20:59 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP7A.DLL
    2011-04-01 18:20:59 20992 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD7A.DLL
    2011-04-01 18:20:59 140288 ----a-w- c:\windows\system32\CNMLM7A.DLL
    2011-04-01 18:20:58 90112 ----a-r- c:\windows\system32\CNMCP7A.exe
    2011-04-01 18:20:03 263978 ----a-w- c:\windows\system32\CNMNPPM.DLL
    2011-04-01 18:20:03 117322 ----a-w- c:\windows\system32\CNMNPUI.DLL
    2011-04-01 18:20:03 -------- d-----w- c:\program files\Canon
    2011-04-01 18:04:30 -------- d-----w- c:\docume~1\xxxxxx~1\locals~1\applic~1\ATI
    2011-04-01 18:04:11 0 ----a-w- c:\windows\ativpsrm.bin
    2011-04-01 18:01:50 -------- d-----w- c:\program files\common files\ATI Technologies
    2011-04-01 18:00:04 593920 ------w- c:\windows\system32\ati2sgag.exe
    2011-04-01 17:59:51 -------- d-----w- c:\program files\ATI Technologies
    2011-04-01 17:59:13 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
    2011-04-01 17:59:13 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
    2011-04-01 17:59:13 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
    2011-04-01 17:59:13 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
    2011-04-01 17:59:13 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
    2011-04-01 17:58:56 -------- d-----w- C:\AMD
    2011-04-01 17:53:32 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
    2011-04-01 17:53:32 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
    2011-04-01 17:53:32 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
    2011-04-01 17:53:31 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
    2011-04-01 17:53:31 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
    2011-04-01 17:53:31 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
    2011-04-01 17:53:31 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
    2011-04-01 17:53:31 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
    2011-04-01 17:49:27 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
    2011-04-01 17:49:27 142336 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
    2011-04-01 17:49:18 -------- d-----w- c:\program files\Realtek
    2011-04-01 17:42:42 331184 ------w- c:\windows\system32\difxapi.dll
    2011-04-01 17:42:41 -------- d-----w- c:\program files\VIA
    2011-04-01 17:39:54 -------- d-----w- c:\windows\system32\ReinstallBackups
    2011-04-01 17:39:53 53248 ----a-r- c:\windows\system32\CSVer.dll
    2011-04-01 17:39:43 -------- d-----w- C:\Intel
    2011-04-01 17:38:21 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
    2011-04-01 17:38:17 10296 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
    2011-04-01 17:26:42 -------- d-----w- c:\program files\JRE
    2011-04-01 17:26:40 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-04-01 17:26:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-01 17:26:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-01 17:23:48 -------- d-----w- c:\program files\MSECache
    2011-04-01 17:20:08 -------- d-----w- C:\Downloads
    2011-04-01 17:18:45 -------- d-----w- C:\Downloads_Old
    2011-04-01 15:00:24 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
    .
    ==================== Find3M ====================
    .
    2011-04-01 17:54:18 413696 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-04-01 17:54:18 102400 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 19:57:33.48 ===============
    --------

    DDS.TXT -------- Finish --------

    Thanks once again for your help - it is greatly appreciated.
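As an added illustration of how a helper triages the "Created Last 30" section of a DDS log (this is example code, not part of the thread and not the DDS tool): a parser for those lines plus a shortlist rule that flags hidden/system files under c:\windows and executable-type files written directly into c:\windows, system32 or drivers. The sample lines are copied from the log above; the meaning assigned to the attribute letters is an assumption drawn from those entries.

```python
"""Parse the "Created Last 30" section of a DDS log and shortlist entries for review.

Added example, not code from the thread or from the DDS tool. The attribute letters
are interpreted as d=directory, c=compressed, s=system, h=hidden, a=archive,
r=read-only, w=writable; that mapping is an assumption drawn from the log entries.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: a few lines copied from the log above, plus the section header.
SAMPLE_LOG = r"""
============= Created Last 30 ================
.
2011-04-03 21:39:40 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-04-03 19:44:44 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-02 17:43:17 1734688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2011-04-02 14:25:20 -------- d-s---w- c:\documents and settings\xxxxxx xxxxx\UserData
2011-04-01 18:40:10 1388816 ----a-w- c:\windows\system32\shell32_Win98.DLL
2011-04-01 18:22:40 163840 ----a-w- c:\windows\BJPSUNST.EXE
2011-04-01 18:46:18 160951 ------w- c:\windows\system32\drivers\gtipdsp_.bin
.
"""

# One entry per line: date, time, size (dashes for directories), an 8-character
# attribute field, then the path (matched lazily to end of line so spaces are kept).
_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) ([a-z-]{8}) (.+?)\s*$"
)


@dataclass
class DdsEntry:
    created: datetime
    size: Optional[int]   # None for directory entries ("--------")
    attrs: str            # raw attribute field, e.g. "--sha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


def parse_created_last_30(text: str) -> List[DdsEntry]:
    """Return parsed entries; headers, '.' separators and blank lines are skipped."""
    entries: List[DdsEntry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(DdsEntry(
            created=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            size=None if size.startswith("-") else int(size),
            attrs=attrs,
            path=path,
        ))
    return entries


# Extensions treated as executable code, and the directories where a freshly
# created executable is worth a second look (dllcache copies are Windows File
# Protection backups and are deliberately not in this list).
_PE_EXT = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr")
_WATCH_DIRS = ("c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers")


def review_candidates(entries: List[DdsEntry]) -> List[DdsEntry]:
    """Shortlist for manual review (a triage list, not a malware verdict):
    hidden/system files anywhere under c:\\windows, and executable-type files
    written directly into c:\\windows, system32 or drivers."""
    out: List[DdsEntry] = []
    for e in entries:
        if e.is_dir:
            continue
        p = e.path.lower()
        parent, _, name = p.rpartition("\\")
        if e.hidden_or_system and p.startswith("c:\\windows\\"):
            out.append(e)
        elif name.endswith(_PE_EXT) and parent in _WATCH_DIRS:
            out.append(e)
    return out


def main() -> None:
    entries = parse_created_last_30(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    for e in review_candidates(entries):
        print(f"review: {e.created:%Y-%m-%d %H:%M} {e.attrs} {e.size or '-':>8} {e.path}")


if __name__ == "__main__":
    main()
```

Running it on the sample shortlists the hidden/system fidbox.dat and the two oddly named executables the helper asked about; the poster's later explanation shows why a shortlist is only a starting point for questions, not a verdict.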

  6. #6
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi cyfyr,


    Your log is looking good. However, it shows that you are operating your computer with multiple Anti Virus programs running in memory at once:

    • AVG
    • ZoneAlarm


    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having more than one program running at the same time can cause your computer to run very slowly, become unstable, and produce conflicts, errors, false positives, etc.


    Please go to Start --> Run and type appwiz.cpl and press enter. Uninstall either AVG or ZoneAlarm.


    When finished, please go to the following site to scan a file: Virus Total

    • Click on Browse, and upload the following files for analysis:

      c:\windows\system32\newdev_5_1_2600_5512.dll
      c:\windows\system32\shell32_Win98.DLL
      c:\windows\system32\newdev_5_0_2146_1.dll
      c:\windows\BJPSUNST.EXE
    • Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
    • If it says already scanned -- click "reanalyze now"
    • Please post the results in your next reply.
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    Default

    Many thanks for reviewing the log - I'm pleased it's looking good!

    The anti-virus part of Zone Alarm is actually switched off at present (and is flagged as disabled in DDS.TXT).
    However once everything is back to normal I will in any case be seeking to replace it completely with whatever freeware is currently best (though I do like the way ZA works).
    May also review AVG.
    For now AVG (and Spybot) scans will be done manually so I am hopeful this will avoid resource / conflict issues.

    I think I can explain three of the DLL issues.
    The WinXP build installed newdev.dll version 5.1.2600.5512.
    Unfortunately this prevents the install of the Voyager 105 USB modem driver.
    The workaround from the internet is to use Safe Mode to temporarily install an older version that does allow the install, and having first overcome this problem last year I still had a copy of the earlier version 5.0.2146.1.
    A backup copy of each file has been left in place beside the live newdev.dll in case needed in future ...
    newdev_5_1_2600_5512.dll
    newdev_5_0_2146_1.dll

    Having retired my Win98 machine only last year I still prefer Windows Classic view.
    Unfortunately I have not been able to find some of the Windows Classic icons on WinXP yet.
    I therefore transferred the shell32.dll containing the icons from the Win98 machine (but renamed it to avoid problems with the WinXP shell32.dll).
    shell32_Win98.DLL

    BJPSUNST.EXE has been uploaded to the VirusTotal website and examined as follows ...


    -------- Virus Total output -------- Start --------


    File name: BJPSUNST.EXE
    Submission date: 2011-04-05 21:30:33 (UTC)
    Current status: queued (#2) queued (#2) analysing finished

    Result: 0/ 42 (0.0%)
    VT Community

    not reviewed
    Safety score: -

    Antivirus Version Last Update Result
    AhnLab-V3 2011.04.06.01 2011.04.05 -
    AntiVir 7.11.5.201 2011.04.05 -
    Antiy-AVL 2.0.3.7 2011.04.05 -
    Avast 4.8.1351.0 2011.04.05 -
    Avast5 5.0.677.0 2011.04.05 -
    AVG 10.0.0.1190 2011.04.05 -
    BitDefender 7.2 2011.04.05 -
    CAT-QuickHeal 11.00 2011.04.05 -
    ClamAV 0.97.0.0 2011.04.05 -
    Commtouch 5.2.11.5 2011.03.24 -
    Comodo 8233 2011.04.05 -
    DrWeb 5.0.2.03300 2011.04.05 -
    Emsisoft 5.1.0.5 2011.04.05 -
    eSafe 7.0.17.0 2011.04.05 -
    eTrust-Vet 36.1.8255 2011.04.05 -
    F-Prot 4.6.2.117 2011.04.05 -
    F-Secure 9.0.16440.0 2011.04.05 -
    Fortinet 4.2.254.0 2011.04.05 -
    GData 22 2011.04.05 -
    Ikarus T3.1.1.103.0 2011.04.05 -
    Jiangmin 13.0.900 2011.03.31 -
    K7AntiVirus 9.96.4303 2011.04.05 -
    Kaspersky 7.0.0.125 2011.04.05 -
    McAfee 5.400.0.1158 2011.04.05 -
    McAfee-GW-Edition 2010.1C 2011.04.05 -
    Microsoft 1.6702 2011.04.05 -
    NOD32 6017 2011.04.05 -
    Norman 6.07.07 2011.04.05 -
    Panda 10.0.3.5 2011.04.05 -
    PCTools 7.0.3.5 2011.04.04 -
    Prevx 3.0 2011.04.05 -
    Rising 23.51.05.05 2011.04.02 -
    Sophos 4.64.0 2011.04.05 -
    SUPERAntiSpyware 4.40.0.1006 2011.04.05 -
    Symantec 20101.3.2.89 2011.04.05 -
    TheHacker 6.7.0.1.167 2011.04.05 -
    TrendMicro 9.200.0.1012 2011.04.05 -
    TrendMicro-HouseCall 9.200.0.1012 2011.04.05 -
    VBA32 3.12.14.3 2011.04.05 -
    VIPRE 8930 2011.04.05 -
    ViRobot 2011.4.5.4394 2011.04.05 -
    VirusBuster 13.6.288.0 2011.04.05 -

    Additional information

    MD5 : b4957d508be8b9f68a76fdc2d89a3844
    SHA1 : 4745f2725c3509eaa3b431d078720dea877309de
    SHA256: 4809834eed7907d24ee64a046bbf07a91f3735026676d2ca75aff9388b652e9d
    ssdeep: 3072:huAX+61fJkOHOH2btymPnXkAWq87NfIiHglKygFE7hu:huJ0f0WbtxPM1IiTygF

    File size : 163840 bytes
    First seen: 2009-07-01 15:55:39
    Last seen : 2011-04-05 21:30:33
    TrID:
    Win64 Executable Generic (54.6%)
    Win32 Executable MS Visual C++ (generic) (24.0%)
    Windows Screen Saver (8.3%)
    Win32 Executable Generic (5.4%)
    Win32 Dynamic Link Library (generic) (4.8%)
    sigcheck:
    publisher....: CANON INC.
    copyright....: Copyright CANON INC. 2003 All Rights Reserved
    product......: BJPSUNST.EXE
    description..: BJPSUNST
    original name: BJPSUNST.EXE
    internal name: BJPSUNST
    file version.: 1, 0, 0, 0
    comments.....: BJPSUNST
    signers......: -
    signing date.: -
    verified.....: Unsigned

    PEiD: Armadillo v1.71
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x356B
    timedatestamp....: 0x4004353C (Tue Jan 13 18:13:16 2004)
    machinetype......: 0x14c (I386)

    [[ 4 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x1430E, 0x15000, 6.47, 79fe2b51d047930d3bc0b451496b7b76
    .rdata, 0x16000, 0x4A3C, 0x5000, 4.62, 5749e3fb015af16cdb41e889887cb09e
    .data, 0x1B000, 0x6F1C, 0x4000, 1.82, b350b45b0436ecf9a34212ea5881dff5
    .rsrc, 0x22000, 0x8900, 0x9000, 4.54, f4ef2db2576614102bbd0668d470c882

    [[ 8 import(s) ]]
    KERNEL32.dll: GetCurrentDirectoryA, GetModuleHandleA, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, GetVersion, GetProcessVersion, SetErrorMode, FileTimeToSystemTime, FileTimeToLocalFileTime, TlsGetValue, GlobalFlags, LocalReAlloc, GetStartupInfoA, GetCommandLineA, ExitProcess, TerminateProcess, HeapFree, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, GetACP, GetTimeZoneInformation, GetCPInfo, TlsSetValue, RtlUnwind, FreeEnvironmentStringsW, GetOEMCP, LeaveCriticalSection, SystemTimeToFileTime, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetUnhandledExceptionFilter, GetDriveTypeA, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetPrivateProfileStringA, LoadLibraryA, DeleteFileA, GetLastError, RemoveDirectoryA, FreeLibrary, GetVersionExA, GetModuleFileNameA, MoveFileExA, GetWindowsDirectoryA, lstrcatA, EnterCriticalSection, GlobalReAlloc, GlobalUnlock, TlsFree, GlobalHandle, TlsAlloc, GlobalFree, DeleteCriticalSection, FindNextFileA, InitializeCriticalSection, LocalAlloc, lstrcpyA, GetFullPathNameA, GetVolumeInformationA, SetEndOfFile, GetProcAddress, FlushFileBuffers, UnlockFile, LockFile, ReadFile, SetFilePointer, WriteFile, SetLastError, GetCurrentProcess, DuplicateHandle, SetFileTime, SetFileAttributesA, CreateFileA, GetEnvironmentStrings, LocalFileTimeToFileTime, FindFirstFileA, WritePrivateProfileStringA, FindClose, lstrcpynA, GetFileTime, GetFileSize, GetFileAttributesA, LocalFree, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, CloseHandle, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, SetHandleCount, UnhandledExceptionFilter, FreeEnvironmentStringsA
    USER32.dll: RegisterWindowMessageA, SetForegroundWindow, GetForegroundWindow, GetMessagePos, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, SetPropA, GetClassLongA, CreateWindowExA, DestroyWindow, DefWindowProcA, GetMenuItemID, GetSubMenu, GetMenu, RegisterClassA, GetClassInfoA, WinHelpA, GetTopWindow, CopyRect, GetClientRect, AdjustWindowRectEx, GetSysColor, MapWindowPoints, LoadIconA, GetSysColorBrush, DestroyMenu, SetWindowLongA, GetWindowPlacement, SystemParametersInfoA, ShowWindow, SetFocus, GetDlgItem, GrayStringA, DrawTextA, TabbedTextOutA, ReleaseDC, GetDC, GetMenuItemCount, GetWindowTextA, SetWindowTextA, GetWindow, GetDlgCtrlID, GetWindowRect, PtInRect, GetClassNameA, LoadCursorA, GetCapture, GetSystemMetrics, CharUpperA, wsprintfA, UnhookWindowsHookEx, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, IsIconic, SetWindowPos, MessageBoxA, EnableWindow, SetCursor, SendMessageA, PostQuitMessage, PostMessageA, GetDesktopWindow, LoadStringA, ClientToScreen, UnregisterClassA
    GDI32.dll: SaveDC, SelectObject, GetStockObject, SetBkColor, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, DeleteObject, DeleteDC, GetDeviceCaps, RectVisible, TextOutA, PtVisible, Escape, ExtTextOutA, GetObjectA, RestoreDC, CreateBitmap
    comdlg32.dll: GetFileTitleA
    WINSPOOL.DRV: DocumentPropertiesA, ClosePrinter, OpenPrinterA
    ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA
    SHELL32.dll: SHGetSpecialFolderLocation, SHGetMalloc, SHGetPathFromIDListA, SHGetSpecialFolderPathA
    COMCTL32.dll: -

    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 86016
    Comments: BJPSUNST
    CompanyName: CANON INC.
    EntryPoint: 0x356b
    FileDescription: BJPSUNST
    FileFlagsMask: 0x003f
    FileOS: Win32
    FileSize: 160 kB
    FileSubtype: 0
    FileType: Win32 EXE
    FileVersion: 1, 0, 0, 0
    FileVersionNumber: 1.0.0.0
    ImageVersion: 0.0
    InitializedDataSize: 86016
    InternalName: BJPSUNST
    LanguageCode: Japanese
    LegalCopyright: Copyright CANON INC. 2003 All Rights Reserved
    LinkerVersion: 6.0
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 4.0
    ObjectFileType: Executable application
    OriginalFilename: BJPSUNST.EXE
    PEType: PE32
    ProductName: BJPSUNST.EXE
    ProductVersion: 1, 0, 0, 0
    ProductVersionNumber: 1.0.0.0
    Subsystem: Windows GUI
    SubsystemVersion: 4.0
    TimeStamp: 2004:01:13 19:13:16+01:00
    UninitializedDataSize: 0



    -------- Virus Total output -------- Finish --------


    I suspect this is something to do with my Canon printer.
    The date time stamp on the file itself would be about right for that as Canon drivers were installed just before the Voyager 105 USB modem.

    Hopefully this means everything is now okay?

  8. #8
    Emeritus- Malware Team
    Join Date
    May 2009
    Location
    Buenos Aires, Argentina
    Posts
    340

    Default

    Hi cyfyr,


    Thanks for the clarification.


    Then everything is fine. Let's run two last scans just to be more certain that there's nothing in there:


    Step 1 | Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


    Step 2 | Let's perform an ESET Online Scan

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

    • Please go here then click on:
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on:
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on:
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic.
    • Now click on: (Selecting Uninstall application on close if you so wish)
    -- WTT Classroom Graduate --
    -- ASAP Member --
    -- UNITE Trained Eliminator --

  9. #9
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    Default

    Hi Blottedisk,

    Followed the instructions for step 1 as follows ...

    Downloaded the file from CNET
    Internet Explorer showed the yellow warning bar ...
    To help protect your security, Internet Explorer blocked this site from downloading files to your computer
    I am never really sure when to bypass this warning.
    I assume if it happens in response to something I have initiated then it should be reasonably safe.

    Allowed the download, installed, allowed the database update, ran the quick scan ...

    ---------- First M-AM quick scan ---------- Start

    Scan type: Quick scan
    Objects scanned: 140792
    Time elapsed: 3 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.


    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ---------- First M-AM quick scan ---------- Finish

    From the name of the infected registry data item, I guessed this was because I have switched off automatic Windows Update and also the notification about this.

    Switched this back on using ...
    - Start > Control Panel > Security Center >
    - - Resources (blue text on left panel)
    - - - Change the way Security Centre alerts me

    Re-ran the quick M-AM scan and this time no problems found (I think) ...

    ---------- Second M-AM quick scan ---------- Start

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6290

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    06-04-2011 22:56:56
    mbam-log-2011-04-06 (22-56-56).txt

    Scan type: Quick scan
    Objects scanned: 140737
    Time elapsed: 1 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ---------- Second M-AM quick scan ---------- Finish

    Ran full M-AM scan - also allowing it to scan the external USB drive(s) used to hold my data backup(s).
    AVG Resident Shield notified me of a tracking cookie (...@revisc[1].txt) during this - ran a Spybot scan afterwards but nothing malicious found.

    ---------- M-AM full scan ---------- Start

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6290

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    06-04-2011 23:23:17
    mbam-log-2011-04-06 (23-23-17).txt

    Scan type: Full scan (C:\|E:\|F:\|)
    Objects scanned: 185748
    Time elapsed: 23 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ---------- M-AM full scan ---------- Finish

    The ESET online scanner will be used tomorrow evening (Thu).
    The PC will remain disconnected from the internet until then.
    Many thanks again for your help.

  10. #10
    Junior Member
    Join Date
    Mar 2011
    Posts
    9

    Default

    Finally found time to action the instructions for step 2.
    The log is as follows ...

    ---------- ESET scan ---------- Start

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=2e3f53989a2aff4a9bc6f2376ed4f4f4
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-04-07 09:17:22
    # local_time=2011-04-07 10:17:22 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777191 100 0 451481 451481 0 0
    # compatibility_mode=8192 67108863 100 0 300 300 0 0
    # compatibility_mode=9217 16777193 100 67 442760 86619318 0 0
    # scanned=30574
    # found=0
    # cleaned=0
    # scan_time=2228


    ---------- ESET scan ---------- Finish

    There were no warnings displayed either during or after the scan.

    ESET did not uninstall afterwards and does not appear within the Control Panel "Add or Remove Programs" list.
    I don't really want to leave it in place if not compatible with AVG so I assume I run its own uninstaller?
    C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

    Hopefully this now means the PC is in a clean state of health?
