
Thread: Another click.giftload problem - :(

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    14

    Another click.giftload problem - :(

    Hi,

    3 things started happening:

    1) my browsers kept redirecting websites
    2) my avast kept "blocking malicious urls"
    3) Just-in-time debugging pop up, asking me to choose a debugger

    I think I have done all the pre-post things, and have pasted logs below/attached zip and turned TeaTimer off.

    Your help would be very much appreciated.

    *****************
    Dss.txt

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by user at 10:13:28.26 on 31/03/2011
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_09
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1364 [GMT 1:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\qaddress\Rapid32.315\qarapidn.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\user\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://www.baztex.com
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page =
    mStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    uRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
    mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    mRun: [MBoxUtil Clean] c:\program files\konica minolta\box utility\BoxUtil.exe /clean
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rapid.lnk - c:\qaddress\rapid32.315\qarapidn.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\msoffice\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient japan\images\stg_drm.ocx
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://almcam2.lofer.at:1003//activex/AMC.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient japan\images\armhelper.ocx
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e26cpkhm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_0.dll
    FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-27 294608]
    R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-27 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-18 40384]
    R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2005-5-13 40576]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
    S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
    .
    =============== Created Last 30 ================
    .
    2011-03-31 08:49:58 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-03-29 15:32:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-29 15:32:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-03-23 11:00:25 -------- d-----w- c:\program files\common files\L&H
    2011-03-23 10:59:50 -------- d-----w- c:\program files\Microsoft ActiveSync
    2011-03-23 09:51:09 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    2011-03-23 09:51:08 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2011-03-23 09:18:28 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Microsoft Help
    2011-03-21 14:01:36 165376 ----a-w- c:\windows\system32\unrar.dll
    2011-03-21 14:01:23 839680 ----a-w- c:\windows\system32\lameACM.acm
    2011-03-21 14:01:22 237568 ----a-w- c:\windows\system32\yv12vfw.dll
    2011-03-21 14:01:22 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-03-21 14:01:21 810496 ----a-w- c:\windows\system32\xvidcore.dll
    2011-03-21 14:01:21 183808 ----a-w- c:\windows\system32\xvidvfw.dll
    2011-03-21 14:01:03 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-03-21 13:43:00 -------- d-----w- c:\program files\common files\DivX Shared
    2011-03-21 13:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2011-03-21 13:33:42 421888 ----a-w- c:\windows\system32\ac3filter.acm
    2011-03-21 13:33:25 -------- d-----w- c:\program files\XP Codec Pack
    2011-03-01 15:10:42 -------- d-----w- c:\program files\iTunes
    2011-03-01 15:10:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-03-01 15:03:39 -------- d-----w- c:\program files\Bonjour
    .
    ==================== Find3M ====================
    .
    2011-02-28 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_4R120L0 rev.RAMB1TU0 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B84439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b8a7d0]; MOV EAX, [0x89b8a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x89B6BAB8]
    3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000058[0x89BD5F18]
    5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x89B70D98]
    \Driver\atapi[0x89B46A68] -> IRP_MJ_CREATE -> 0x89B84439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskMaxtor_4R120L0__________________________RAMB1TU0#3352323134584548202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x89B8427F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 10:17:37.44 ===============

    *******************************************
    Searchbot log

    Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2011-03-29 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-03-22 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-03-29 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-03-29 Includes\Malware.sbi (*)
    2011-03-29 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-15 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2011-03-08 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-03-15 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-12-28 Includes\Trojans.sbi (*)
    2011-03-25 Includes\TrojansC-02.sbi (*)
    2011-03-29 Includes\TrojansC-03.sbi (*)
    2011-03-08 Includes\TrojansC-04.sbi (*)
    2011-03-29 Includes\TrojansC-05.sbi (*)
    2011-03-08 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    ***********************

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Download aswMBR to your desktop. Double click the aswMBR.exe to run it
    Click the Scan button to start scan

    On completion of the scan click save log, save it to your desktop and post in your next reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    14


    Thanks for replying!

    Tea timer off.

    Log below:

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-04-02 12:03:35
    -----------------------------
    12:03:35.843 OS Version: Windows 5.1.2600 Service Pack 2
    12:03:35.843 Number of processors: 1 586 0xA00
    12:03:35.843 ComputerName: OFFICE2 UserName: user
    12:03:37.093 Initialize success
    12:03:45.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort2
    12:03:45.093 Disk 0 Vendor: Maxtor_4R120L0 RAMB1TU0 Size: 117246MB BusType: 3
    12:03:45.093 Device \Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskMaxtor_4R120L0__________________________RAMB1TU0#3352323134584548202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    12:03:45.093 Device \Driver\atapi -> DriverStartIo 89b8427f
    12:03:47.093 Disk 0 MBR read successfully
    12:03:47.109 Disk 0 MBR scan
    12:03:47.109 Disk 0 TDL4@MBR code has been found
    12:03:47.109 Disk 0 MBR hidden
    12:03:47.109 Disk 0 MBR [TDL4] **ROOTKIT**
    12:03:47.109 Disk 0 trace - called modules:
    12:03:47.109 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b84439]<<
    12:03:47.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b6bab8]
    12:03:47.125 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\00000058[0x89bd5f18]
    12:03:47.125 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b70d98]
    12:03:47.484 \Driver\atapi[0x89b46a68] -> IRP_MJ_CREATE -> 0x89b84439
    12:03:47.484 Scan finished successfully

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi again

    Re-run aswMBR and click Scan. On completion of the scan, click Fix for TDL4. Save the log as before and post it in your next reply.

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    14


    New log below.

    Should I reboot like it asks?

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-04-02 13:58:51
    -----------------------------
    13:58:51.906 OS Version: Windows 5.1.2600 Service Pack 2
    13:58:51.906 Number of processors: 1 586 0xA00
    13:58:51.906 ComputerName: OFFICE2 UserName: user
    13:58:52.359 Initialize success
    13:58:53.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort2
    13:58:53.281 Disk 0 Vendor: Maxtor_4R120L0 RAMB1TU0 Size: 117246MB BusType: 3
    13:58:53.281 Device \Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskMaxtor_4R120L0__________________________RAMB1TU0#3352323134584548202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    13:58:53.296 Device \Driver\atapi -> DriverStartIo 89b8427f
    13:58:55.296 Disk 0 MBR read successfully
    13:58:55.296 Disk 0 MBR scan
    13:58:55.296 Disk 0 TDL4@MBR code has been found
    13:58:55.296 Disk 0 MBR hidden
    13:58:55.296 Disk 0 MBR [TDL4] **ROOTKIT**
    13:58:55.312 Disk 0 trace - called modules:
    13:58:55.312 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b84439]<<
    13:58:55.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b6bab8]
    13:58:55.312 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\00000058[0x89bd5f18]
    13:58:55.312 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89b70d98]
    13:58:55.656 \Driver\atapi[0x89b46a68] -> IRP_MJ_CREATE -> 0x89b84439
    13:58:55.671 Scan finished successfully
    13:59:08.781 Disk 0 fixing MBR
    13:59:18.843 Disk 0 MBR restored successfully
    13:59:19.000 Infection fixed successfully - please reboot ASAP
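    The helper in this thread reads the rootkit verdicts, hidden-MBR and hook lines out of the aswMBR and DDS output by eye, and later reads the disabled-firewall and disabled-monitoring values out of ComboFix's registry section the same way. As an added example (not code from the thread, nor from aswMBR, DDS, Spybot or ComboFix), here is a small Python triage script that encodes those indicators as rules and runs them over lines copied from the logs posted in this thread: the Spybot Click.GiftLoad result and DDS rootkit warning from post #1, the aswMBR scan-and-fix log from post #5, and the ComboFix "Reg Loading Points" values from post #9. The rule names, severities, reasons and the function names (`triage`, `worst`, `report`) are my own choices, not anything the tools define.

```python
"""Triage rules for the scanner logs posted in this thread.

Added example, not code from the thread or from aswMBR/DDS/Spybot/ComboFix.
Rule names, severities and function names are my own choices.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: constructed by copying lines from the logs posted in the thread
# (Spybot + DDS from post #1, aswMBR from post #5, ComboFix registry from post #9).
SAMPLE_LOG = r"""
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
Warning: possible TDL3 rootkit infection !
13:58:53.296 Device \Driver\atapi -> DriverStartIo 89b8427f
13:58:55.296 Disk 0 MBR read successfully
13:58:55.296 Disk 0 TDL4@MBR code has been found
13:58:55.296 Disk 0 MBR hidden
13:58:55.296 Disk 0 MBR [TDL4] **ROOTKIT**
13:58:55.312 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b84439]<<
13:59:18.843 Disk 0 MBR restored successfully
13:59:19.000 Infection fixed successfully - please reboot ASAP
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    reason: str
    line: str


# (rule name, regex, severity, why it matters) -- one rule per indicator seen in the thread.
RULES = [
    ("mbr_rootkit_verdict", r"\*\*ROOTKIT\*\*", "critical",
     "scanner's verdict: the MBR is rootkit-infected"),
    ("tdl4_mbr_code", r"TDL4@MBR code has been found", "critical",
     "TDL4 bootkit code present in the MBR"),
    ("tdl3_warning", r"possible TDL3 rootkit infection", "critical",
     "DDS rootkit check warns of a TDL3-family infection"),
    ("mbr_hidden", r"\bMBR hidden\b", "high",
     "the real MBR is hidden from the OS, so a filter is active below the file system"),
    ("unknown_code_in_disk_path", r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<", "high",
     "disk I/O call chain ends in code that belongs to no loaded module"),
    ("atapi_startio_hook", r"DriverStartIo(?: ->)?\s+(?:0x)?[0-9A-Fa-f]{6,}", "high",
     "\\Driver\\atapi DriverStartIo is redirected (DDS lists it under 'detected hooks')"),
    ("giftload_browser_emulation", r"FEATURE_BROWSER_EMULATION\\svchost\.exe", "high",
     "svchost.exe keyed under FEATURE_BROWSER_EMULATION; Spybot reports it as Click.GiftLoad"),
    ("firewall_off", r'"EnableFirewall"=\s*0\b', "medium",
     "Windows Firewall is disabled for the standard profile"),
    ("security_center_muted", r'"DisableMonitoring"=dword:00000001', "medium",
     "Security Center monitoring is off, so AV/firewall state is not reported"),
    ("remediation_claimed", r"MBR restored successfully|Infection fixed successfully", "info",
     "scanner reports a fix; reboot and rescan before trusting it"),
]
COMPILED = [(name, re.compile(pat), sev, why) for name, pat, sev, why in RULES]


def triage(log_text: str) -> list[Finding]:
    """Apply every rule to every non-empty line; a line may yield several findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern, severity, reason in COMPILED:
            if pattern.search(line):
                findings.append(Finding(name, severity, reason, line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def worst(findings: list[Finding]) -> str:
    """Highest severity present, or 'clean' when no rule fired."""
    if not findings:
        return "clean"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def remediation_claimed(findings: list[Finding]) -> bool:
    return any(f.rule == "remediation_claimed" for f in findings)


def report(log_text: str) -> str:
    findings = triage(log_text)
    out = [f"[{f.severity:8}] {f.rule}: {f.reason}\n    {f.line}" for f in findings]
    out.append(f"overall: {worst(findings)}; {len(findings)} finding(s)")
    if remediation_claimed(findings) and worst(findings) == "critical":
        out.append("note: the fix is reported in the same log as the detection; rescan after reboot")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The script treats the "Infection fixed successfully" line as informational rather than as a downgrade of the verdict, which matches how the thread proceeds: the helper still asks for a reboot and further scans after aswMBR reports the MBR restored, and a log that contains both the detection and the fix should be read as "infected, remediation attempted", not as clean.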

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Please do.

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    14


    Ok, rebooted. So far so good. No "dings" from avast saying it's stopping malicious urls and no debugging popups.

    What now??

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Good. Now we'll do some more cleaning

    Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  9. #9
    Junior Member
    Join Date
    Mar 2011
    Posts
    14




    ComboFix log:

    ComboFix 11-04-01.01 - user 02/04/2011 15:36:15.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1565 [GMT 1:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\jestertb.dll
    c:\windows\sedmgac.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-01 11:49 . 2011-04-02 08:29 -------- d-----w- c:\windows\$XNTUninstall643$
    2011-03-31 16:26 . 2011-03-31 16:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2011-03-31 09:15 . 2011-03-31 09:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-03-31 09:09 . 2011-03-31 09:09 -------- d-----w- c:\program files\ERUNT
    2011-03-31 08:49 . 2006-10-12 03:10 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-03-31 08:21 . 2011-03-31 08:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Microsoft Help
    2011-03-29 15:32 . 2011-03-29 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-03-29 15:32 . 2011-03-29 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-23 11:00 . 2011-03-23 11:00 -------- d-----w- c:\program files\Common Files\L&H
    2011-03-23 10:59 . 2011-03-23 10:59 -------- d-----w- c:\program files\Microsoft ActiveSync
    2011-03-23 10:57 . 2011-03-23 10:57 -------- d-----w- c:\program files\Microsoft.NET
    2011-03-23 10:55 . 2011-03-23 10:55 -------- d-----r- C:\MSOCache
    2011-03-23 09:51 . 2006-10-26 19:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2011-03-23 09:51 . 2006-10-26 19:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2011-03-23 09:45 . 2011-03-26 09:37 -------- d-----w- c:\program files\Microsoft Works
    2011-03-23 09:18 . 2011-03-23 09:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Microsoft Help
    2011-03-23 09:18 . 2011-03-31 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2011-03-21 14:01 . 2010-03-15 10:31 165376 ----a-w- c:\windows\system32\unrar.dll
    2011-03-21 14:01 . 2008-09-24 19:41 839680 ----a-w- c:\windows\system32\lameACM.acm
    2011-03-21 14:01 . 2010-11-03 19:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
    2011-03-21 14:01 . 2010-01-17 16:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-03-21 14:01 . 2010-12-07 18:40 183808 ----a-w- c:\windows\system32\xvidvfw.dll
    2011-03-21 14:01 . 2010-12-07 18:22 810496 ----a-w- c:\windows\system32\xvidcore.dll
    2011-03-21 14:01 . 2011-03-21 14:02 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-03-21 13:45 . 2011-03-21 13:46 -------- d-----w- c:\documents and settings\user\Application Data\DivX
    2011-03-21 13:43 . 2011-03-21 13:43 -------- d-----w- c:\program files\Common Files\DivX Shared
    2011-03-21 13:38 . 2011-03-21 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2011-03-21 13:33 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
    2011-03-21 13:33 . 2011-03-21 13:33 -------- d-----w- c:\program files\XP Codec Pack
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-28 08:00 . 2008-12-17 17:22 80896 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-01-13 08:47 . 2010-07-02 08:20 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-13 08:47 . 2008-08-27 14:12 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:41 . 2008-08-27 14:12 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-13 08:40 . 2008-08-27 14:12 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:40 . 2008-08-27 14:12 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-01-13 08:39 . 2008-08-27 14:12 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-01-13 08:37 . 2008-08-27 14:12 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2008-08-27 14:12 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-01-13 08:37 . 2008-08-27 14:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSPower"="SiSPower.dll" [2004-09-02 49152]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
    "MBoxUtil Clean"="c:\program files\KONICA MINOLTA\BOX Utility\BoxUtil.exe" [2004-03-22 614400]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Rapid.LNK - c:\qaddress\Rapid32.315\qarapidn.exe [2007-9-21 465408]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-3-25 331776]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Nicola\\odds\\utorrent.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    .
    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [24/09/2009 06:40 19592]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [27/08/2008 15:12 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/08/2008 15:12 17744]
    R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [13/05/2005 05:09 40576]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/01/2010 12:27 135664]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [24/09/2009 14:38 22528]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [17/06/2009 15:01 25480]
    S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [30/11/2007 12:27 558592]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-02 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 10:48]
    .
    2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 11:27]
    .
    2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 11:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\e26cpkhm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-EPSON Stylus Photo RX420 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    HKLM-Run-EPSON Stylus Photo RX420 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll
    AddRemove-HijackThis - d:\antivirus\syscleanfiles\hjt\HijackThis.exe
    AddRemove-3718539502.skyplayer.sky.com - c:\program files\Microsoft Silverlight\4.0.50917.0\Silverlight.Configuration.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-02 15:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    EPSON Stylus Photo RX420 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-219886449-789616257-1325824072-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DACFF4A5-98A0-3937-3497-8D627EFCCB26}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "eaifjglknd"=hex:66,61,63,65,69,68,6d,64,6e,68,66,6c,00,31
    "dangcgdi"=hex:64,62,6d,69,6f,62,6c,61,6a,6d,6a,6e,6e,68,6d,61,69,66,6f,68,6f,
    62,68,67,70,61,63,6e,6a,62,68,65,67,6d,6c,66,6a,6c,6f,66,00,00
    "iaaiibhadllegimcop"=hex:6a,61,66,61,6f,70,64,6f,65,6d,70,64,6c,65,65,65,62,6e,
    6d,62,00,00
    "hakikpmjandahchp"=hex:6a,61,68,61,66,70,6c,6a,63,70,6b,70,70,6e,65,65,6a,6a,
    6d,6b,00,00
    .
    Completion time: 2011-04-02 15:45:48
    ComboFix-quarantined-files.txt 2011-04-02 14:45
    .
    Pre-Run: 59,086,094,336 bytes free
    Post-Run: 59,257,753,600 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 03A0BCC8F2C88488570909673A7F487F

    ************************
    DDS log

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by user at 15:53:20.14 on 02/04/2011
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_09
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015.1398 [GMT 1:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\user\Desktop\dds(3).scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
    mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
    mRun: [MBoxUtil Clean] c:\program files\konica minolta\box utility\BoxUtil.exe /clean
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rapid.lnk - c:\qaddress\rapid32.315\qarapidn.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\msoffice\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient japan\images\stg_drm.ocx
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://almcam2.lofer.at:1003//activex/AMC.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient japan\images\armhelper.ocx
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e26cpkhm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\e26cpkhm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_0.dll
    FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-9-24 19592]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-8-27 294608]
    R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-27 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-18 40384]
    R3 EUCR;ENE USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2005-5-13 40576]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-9-24 22528]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
    S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
    .
    =============== Created Last 30 ================
    .
    2011-04-02 14:32:37 -------- d-sha-r- C:\cmdcons
    2011-04-02 14:24:08 98816 ----a-w- c:\windows\sed.exe
    2011-04-02 14:24:08 89088 ----a-w- c:\windows\MBR.exe
    2011-04-02 14:24:08 256512 ----a-w- c:\windows\PEV.exe
    2011-04-02 14:24:08 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-01 11:49:27 -------- d-----w- c:\windows\$XNTUninstall643$
    2011-03-31 08:49:58 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
    2011-03-29 15:32:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-29 15:32:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-03-23 11:00:25 -------- d-----w- c:\program files\common files\L&H
    2011-03-23 10:59:50 -------- d-----w- c:\program files\Microsoft ActiveSync
    2011-03-23 09:51:09 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    2011-03-23 09:51:08 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2011-03-23 09:18:28 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Microsoft Help
    2011-03-21 14:01:36 165376 ----a-w- c:\windows\system32\unrar.dll
    2011-03-21 14:01:23 839680 ----a-w- c:\windows\system32\lameACM.acm
    2011-03-21 14:01:22 237568 ----a-w- c:\windows\system32\yv12vfw.dll
    2011-03-21 14:01:22 151552 ----a-w- c:\windows\system32\ac3acm.acm
    2011-03-21 14:01:21 810496 ----a-w- c:\windows\system32\xvidcore.dll
    2011-03-21 14:01:21 183808 ----a-w- c:\windows\system32\xvidvfw.dll
    2011-03-21 14:01:03 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-03-21 13:43:00 -------- d-----w- c:\program files\common files\DivX Shared
    2011-03-21 13:38:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2011-03-21 13:33:42 421888 ----a-w- c:\windows\system32\ac3filter.acm
    2011-03-21 13:33:25 -------- d-----w- c:\program files\XP Codec Pack
    .
    ==================== Find3M ====================
    .
    2011-02-28 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
    .
    ============= FINISH: 15:53:41.57 ===============

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi again,


    Open Notepad and copy/paste the text in the quotebox below into it:

    Code:
    Regnull::
    [HKEY_USERS\S-1-5-21-219886449-789616257-1325824072-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DACFF4A5-98A0-3937-3497-8D627EFCCB26}*]
    DDS::
    TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.


    Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + 10.0.1 update for it) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

    Uninstall your current Adobe shockwave player and get the fresh one here if needed.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 24.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



    * Go here to run an online scanner from ESET.
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is not checkmarked.
    • Click Scan
    • Wait for the scan to finish.


    Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.
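As an added illustration (not code from the thread, ComboFix or DDS), the script below re-reads the two findings Blade81 acted on in the reply above: it parses a constructed excerpt of the ComboFix "LOCKED REGISTRY KEYS" block (gluing the line-wrapped hex: continuation back together and decoding the REG_BINARY values so the reader can see what the locked key actually holds), picks the "No File" toolbar CLSIDs out of the DDS TB: lines, and lays both out in the same Regnull:: / DDS:: shape as the posted CFScript. The key path and values are copied from the logs; every function name is this example's own.

```python
import re

# Constructed excerpt of the "LOCKED REGISTRY KEYS" section of the
# ComboFix log posted above (key path and values copied from the log,
# including the line-wrapped hex continuation exactly as ComboFix prints it).
LOCKED_KEYS_EXCERPT = r"""
[HKEY_USERS\S-1-5-21-219886449-789616257-1325824072-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DACFF4A5-98A0-3937-3497-8D627EFCCB26}*]
@Allowed: (Read) (RestrictedCode)
"eaifjglknd"=hex:66,61,63,65,69,68,6d,64,6e,68,66,6c,00,31
"dangcgdi"=hex:64,62,6d,69,6f,62,6c,61,6a,6d,6a,6e,6e,68,6d,61,69,66,6f,68,6f,
62,68,67,70,61,63,6e,6a,62,68,65,67,6d,6c,66,6a,6c,6f,66,00,00
"""

# Constructed excerpt of the DDS "Pseudo HJT Report" toolbar (TB:) lines.
DDS_EXCERPT = r"""
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
"""

HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<hex>.*)$')
HEX_CONTINUATION = re.compile(r"^[0-9a-fA-F]{2}(,[0-9a-fA-F]{2})*,?$")
NO_FILE_TOOLBAR = re.compile(r"^TB: \{[0-9A-Fa-f-]+\} - No File$")


def _hex_bytes(field):
    """Turn 'hex:' list text such as '66,61,00,' into bytes."""
    return bytes(int(h, 16) for h in field.strip(",").split(",") if h)


def parse_locked_keys(text):
    """Map each [key] in a LOCKED REGISTRY KEYS dump to its hex: values.

    ComboFix wraps long REG_BINARY values onto following lines that end in
    a comma; those continuation lines are glued back onto the value.
    """
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current, pending = line[1:-1], None
            keys[current] = {}
        elif current is not None and (m := HEX_VALUE.match(line)):
            pending = m.group("name")
            keys[current][pending] = _hex_bytes(m.group("hex"))
        elif pending and HEX_CONTINUATION.match(line):
            keys[current][pending] += _hex_bytes(line)
        else:
            pending = None  # anything else ends a wrapped value
    return keys


def decode_binary(data):
    """Render bytes hexdump-style: printable ASCII as-is, the rest as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def find_no_file_toolbars(text):
    """DDS 'TB:' entries whose CLSID no longer points at any file."""
    return [ln.strip() for ln in text.splitlines() if NO_FILE_TOOLBAR.match(ln.strip())]


def build_cfscript(locked_keys, dds_lines):
    """Lay the findings out in the Regnull:: / DDS:: shape the helper used."""
    parts = []
    if locked_keys:
        parts.append("Regnull::")
        parts.extend(f"[{key}]" for key in locked_keys)
    if dds_lines:
        parts.append("DDS::")
        parts.extend(dds_lines)
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    locked = parse_locked_keys(LOCKED_KEYS_EXCERPT)
    for key, values in locked.items():
        print(f"locked key: {key}")
        for name, data in values.items():
            print(f"  {name!r}: {len(data)} bytes -> {decode_binary(data)}")
    orphans = find_no_file_toolbars(DDS_EXCERPT)
    print(build_cfscript(locked, orphans))
```

The decoded values are the same random-looking lowercase runs as the value names, which is what makes the key worth a second look when triaging such a log.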
