
Thread: Cannot remove Click.GiftLoad

#1 Junior Member (joined Apr 2011, 16 posts)

Cannot remove Click.GiftLoad

    Hello. I would very much appreciate your help. SpyBot detects Click.GiftLoad but doesn't remove it. The computer is acting strangely, including random popups, Generic Host Process errors, blue screens, slowness, booting without icons on occasion, etc. I am running a legitimate Dell XPS 630 with XP Professional and have never torrented, etc.

    Here is the SpyBot log and the DDS log. Thank you very much!!


    Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by [Owner] at 22:52:50.76 on Wed 04/27/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22


#2 Blade81, Security Expert: Emeritus (Finland, joined Oct 2006, 25,288 posts)

    Hi,

Download aswMBR to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start the scan.

    On completion of the scan click save log, save it to your desktop and post in your next reply. Post fresh dds logs too.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

#3 Junior Member (joined Apr 2011, 16 posts)

    Thank you!! Here are the logs you asked for:

    aswMBR version 0.9.5.247 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-02 22:47:51
    -----------------------------
    22:47:51.296 OS Version: Windows 5.1.2600 Service Pack 3
    22:47:51.296 Number of processors: 4 586 0xF0B
    22:47:51.296 ComputerName: XPS630 UserName:
    22:48:12.937 Initialize success
    22:48:19.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
    22:48:19.468 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 1
    22:48:19.468 Device \Driver\nvgts -> DriverStartIo 8b0db332
    22:48:21.468 Disk 0 MBR read successfully
    22:48:21.468 Disk 0 MBR scan
    22:48:21.468 Disk 0 TDL4@MBR code has been found
    22:48:21.468 Disk 0 Windows XP default MBR code found via API
    22:48:21.468 Disk 0 MBR hidden
    22:48:21.468 Disk 0 MBR [TDL4] **ROOTKIT**
    22:48:21.468 Disk 0 trace - called modules:
    22:48:21.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b0db4e7]<<
    22:48:21.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b21f9c0]
    22:48:21.468 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8b15ba20]
    22:48:21.468 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b18ca38]
    22:48:21.468 \Driver\nvgts[0x8b18a5f0] -> IRP_MJ_CREATE -> 0x8b0db4e7
    22:48:21.468 Scan finished successfully
    22:48:38.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\MBR.dat"
    22:48:38.781 The log file has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\aswMBR-LOG.txt"


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Firstname Lastname at 22:51:44.65 on Mon 05/02/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2212 [GMT -4:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Re-Run aswMBR. Click Scan. On completion of the scan click the Fix for TDL4 (wait and reboot if prompted). Post the aswMBR log in your next reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    I ran the "Fix." It said it was successful, then I rebooted. When I ran aswMBR again, it seems to me that the same problem is present. I tried this twice to be sure, shutting down and rebooting immediately after the Fix was complete. Here is the log.

    aswMBR version 0.9.5.247 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-03 21:25:07
    -----------------------------
    21:25:07.031 OS Version: Windows 5.1.2600 Service Pack 3
    21:25:07.031 Number of processors: 4 586 0xF0B
    21:25:07.031 ComputerName: XPS630 UserName:
    21:26:39.156 Initialize success
    21:26:46.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
    21:26:46.421 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 1
    21:26:46.421 Device \Driver\nvgts -> DriverStartIo 8afa6332
    21:26:48.421 Disk 0 MBR read successfully
    21:26:48.421 Disk 0 MBR scan
    21:26:48.421 Disk 0 TDL4@MBR code has been found
    21:26:48.421 Disk 0 Windows XP default MBR code found via API
    21:26:48.421 Disk 0 MBR hidden
    21:26:48.421 Disk 0 MBR [TDL4] **ROOTKIT**
    21:26:48.421 Disk 0 trace - called modules:
    21:26:48.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8afa64e7]<<
    21:26:48.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b07aab8]
    21:26:48.421 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8af96b18]
    21:26:48.421 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8af65a38]
    21:26:48.421 \Driver\nvgts[0x8aff8360] -> IRP_MJ_CREATE -> 0x8afa64e7
    21:26:48.421 Scan finished successfully
    21:27:19.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\First Last\Desktop\MBR.dat"
    21:27:19.421 The log file has been saved successfully to "C:\Documents and Settings\First Last\Desktop\aswMBR_LogMay3.txt"

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Please reboot and after that download a fresh copy of aswMBR. Run it like earlier and post back the log.

  7. #7
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Rebooted, downloaded a fresh copy and ran a scan again. Here is the log:

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-04 01:47:39
    -----------------------------
    01:47:39.468 OS Version: Windows 5.1.2600 Service Pack 3
    01:47:39.468 Number of processors: 4 586 0xF0B
    01:47:39.468 ComputerName: XPS630 UserName:
    01:47:41.000 Initialize success
    01:47:43.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
    01:47:43.390 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 1
    01:47:43.390 Device \Driver\nvgts -> DriverStartIo 8b00c332
    01:47:45.390 Disk 0 MBR read successfully
    01:47:45.390 Disk 0 MBR scan
    01:47:45.390 Disk 0 TDL4@MBR code has been found
    01:47:45.390 Disk 0 Windows XP default MBR code found via API
    01:47:45.390 Disk 0 MBR hidden
    01:47:45.390 Disk 0 MBR [TDL4] **ROOTKIT**
    01:47:45.390 Disk 0 trace - called modules:
    01:47:45.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b00c4e7]<<
    01:47:45.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afba9c0]
    01:47:45.390 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8affda20]
    01:47:45.390 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b01da38]
    01:47:45.390 \Driver\nvgts[0x8af8d5f0] -> IRP_MJ_CREATE -> 0x8b00c4e7
    01:47:45.390 Scan finished successfully
    01:47:58.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\MBR.dat"
    01:47:58.765 The log file has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\FRESHaswMBR.txt"

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Please use Fix button there and reboot when prompted (save the log). Post back the report.

  9. #9
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Ok. I clicked "Fix" then rebooted. On reboot I had no icons, so I used CTRL-ALT-DEL to get Task Manager to Restart again. Once I was running with icons, I downloaded ANOTHER fresh copy of aswMBR and did a scan. Here are the results:

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-04 01:56:58
    -----------------------------
    01:56:58.812 OS Version: Windows 5.1.2600 Service Pack 3
    01:56:58.812 Number of processors: 4 586 0xF0B
    01:56:58.812 ComputerName: XPS630 UserName:
    01:57:00.703 Initialize success
    01:57:02.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
    01:57:02.906 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 1
    01:57:02.906 Device \Driver\nvgts -> DriverStartIo 8b144332
    01:57:04.906 Disk 0 MBR read successfully
    01:57:04.906 Disk 0 MBR scan
    01:57:04.906 Disk 0 TDL4@MBR code has been found
    01:57:04.906 Disk 0 Windows XP default MBR code found via API
    01:57:04.906 Disk 0 MBR hidden
    01:57:04.906 Disk 0 MBR [TDL4] **ROOTKIT**
    01:57:04.906 Disk 0 trace - called modules:
    01:57:04.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b1444e7]<<
    01:57:04.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b15bab8]
    01:57:04.906 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8b173aa8]
    01:57:04.906 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b21da38]
    01:57:04.906 \Driver\nvgts[0x8b0ed598] -> IRP_MJ_CREATE -> 0x8b1444e7
    01:57:04.906 Scan finished successfully
    01:57:26.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\MBR.dat"
    01:57:26.656 The log file has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\FRESHESTaswMBR.txt"

  10. #10
    Junior Member
    Join Date
    Apr 2011
    Posts
    16

    Just to try something a little different, I just clicked "Fix" again, then exited, then ran aswMBR again and did a Scan without rebooting. This produces different results with different lines in red print and it no longer says ROOTKIT. It appears that the rootkit is re-establishing itself whenever I reboot.

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-04 02:00:59
    -----------------------------
    02:00:59.109 OS Version: Windows 5.1.2600 Service Pack 3
    02:00:59.109 Number of processors: 4 586 0xF0B
    02:00:59.109 ComputerName: XPS630 UserName:
    02:01:00.468 Initialize success
    02:01:01.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
    02:01:01.734 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 1
    02:01:01.734 Device \Driver\nvgts -> DriverStartIo 8b144332
    02:01:03.734 Disk 0 MBR read successfully
    02:01:03.734 Disk 0 MBR scan
    02:01:03.734 Disk 0 Windows XP default MBR code
    02:01:05.734 Disk 0 scanning sectors +1953504000
    02:01:05.750 Disk 0 scanning C:\WINDOWS\system32\drivers
    02:01:13.015 Service scanning
    02:01:14.000 Disk 0 trace - called modules:
    02:01:14.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b1444e7]<<
    02:01:14.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b15bab8]
    02:01:14.000 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8b173aa8]
    02:01:14.000 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8b21da38]
    02:01:14.000 \Driver\nvgts[0x8b0ed598] -> IRP_MJ_CREATE -> 0x8b1444e7
    02:01:14.000 Scan finished successfully
    02:01:23.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\MBR.dat"
    02:01:23.234 The log file has been saved successfully to "C:\Documents and Settings\Firstname Lastname\Desktop\FixFreshScanaswMBR.txt"

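The pattern in the last two scans (MBR reads clean right after Fix, then shows TDL4 again after a reboot) can be checked mechanically rather than by eye. The following Python is an added example written for this thread, not code from aswMBR, AVAST or anyone posting here; it parses the log format shown in the posts above (the embedded sample lines are abbreviated copies of the logs posted in #9 and #10, constructed for the example) and compares the two scans. The function names `parse_aswmbr_log` and `assess_fix_cycle`, the `MbrVerdict` fields and the verdict labels are my own.

```python
"""Added example: parse aswMBR scan logs and judge whether an MBR rootkit
survives a Fix + reboot cycle. Illustrative code for this thread only, not
part of aswMBR or any vendor tool."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: abbreviated copies of the aswMBR logs quoted in this thread.
SCAN_AFTER_FIX_AND_REBOOT = """\
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 01:56:58
-----------------------------
01:57:04.906 Disk 0 MBR read successfully
01:57:04.906 Disk 0 MBR scan
01:57:04.906 Disk 0 TDL4@MBR code has been found
01:57:04.906 Disk 0 Windows XP default MBR code found via API
01:57:04.906 Disk 0 MBR hidden
01:57:04.906 Disk 0 MBR [TDL4] **ROOTKIT**
01:57:04.906 Disk 0 trace - called modules:
01:57:04.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b1444e7]<<
01:57:04.906 Scan finished successfully
"""

SCAN_AFTER_FIX_NO_REBOOT = """\
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 02:00:59
-----------------------------
02:01:03.734 Disk 0 MBR read successfully
02:01:03.734 Disk 0 MBR scan
02:01:03.734 Disk 0 Windows XP default MBR code
02:01:14.000 Disk 0 trace - called modules:
02:01:14.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8b1444e7]<<
02:01:14.000 Scan finished successfully
"""

RUN_DATE_RE = re.compile(r"^Run date: (?P<date>.+)$", re.MULTILINE)
ROOTKIT_RE = re.compile(r"MBR \[(?P<family>[^\]]+)\] \*\*ROOTKIT\*\*")
FOUND_RE = re.compile(r"(?P<family>\w+)@MBR code has been found")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")


@dataclass
class MbrVerdict:
    run_date: str
    rootkit_family: Optional[str]  # e.g. "TDL4"; None when the MBR reads clean
    mbr_hidden: bool               # raw sector read and the Windows API disagree
    unknown_hook: Optional[str]    # address of code aswMBR could not attribute to a driver
    scan_finished: bool

    @property
    def infected(self) -> bool:
        return self.rootkit_family is not None


def parse_aswmbr_log(text: str) -> MbrVerdict:
    """Extract the MBR verdict from one aswMBR log.

    "TDL4@MBR code has been found" next to "default MBR code found via API" and
    "MBR hidden" means the raw read and the OS view of sector 0 disagree, which
    is the hiding behaviour the tool flags as a rootkit.
    """
    date_m = RUN_DATE_RE.search(text)
    if date_m is None:
        raise ValueError("not an aswMBR log: no 'Run date:' header")
    family = None
    m = ROOTKIT_RE.search(text) or FOUND_RE.search(text)
    if m:
        family = m.group("family")
    hook = UNKNOWN_RE.search(text)
    return MbrVerdict(
        run_date=date_m.group("date").strip(),
        rootkit_family=family,
        mbr_hidden="MBR hidden" in text,
        unknown_hook=hook.group("addr") if hook else None,
        scan_finished="Scan finished successfully" in text,
    )


def assess_fix_cycle(log_no_reboot: str, log_after_reboot: str) -> str:
    """Compare a scan taken right after Fix (no reboot) with one taken after
    Fix + reboot. A sector that reads clean and is infected again after boot
    points at a component that rewrites the MBR at startup, so rewriting the
    sector alone will not hold."""
    before = parse_aswmbr_log(log_no_reboot)
    after = parse_aswmbr_log(log_after_reboot)
    if not before.infected and not after.infected:
        return "clean"
    if not before.infected and after.infected:
        return "reinfected_on_boot"
    if before.infected and after.infected:
        return "fix_ineffective"
    return "inconsistent"  # infected before reboot but clean after; report, do not guess


if __name__ == "__main__":
    for name, log in (("no reboot", SCAN_AFTER_FIX_NO_REBOOT),
                      ("after reboot", SCAN_AFTER_FIX_AND_REBOOT)):
        print(name, parse_aswmbr_log(log))
    print(assess_fix_cycle(SCAN_AFTER_FIX_NO_REBOOT, SCAN_AFTER_FIX_AND_REBOOT))
```

Two things the parser surfaces that the ROOTKIT line alone does not: the `mbr_hidden` flag records the raw-versus-API disagreement, and `unknown_hook` stays set (`0x8b1444e7`) even in the scan where the MBR reads clean, so the "clean" result in #10 only says the sector was rewritten, not that the resident component is gone. That is consistent with the reinfection seen after every reboot.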