Hello, and thank you very much in advance for your help.
A few days ago my PC spontaneously restarted, and after the reboot Windows notified me that it had recovered from a serious error. Then I tried to install the latest Windows update, but the installation failed; soon I couldn't even access the Windows Update page. I ran Spybot-S&D and it found Click.GiftLoad. Now I'm working in safe mode (as I can do nothing in normal mode, everything runs too slowly). Since then I've only connected the computer to the internet to download ERUNT, DDS, etc. and to read the forum. I have also run ATF Cleaner, GooredFix and TDSSKiller as suggested by a friend, but it didn't work.
Thank you very much again.
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by andres1 at 18:59:26,95 on 08/05/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.3082.18.1023.765 [GMT 2:00]
.
AV: Panda Antivirus Pro 2010 *Enabled/Updated* {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
FW: Panda Personal Firewall 2010 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\andres1\Escritorio\shazam\spybot\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.es/
uInternet Connection Wizard,ShellNext = hxxp://www.pandasoftware.com/redirector/?prod=104&app=KeysSupport&lang=spa
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\andres1\config~1\temp\bldjad.exe
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [NeroFilterCheck] c:\archivos de programa\archivos comunes\ahead\lib\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SoundMAXPnP] c:\archivos de programa\analog devices\core\smax4pnp.exe
mRun: [XboxStat] "c:\archivos de programa\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [APVXDWIN] "c:\archivos de programa\panda security\panda antivirus pro 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\archivos de programa\panda security\panda antivirus pro 2010\Inicio.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\qttask.exe" -atboottime
mRun: [CERTUI] c:\archivos de programa\acotec\certui\CerTUI.exe
mRun: [RegistrarUsrDNIeCertStoreDLL] "c:\archivos de programa\dnie\udcs.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\andres1\menini~1\progra~1\inicio\certui.lnk - c:\archivos de programa\acotec\certui\CerTui.exe
StartupFolder: c:\docume~1\andres1\menini~1\progra~1\inicio\uninst~1.lnk - c:\windows\certui\uninstall.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\logite~1.lnk - c:\archivos de programa\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableUA = 0 (0x0)
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: fnmt.es\www.cert
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFB} - hxxps://www.juntadeandalucia.es/economiayhacienda/apl/surnet/firma/instalacion/SignV2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} - hxxps://www.cert.fnmt.es/content/pages_std/ficheros_apps_usuarios/capicom.cab
DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} - hxxps://www1.aeat.es/imagenes/comun/cactivex.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\archiv~1\markany\conten~1\MACSMA~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mrjmptwa.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\andres1\datosd~1\mozilla\firefox\profiles\d7wjsik5.default\
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Acotec PKCS#11: acotec@acotec.es - c:\archivos de programa\mozilla firefox\extensions\acotec@acotec.es
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2010-6-19 159112]
R2 aawservice;Ad-Aware 2007 Service;c:\archivos de programa\lavasoft\ad-aware 2007\aawservice.exe [2007-6-5 607576]
R3 NETIMFLT01060039;PANDA NDIS IM Filter Miniport v1.6.0.39;c:\windows\system32\drivers\neti1639.sys [2010-6-19 199432]
S0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2010-6-19 28552]
S1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2010-6-19 75016]
S1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2010-6-19 53128]
S1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2010-6-19 22072]
S1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2010-6-19 193800]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2010-6-19 41144]
S1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2010-6-19 46728]
S2 ckfhatpqubgol;ckfhatpqubgol;"c:\docume~1\andres1\config~1\temp\dat1aed.tmp.exe" --service --> c:\docume~1\andres1\config~1\temp\DAT1AED.tmp.exe [?]
S2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
S2 Panda Software Controller;Panda Software Controller;c:\archivos de programa\panda security\panda antivirus pro 2010\PsCtrlS.exe [2010-6-19 173312]
S2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2010-6-19 84024]
S2 PAVFNSVR;Panda Function Service;c:\archivos de programa\panda security\panda antivirus pro 2010\PavFnSvr.exe [2010-6-19 169216]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2010-6-19 163336]
S2 PavPrSrv;Panda Process Protection Service;c:\archivos de programa\archivos comunes\panda security\pavshld\PavPrSrv.exe [2010-6-19 62768]
S2 PAVSRV;Panda On-Access Anti-Malware Service;c:\archivos de programa\panda security\panda antivirus pro 2010\PAVSRV51.EXE [2010-6-19 291584]
S2 PskSvcRetail;Panda PSK service;c:\archivos de programa\panda security\panda antivirus pro 2010\psksvc.exe [2010-6-19 28928]
S2 srvA50;srvA50;c:\windows\system32\svchost.exe -k netsvcs [2006-3-2 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [2011-4-30 16648]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\rkpavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 RkPavproc3;RkPavproc3;\??\c:\windows\system32\drivers\rkpavproc3.sys --> c:\windows\system32\drivers\RkPavproc3.sys [?]
S3 RkPavproc4;RkPavproc4;\??\c:\windows\system32\drivers\rkpavproc4.sys --> c:\windows\system32\drivers\RkPavproc4.sys [?]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-14 50048]
.
=============== File Associations ===============
.
JSEFile=c:\archiv~1\pandas~2\pandaa~1\PAVSCRIP.EXE "%1" %*
VBEFile=c:\archiv~1\pandas~2\pandaa~1\PAVSCRIP.EXE "%1" %*
VBSFile=c:\archiv~1\pandas~2\pandaa~1\PAVSCRIP.EXE "%1" %*
.
=============== Created Last 30 ================
.
2011-05-05 16:12:06 -------- d-----w- C:\PANDA
2011-04-30 16:39:03 16648 ----a-w- c:\windows\system32\drivers\RkPavproc1.sys
2011-04-29 23:32:51 0 ----a-w- c:\windows\system32\tmp.tmp
2011-04-29 20:42:09 37888 ----a-w- c:\windows\system32\mrjmptwa.dll
2011-04-29 20:40:28 11968 ----a-w- c:\archivos de programa\mozilla firefox\null0.8191773321168803.exe
2011-04-13 18:19:48 196608 ----a-w- C:\aeat.dll
2011-04-12 20:24:21 -------- d-----w- c:\archivos de programa\DNIe
2011-04-12 18:32:01 -------- d-----w- c:\windows\CerTUI
2011-04-12 18:32:01 -------- d-----w- c:\archivos de programa\ACOTEC
.
==================== Find3M ====================
.
2011-03-21 18:13:18 295042 ----a-w- c:\windows\system32\shimg.dll
2011-03-07 05:33:36 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 08:43:22 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53:03 1858048 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 18:55:28 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 18:55:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 18:55:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 18:55:27 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 12:54:06 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:27 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:27 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:28 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6V320F0 rev.VA111900 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E45730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86e4ba10]; MOV EAX, [0x86e4ba8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F36AB8]
3 CLASSPNP[0xF762FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86EFDAE8]
\Driver\atapi[0x86ED0D28] -> IRP_MJ_CREATE -> 0x86E45730
error: Read One of the devices attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E4557B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:01:15,96 ===============

Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2007-06-29 unins000.exe (51.41.0.0)
2009-04-02 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-03-29 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-05-03 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-05-03 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-05-02 Includes\TrojansC-02.sbi (*)
2011-05-03 Includes\TrojansC-03.sbi (*)
2011-05-03 Includes\TrojansC-04.sbi (*)
2011-05-04 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
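A small triage script for the kind of indicators visible in the DDS log above, added here as an example; it is not part of the original post, of DDS, or of any Panda or Spybot tool. It parses the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats and flags four patterns that appear in this log: an executable appended to the Winlogon Userinit value, a SecurityProviders DLL that is not in the stock list, a service whose image path lives under a per-user temp directory, and an svchost-hosted service with no descriptive display name. The sample input is copied from the log posted above. The default SecurityProviders list and the temp-path markers are assumptions about a stock Windows XP install, and the "bare display name" rule for svchost-hosted services is a heuristic of mine, not a DDS rule.

```python
"""Flag a few persistence indicators in DDS 'Pseudo HJT Report' / service lines."""
import re

# Stock Windows XP value of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
# (assumption: clean XP SP3; other Windows versions ship a different list).
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Path fragments that mark per-user temp locations on XP (long and 8.3 forms); assumption.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\config~1\\temp\\", "\\temp\\")

# DDS service/driver lines start with a state code such as "S2 " or "R1 ".
SERVICE_LINE = re.compile(r"^[RS]\d ")

# Sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\andres1\config~1\temp\bldjad.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mrjmptwa.dll
S2 ckfhatpqubgol;ckfhatpqubgol;"c:\docume~1\andres1\config~1\temp\dat1aed.tmp.exe" --service --> c:\docume~1\andres1\config~1\temp\DAT1AED.tmp.exe [?]
S2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
S2 PAVSRV;Panda On-Access Anti-Malware Service;c:\archivos de programa\panda security\panda antivirus pro 2010\PAVSRV51.EXE [2010-6-19 291584]
S2 srvA50;srvA50;c:\windows\system32\svchost.exe -k netsvcs [2006-3-2 14336]
"""


def _split_csv(value):
    """Split a comma-separated registry value into lower-cased, non-empty entries."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def check_userinit(line):
    """Userinit should name only userinit.exe; anything else listed runs at every logon."""
    entries = _split_csv(line.split("=", 1)[1])
    return [e for e in entries if not e.endswith("\\userinit.exe")]


def check_security_providers(line):
    """Every DLL in SecurityProviders is loaded into lsass.exe; return those not in the stock list."""
    return sorted(set(_split_csv(line.split(":", 1)[1])) - KNOWN_SECURITY_PROVIDERS)


def check_service(line):
    """Return (indicator, service name) for one DDS service line, or None if nothing stands out."""
    fields = line[3:].split(";", 2)  # "<name>;<display name>;<image path> [details]"
    if len(fields) != 3:
        return None
    name, display, image = (f.strip() for f in fields)
    image_l = image.lower()
    if any(marker in image_l for marker in TEMP_MARKERS):
        return ("service_in_temp", name)
    if "svchost" in image_l and name.lower() == display.lower():
        # Heuristic: genuine svchost-hosted services carry a descriptive display name;
        # a service whose display name is just its own short name is worth a look.
        return ("svchost_bare_name", name)
    return None


def triage(log_text):
    """Run all checks over a DDS log and return a list of (indicator, detail) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("mWinlogon: Userinit="):
            extra = check_userinit(line)
            if extra:
                findings.append(("userinit_extra", extra))
        elif line.startswith("SecurityProviders:"):
            unknown = check_security_providers(line)
            if unknown:
                findings.append(("securityproviders_unknown", unknown))
        elif SERVICE_LINE.match(line):
            hit = check_service(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

Run against the sample, the script reports the appended Userinit entry in the user's temp directory, mrjmptwa.dll as an unlisted security provider, ckfhatpqubgol as a service running from temp, and srvA50 as an svchost-hosted service with a bare display name; the Panda services pass. Each finding is a starting point for checking the file's creation time and signature (the log's "Created Last 30" section already dates mrjmptwa.dll to 2011-04-29), not a verdict on its own.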