Click.GiftLoad

TomLL

New member
Hello,
I got blessed with a few viruses on my computer; one is Clic...., the other was Security XP2011, which I hope I got rid of manually, as it doesn't show up anymore.
I had Spybot S&D installed on my machine but despite discovering Gift.. it was not able to get rid of it. I ran Combofix but without luck. I also ran Gmer, MBR, RKunhooker and OTL - they produced reports but I did not take any action. Also I tried to run TDSSkiller but the virus would not allow it to complete initialization. As you see I'm a bit desperate.
If you can help me with cleanup without reformatting the HD I would be grateful.

Thomas

DDS report:
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 6:44:09.95 on Thu 04/28/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1632 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\QUICKENW\qw.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [PowerBar] "c:\program files\cyberlink dvd solution\multimedia launcher\PowerBar.exe" /AtBootTime
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: aol.com\free
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-24 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-3-31 13224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-24 135664]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2005-12-31 320384]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
=============== Created Last 30 ================
.
2011-04-27 17:00:37 -------- d-----w- c:\program files\ESET
2011-04-27 16:47:59 -------- d-----w- C:\_OTL
2011-04-27 15:35:24 -------- d-----w- C:\ComboFix
2011-04-27 13:45:01 -------- d-sha-r- C:\cmdcons
2011-04-27 13:40:06 98816 ----a-w- c:\windows\sed.exe
2011-04-27 13:40:06 89088 ----a-w- c:\windows\MBR.exe
2011-04-27 13:40:06 256512 ----a-w- c:\windows\PEV.exe
2011-04-27 13:40:06 161792 ----a-w- c:\windows\SWREG.exe
2011-04-27 13:30:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-26 15:19:22 -------- d-----w- c:\docume~1\owner\applic~1\RegistryKeys
2011-04-26 15:11:41 -------- d-----w- c:\program files\Free Offers from Freeze.com
2011-04-23 16:11:30 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Threat Expert
2011-04-23 00:20:35 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-23 00:20:35 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2004-10-01 20:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160827AS rev.3.42 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9C24E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9c87d0]; MOV EAX, [0x8a9c884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AA61AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000066[0x8AA3B9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AA82B00]
\Driver\atapi[0x8AA21B60] -> IRP_MJ_CREATE -> 0x8A9C24E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9C2332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 6:45:13.37 ===============
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Thomas, you're infected with a nasty Rootkit and there may be more, let's get rid of this Rootkit first

Just run this scan and post the log. DO NOT FIX ANYTHING YET

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply
 
aswMBR report

Thanks for picking up my case and here is aswMBR report:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 08:00:01
-----------------------------
08:00:01.890 OS Version: Windows 5.1.2600 Service Pack 3
08:00:01.890 Number of processors: 1 586 0x401
08:00:01.890 ComputerName: BELAIRE UserName: Owner
08:00:04.015 Initialize success
08:00:08.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
08:00:08.093 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
08:00:08.093 Device \Driver\atapi -> DriverStartIo 8a9c2332
08:00:08.093 Disk 0 MBR read error
08:00:08.093 Disk 0 MBR scan
08:00:08.093 MBR BIOS signature not found 0
08:00:08.093 Disk 0 scanning sectors +312560640
08:00:08.093 Disk 0 scanning C:\WINDOWS\system32\drivers
08:00:12.078 Service scanning
08:00:13.078 Disk 0 trace - called modules:
08:00:13.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
08:00:13.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
08:00:13.078 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
08:00:13.078 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
08:00:13.578 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
08:00:13.578 Scan finished successfully

Thomas
 
Thomas,

Let's run this first and see if it removes it

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 
TdSSKiller

It looks like this program won't run on my machine. Initialization stops at 80% and there is a problem with compatibility according to the MS report. Also I got a message that a new version of TDSSKiller is available but I could not connect to the site.
 
OK, no problem

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix

Save the log as before and post in your next reply

When your computer boots back up, run DDS and post a new log
 
aswMBR report after fix.

Here is report:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 09:29:50
-----------------------------
09:29:50.234 OS Version: Windows 5.1.2600 Service Pack 3
09:29:50.234 Number of processors: 1 586 0x401
09:29:50.234 ComputerName: BELAIRE UserName: Owner
09:29:51.593 Initialize success
09:29:55.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
09:29:55.296 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
09:29:55.296 Device \Driver\atapi -> DriverStartIo 8a9c2332
09:29:55.296 Disk 0 MBR read error
09:29:55.296 Disk 0 MBR scan
09:29:55.296 MBR BIOS signature not found 0
09:29:55.312 Disk 0 scanning sectors +312560640
09:29:55.312 Disk 0 scanning C:\WINDOWS\system32\drivers
09:29:59.421 Service scanning
09:30:00.359 Disk 0 trace - called modules:
09:30:00.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8922e890]<<
09:30:00.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
09:30:00.359 Scan finished successfully
09:30:11.265 Disk 0 MBR fix error
09:31:06.625 Disk 0 MBR fix error
 
DDS report

Here it is:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 9:50:37.37 on Tue 05/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2098 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ca.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [PowerBar] "c:\program files\cyberlink dvd solution\multimedia launcher\PowerBar.exe" /AtBootTime
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: aol.com\free
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-24 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-3-31 13224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-24 135664]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2005-12-31 320384]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
=============== Created Last 30 ================
.
2011-04-27 17:00:37 -------- d-----w- c:\program files\ESET
2011-04-27 16:47:59 -------- d-----w- C:\_OTL
2011-04-27 15:35:24 -------- d-----w- C:\ComboFix
2011-04-27 13:45:01 -------- d-sha-r- C:\cmdcons
2011-04-27 13:40:06 98816 ----a-w- c:\windows\sed.exe
2011-04-27 13:40:06 89088 ----a-w- c:\windows\MBR.exe
2011-04-27 13:40:06 256512 ----a-w- c:\windows\PEV.exe
2011-04-27 13:40:06 161792 ----a-w- c:\windows\SWREG.exe
2011-04-27 13:30:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-26 15:19:22 -------- d-----w- c:\docume~1\owner\applic~1\RegistryKeys
2011-04-26 15:11:41 -------- d-----w- c:\program files\Free Offers from Freeze.com
2011-04-23 16:11:30 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Threat Expert
2011-04-23 00:20:35 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-23 00:20:35 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2004-10-01 20:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160827AS rev.3.42 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9C24E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9c87d0]; MOV EAX, [0x8a9c884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AA61AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000066[0x8AA3B9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AA82B00]
\Driver\atapi[0x8AA21B60] -> IRP_MJ_CREATE -> 0x8A9C24E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9C2332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:52:13.65 ===============
 
Just hang on Tom. It was not removed and I am checking on why it was not, be back as soon as I can
 
Re:

Ken,
I really appreciate your efforts to help me! I'll wait for sure because that problem is way over my skills and knowledge.

Thomas
 
Thomas,

We're dealing with a possible infection of the Master Boot Record and we want to make sure we run the right tool. Yours is a slightly different variant that is showing up on the scans, so just sit tight
 
Run this please

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Now run aswMBR again to save a log, not the fix
 
DeFogger

I ran the first 5 steps of your list. After clicking "Yes" to the "Finished" message I come back to the pop-up asking me if I want to disable CD emulation drivers. No reboot request.
 
Yes, disable them, we will re-enable them when we're done

Drag your copy of aswMBR to the trash, reboot your computer and then download it again and post the log

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply
 
Second aswMBR report

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 17:10:29
-----------------------------
17:10:29.671 OS Version: Windows 5.1.2600 Service Pack 3
17:10:29.671 Number of processors: 1 586 0x401
17:10:29.671 ComputerName: BELAIRE UserName: Owner
17:10:45.890 Initialize success
17:10:53.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:10:53.093 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
17:10:53.093 Device \Driver\atapi -> DriverStartIo 8a9c2332
17:10:55.109 Disk 0 MBR read successfully
17:10:55.109 Disk 0 MBR scan
17:10:55.109 Disk 0 TDL4@MBR code has been found
17:10:55.109 Disk 0 Windows XP default MBR code found via API
17:10:55.109 Disk 0 MBR hidden
17:10:55.109 Disk 0 MBR [TDL4] **ROOTKIT**
17:10:55.109 Disk 0 trace - called modules:
17:10:55.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
17:10:55.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
17:10:55.109 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
17:10:55.109 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
17:10:55.625 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
17:10:55.625 Scan finished successfully
17:11:05.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:11:05.000 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


That's it.
 
DeFogger report

After reboot I discovered report from Defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:54 on 03/05/2011 (Owner)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
 
Those drivers we disabled were for your CD, we will enable them when we're done.

Ok, aswMBR should run ok now

Let's try it again, post the log when done and then go ahead and run DDS and post a new log


Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix for TDL4

Save the log as before and post in your next reply
 
Fix for TDL4 aswMBR report

Here it is:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 18:05:34
-----------------------------
18:05:34.828 OS Version: Windows 5.1.2600 Service Pack 3
18:05:34.828 Number of processors: 1 586 0x401
18:05:34.828 ComputerName: BELAIRE UserName: Owner
18:05:35.328 Initialize success
18:05:38.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
18:05:38.625 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
18:05:38.625 Device \Driver\atapi -> DriverStartIo 8a9c2332
18:05:40.625 Disk 0 MBR read successfully
18:05:40.625 Disk 0 MBR scan
18:05:40.625 Disk 0 TDL4@MBR code has been found
18:05:40.625 Disk 0 Windows XP default MBR code found via API
18:05:40.625 Disk 0 MBR hidden
18:05:40.625 Disk 0 MBR [TDL4] **ROOTKIT**
18:05:40.625 Disk 0 trace - called modules:
18:05:40.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
18:05:40.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
18:05:40.625 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
18:05:40.625 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
18:05:41.125 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
18:05:41.125 Scan finished successfully
18:05:52.796 Disk 0 fixing MBR ...
18:06:02.796 Disk 0 MBR restored successfully
18:06:02.796 Verifying disinfection
18:06:16.812 Infection fixed successfully - please reboot ASAP
18:06:40.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:06:40.593 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
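As an added example (not from this thread, and not AVAST's own aswMBR code), the Python below parses log lines in the aswMBR format posted above and turns the progression seen in this thread (MBR read error plus an atapi DriverStartIo redirect, then TDL4 identified once the MBR became readable, then MBR restored) into a structured verdict. The two log excerpts are constructed from the line formats in this thread rather than copied whole reports; the verdict labels and the `triage_aswmbr` / `fix_progress` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts in the aswMBR line format used in this thread (not the full reports).
LOG_BEFORE_DEFOGGER = """\
08:00:08.093 Device \\Driver\\atapi -> DriverStartIo 8a9c2332
08:00:08.093 Disk 0 MBR read error
08:00:13.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
08:00:13.578 Scan finished successfully
08:00:25.000 Disk 0 MBR fix error
"""

LOG_AFTER_FIX = """\
18:05:38.625 Device \\Driver\\atapi -> DriverStartIo 8a9c2332
18:05:40.625 Disk 0 MBR read successfully
18:05:40.625 Disk 0 TDL4@MBR code has been found
18:05:40.625 Disk 0 MBR hidden
18:05:40.625 Disk 0 MBR [TDL4] **ROOTKIT**
18:05:40.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
18:06:02.796 Disk 0 MBR restored successfully
18:06:16.812 Infection fixed successfully - please reboot ASAP
"""

_RE = {
    "start_io": re.compile(r"Device (\\Driver\\\w+) -> DriverStartIo ([0-9a-fA-F]+)"),
    "read": re.compile(r"Disk \d+ MBR read (error|successfully)"),
    "hidden": re.compile(r"Disk \d+ MBR hidden"),
    "family": re.compile(r"Disk \d+ (\w+)@MBR code has been found"),
    "rootkit": re.compile(r"Disk \d+ MBR \[(\w+)\] \*\*ROOTKIT\*\*"),
    "unknown": re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
    "fixed": re.compile(r"MBR restored successfully|Infection fixed successfully"),
    "fix_error": re.compile(r"MBR fix error"),
}


@dataclass
class AswMbrTriage:
    mbr_readable: Optional[bool] = None   # None: the log never reported a raw MBR read
    mbr_hidden: bool = False              # raw sector differs from what the Windows API returns
    families: List[str] = field(default_factory=list)         # e.g. ["TDL4"]
    start_io_hooks: List[str] = field(default_factory=list)   # "\Driver\atapi@8a9c2332"
    unknown_modules: List[str] = field(default_factory=list)  # disk-path code outside any known module
    fix_result: Optional[str] = None      # "restored", "error", or None if no fix was attempted

    def verdict(self) -> str:
        """A restored MBR supersedes the pre-fix findings logged earlier in the same run."""
        if self.fix_result == "restored":
            return "fixed-reboot-and-rescan"
        if self.families:
            return "mbr-rootkit-confirmed"
        if self.mbr_readable is False or self.start_io_hooks or self.unknown_modules:
            return "suspicious-mbr-unreadable-or-hooked"
        return "no-mbr-indicators"


def triage_aswmbr(log_text: str) -> AswMbrTriage:
    """Extract the MBR-relevant findings from one aswMBR log."""
    t = AswMbrTriage()
    for line in log_text.splitlines():
        if m := _RE["start_io"].search(line):
            t.start_io_hooks.append(f"{m.group(1)}@{m.group(2)}")
        elif m := _RE["read"].search(line):
            t.mbr_readable = m.group(1) == "successfully"
        elif _RE["hidden"].search(line):
            t.mbr_hidden = True
        elif (m := _RE["family"].search(line)) or (m := _RE["rootkit"].search(line)):
            if m.group(1) not in t.families:   # both lines name the same family
                t.families.append(m.group(1))
        elif m := _RE["unknown"].search(line):
            t.unknown_modules.append(m.group(1))
        elif _RE["fixed"].search(line):
            t.fix_result = "restored"
        elif _RE["fix_error"].search(line):
            t.fix_result = "error"
    return t


def fix_progress(before: AswMbrTriage, after: AswMbrTriage) -> List[str]:
    """Notes on what changed between two scans of the same disk."""
    notes = []
    if before.mbr_readable is False and after.mbr_readable:
        notes.append("raw MBR read now succeeds (the earlier read error hid the real sector)")
    new = [f for f in after.families if f not in before.families]
    if new:
        notes.append("rootkit family identified once the MBR was readable: " + ", ".join(new))
    if before.fix_result == "error" and after.fix_result == "restored":
        notes.append("MBR fix went from error to restored; reboot and rescan to confirm")
    return notes
```

Run `fix_progress(triage_aswmbr(LOG_BEFORE_DEFOGGER), triage_aswmbr(LOG_AFTER_FIX))` to see the three transitions this thread went through; a log with a readable MBR and no hooks or unknown modules yields the `no-mbr-indicators` verdict.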
 