Still hijacking after using restore point

Hi peku006,

Eset report:

D:\Documents\Old net downloads\sdax2101.exe Win32/Adware.WhenU.SaveNow application
D:\Documents\Received files\DigitalSmart-Audio-Recorder-for-FREE-Installer.EXE Win32/Adware.WhenU.SaveNow application
D:\Documents\Received files\Program Suite 2010\xf-colorefex3.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\Dfine2-rev2.102EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\SharpenerPro3-rev3.001EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\SilverEfexPro-rev1.003EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Documents\Received files\Program Suite 2010\iveza-rev1.002EN.exe NSIS/TrojanDownloader.Agent.NBS.Gen trojan
D:\Name\Levelek\mail.btinternet.com\Inbox a variant of Win32/HackTool.Patcher.A application
D:\Name\Levelek\mail.btinternet.com\Sent a variant of Win32/HackTool.Patcher.A application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 148.zip a variant of WMA/TrojanDownloader.GetCodec.gen trojan
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 23.zip a variant of Win32/HackTool.Patcher.A application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 25.zip a variant of Win32/HackTool.Patcher.A application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 5.zip Win32/Adware.WhenU.SaveNow application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-11-01 173755\Backup files 6.zip Win32/Adware.WhenU.SaveNow application
G:\PC\Backup Set 2009-11-01 173755\Backup Files 2009-12-06 190002\Backup files 4.zip a variant of Win32/HackTool.Patcher.A application


****************************************************

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:56:09, on 16/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
D:\Peter\Trojaiellenes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [BrowserChoice] browserchoice.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6101 bytes


Thanks,
cobo
 
Hi cobo

I cannot find anything "suspicious", so let's try this:

Close Firefox.
On your keyboard hit the Windows key and R simultaneously.

In the Run box type in this command and hit enter.

"%PROGRAMFILES%\Mozilla Firefox\firefox.exe" -safe-mode

Don't make any changes.
Click on Continue in Safe Mode

Firefox should start up. It may look unusual but it will work.
Let me know if your issue happens with Firefox in this mode.

Thanks peku006
 
Hi cobo

It appears that you have a TDL3 rootkit, and the tools that we normally use are not working on Windows 7.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *iastor*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006
 
Hello peku

Thanks for that, here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:25 on 17/04/2010 by Zsolt (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor*"
C:\Windows\inf\iastorv.inf --a--- 14004 bytes [04:51 14/07/2009] [04:51 14/07/2009] EAEE055AC902E8A9C45377A6F4E199B5
C:\Windows\inf\iastorv.PNF --a--- 17612 bytes [04:38 14/07/2009] [04:38 14/07/2009] 0B02E76F6BAD88802970F09EDADCEB62
C:\Windows\System32\DriverStore\en-US\iastorv.inf_loc --a--- 2036 bytes [04:54 14/07/2009] [02:04 14/07/2009] F55899C679D9851CCEAF0A4E1983A520
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iastorv.inf --a--- 14004 bytes [20:49 13/07/2009] [20:49 13/07/2009] EAEE055AC902E8A9C45377A6F4E199B5
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iastorv.PNF --a--- 16884 bytes [04:51 14/07/2009] [04:51 14/07/2009] 99FFD122C1B5693457E7F2C45E94D8C4
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\System32\drivers\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\winsxs\Manifests\x86_iastorv.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_6a53a1b100db3f49.manifest --a--- 1113 bytes [04:55 14/07/2009] [04:55 14/07/2009] 5D132FB028836EA4C6342D5757DF16D5
C:\Windows\winsxs\Manifests\x86_iastorv.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e8ca5196e3515d38.manifest --a--- 1781 bytes [04:54 14/07/2009] [02:28 14/07/2009] 9B395173BA10EA76B5B01676B8E7B341
C:\Windows\winsxs\Manifests\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000.manifest --a--- 2087 bytes [04:48 14/07/2009] [04:48 14/07/2009] BF4E86A933AC44DB292DE55993CD46EA
C:\Windows\winsxs\x86_iastorv.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e8ca5196e3515d38\iastorv.inf_loc --a--- 2036 bytes [04:54 14/07/2009] [02:04 14/07/2009] F55899C679D9851CCEAF0A4E1983A520
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iastorv.inf --a--- 14004 bytes [20:49 13/07/2009] [20:49 13/07/2009] EAEE055AC902E8A9C45377A6F4E199B5
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67

-=End Of File=-


cobo
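The SystemLook ":filefind" log above lists an MD5 for every copy of the driver it found, which is what makes it possible to compare the live driver in System32\drivers against the pristine copies Windows keeps in DriverStore and winsxs. The script below is an added example written for this thread, not part of SystemLook or of the original posts: it parses lines in that format and reports, per file name, whether the live copy's hash matches a reference copy. The three iaStorV.sys lines are taken from the log above; the "example.sys" lines, their path and their hashes are constructed placeholders that show what a mismatch looks like.

```python
import re
from collections import defaultdict

# Lines in the SystemLook ":filefind" output format. The three iaStorV.sys lines
# are copied from the log in this thread; the two "example.sys" lines are
# constructed (placeholder path and hashes) to show what a mismatch looks like.
SAMPLE_LOG = r"""
Searching for "*iastor*"
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\System32\drivers\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys --a--- 332352 bytes [21:19 10/06/2009] [01:20 14/07/2009] 934AF4D7C5F457B9F0743F4299B77B67
C:\Windows\System32\drivers\example.sys --a--- 21584 bytes [10:37 18/04/2010] [10:37 18/04/2010] 00000000000000000000000000000001
C:\Windows\winsxs\x86_example.inf_PLACEHOLDER\example.sys --a--- 21584 bytes [23:11 13/07/2009] [23:11 13/07/2009] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Location of the driver copy the kernel actually loads (matched case-insensitively).
LIVE_DIR = "\\system32\\drivers\\"


def parse_filefind(text):
    """Return one dict per result line; header lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def is_live_copy(path):
    """True for the copy under System32/drivers, False for DriverStore/winsxs copies."""
    return LIVE_DIR in path.lower()


def check_driver_consistency(entries):
    """Group results by file name and compare the live copy's MD5 against the
    reference copies. Returns {file name: 'ok' | 'MISMATCH' | 'no live copy' |
    'no reference copy'}."""
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["path"].rsplit("\\", 1)[-1].lower()].append(entry)

    verdicts = {}
    for name, copies in by_name.items():
        live = [c for c in copies if is_live_copy(c["path"])]
        refs = [c for c in copies if not is_live_copy(c["path"])]
        if not live:
            verdicts[name] = "no live copy"
        elif not refs:
            verdicts[name] = "no reference copy"
        else:
            ref_hashes = {r["md5"] for r in refs}
            verdicts[name] = "ok" if all(c["md5"] in ref_hashes for c in live) else "MISMATCH"
    return verdicts


def audit(text):
    """Parse a SystemLook filefind log and return the per-file verdicts."""
    return check_driver_consistency(parse_filefind(text))


if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_LOG).items()):
        print(f"{name:20s} {verdict}")
```

A matching hash is a weaker signal than it looks here: a rootkit that hooks the disk stack below the file system (the behaviour the thread goes on to confirm on atapi) can return the original bytes to any user-mode reader, so SystemLook sees a clean file while the loaded driver is not. That is why the next step in the thread moves to a tool with its own kernel driver.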
 
Hi cobo

  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe onto the desktop, not into the folder.
  3. Vista Start logo > All Programs > Accessories > RIGHT-click on Command Prompt and select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Thanks peku006
 
Hi peku,

The report:

11:36:37:923 3536 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
11:36:37:923 3536 ================================================================================
11:36:37:923 3536 SystemInfo:

11:36:37:923 3536 OS Version: 6.1.7600 ServicePack: 0.0
11:36:37:923 3536 Product type: Workstation
11:36:37:923 3536 ComputerName: PC
11:36:37:923 3536 UserName: Zsolt
11:36:37:923 3536 Windows directory: C:\Windows
11:36:37:923 3536 Processor architecture: Intel x86
11:36:37:923 3536 Number of processors: 2
11:36:37:923 3536 Page size: 0x1000
11:36:37:923 3536 Boot type: Normal boot
11:36:37:923 3536 ================================================================================
11:36:37:923 3536 UnloadDriverW: NtUnloadDriver error 2
11:36:37:923 3536 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:36:38:126 3536 wfopen_ex: Trying to open file C:\Windows\system32\config\system
11:36:38:126 3536 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:36:38:126 3536 wfopen_ex: Trying to KLMD file open
11:36:38:126 3536 wfopen_ex: File opened ok (Flags 2)
11:36:38:142 3536 wfopen_ex: Trying to open file C:\Windows\system32\config\software
11:36:38:142 3536 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:36:38:142 3536 wfopen_ex: Trying to KLMD file open
11:36:38:142 3536 wfopen_ex: File opened ok (Flags 2)
11:36:38:157 3536 Initialize success
11:36:38:157 3536
11:36:38:157 3536 Scanning Services ...
11:36:39:048 3536 Raw services enum returned 464 services
11:36:39:079 3536
11:36:39:079 3536 Scanning Kernel memory ...
11:36:39:079 3536 Devices to scan: 2
11:36:39:079 3536
11:36:39:079 3536 Driver Name: USBSTOR
11:36:39:079 3536 IRP_MJ_CREATE : 8F5E2A02
11:36:39:079 3536 IRP_MJ_CREATE_NAMED_PIPE : 82AE9447
11:36:39:079 3536 IRP_MJ_CLOSE : 8F5E2A7A
11:36:39:079 3536 IRP_MJ_READ : 8F5E2AF2
11:36:39:079 3536 IRP_MJ_WRITE : 8F5E2AF2
11:36:39:079 3536 IRP_MJ_QUERY_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_EA : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_EA : 82AE9447
11:36:39:079 3536 IRP_MJ_FLUSH_BUFFERS : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_VOLUME_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_VOLUME_INFORMATION : 82AE9447
11:36:39:079 3536 IRP_MJ_DIRECTORY_CONTROL : 82AE9447
11:36:39:079 3536 IRP_MJ_FILE_SYSTEM_CONTROL : 82AE9447
11:36:39:079 3536 IRP_MJ_DEVICE_CONTROL : 8F5E25FE
11:36:39:079 3536 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F5D5656
11:36:39:079 3536 IRP_MJ_SHUTDOWN : 82AE9447
11:36:39:079 3536 IRP_MJ_LOCK_CONTROL : 82AE9447
11:36:39:079 3536 IRP_MJ_CLEANUP : 82AE9447
11:36:39:079 3536 IRP_MJ_CREATE_MAILSLOT : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_SECURITY : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_SECURITY : 82AE9447
11:36:39:079 3536 IRP_MJ_POWER : 8F5E09BA
11:36:39:079 3536 IRP_MJ_SYSTEM_CONTROL : 8F5DD88E
11:36:39:079 3536 IRP_MJ_DEVICE_CHANGE : 82AE9447
11:36:39:079 3536 IRP_MJ_QUERY_QUOTA : 82AE9447
11:36:39:079 3536 IRP_MJ_SET_QUOTA : 82AE9447
11:36:39:095 3536 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
11:36:39:095 3536
11:36:39:095 3536 Driver Name: atapi
11:36:39:095 3536 IRP_MJ_CREATE : 856DFAC8
11:36:39:095 3536 IRP_MJ_CREATE_NAMED_PIPE : 856DFAC8
11:36:39:095 3536 IRP_MJ_CLOSE : 856DFAC8
11:36:39:095 3536 IRP_MJ_READ : 856DFAC8
11:36:39:095 3536 IRP_MJ_WRITE : 856DFAC8
11:36:39:095 3536 IRP_MJ_QUERY_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_SET_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_QUERY_EA : 856DFAC8
11:36:39:095 3536 IRP_MJ_SET_EA : 856DFAC8
11:36:39:095 3536 IRP_MJ_FLUSH_BUFFERS : 856DFAC8
11:36:39:095 3536 IRP_MJ_QUERY_VOLUME_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_SET_VOLUME_INFORMATION : 856DFAC8
11:36:39:095 3536 IRP_MJ_DIRECTORY_CONTROL : 856DFAC8
11:36:39:095 3536 IRP_MJ_FILE_SYSTEM_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_DEVICE_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_INTERNAL_DEVICE_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_SHUTDOWN : 856DFAC8
11:36:39:110 3536 IRP_MJ_LOCK_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_CLEANUP : 856DFAC8
11:36:39:110 3536 IRP_MJ_CREATE_MAILSLOT : 856DFAC8
11:36:39:110 3536 IRP_MJ_QUERY_SECURITY : 856DFAC8
11:36:39:110 3536 IRP_MJ_SET_SECURITY : 856DFAC8
11:36:39:110 3536 IRP_MJ_POWER : 856DFAC8
11:36:39:110 3536 IRP_MJ_SYSTEM_CONTROL : 856DFAC8
11:36:39:110 3536 IRP_MJ_DEVICE_CHANGE : 856DFAC8
11:36:39:110 3536 IRP_MJ_QUERY_QUOTA : 856DFAC8
11:36:39:110 3536 IRP_MJ_SET_QUOTA : 856DFAC8
11:36:39:110 3536 Driver "atapi" infected by TDSS rootkit!
11:36:39:110 3536 C:\Windows\system32\DRIVERS\atapi.sys - Verdict: 1
11:36:39:110 3536 File "C:\Windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
11:36:39:110 3536 Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
11:36:39:470 3536 vfvi6
11:36:39:532 3536 dsvbh1
11:36:40:157 3536 fdfb1
11:36:40:157 3536 Backup copy found, using it..
11:36:40:157 3536 will be cured on next reboot
11:36:40:157 3536 Reboot required for cure complete..
11:36:40:313 3536 Cure on reboot scheduled successfully
11:36:40:313 3536
11:36:40:313 3536 Completed
11:36:40:313 3536
11:36:40:313 3536 Results:
11:36:40:313 3536 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:36:40:313 3536 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:36:40:313 3536 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:36:40:313 3536
11:36:40:313 3536 fclose_ex: Trying to close file C:\Windows\system32\config\system
11:36:40:313 3536 fclose_ex: Trying to close file C:\Windows\system32\config\software
11:36:40:313 3536 UnloadDriverW: NtUnloadDriver error 1
11:36:40:329 3536 MyDeleteFileW: MyNtCreateFile (C:\Windows\system32\drivers\klmd.sys) error 32
11:36:40:329 3536 KLMD(ARK) unloaded successfully



*************************************************


I don't know whether this was supposed to fix it (based on the report), but unfortunately the redirections still exist. Do you think I have to reinstall Win7 to get rid of this tdl3?

Thanks,
cobo
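The TDSSKiller log above is worth reading beyond its verdict line. For USBSTOR the IRP dispatch table mixes the driver's own handlers (addresses starting 8F5E...) with one shared address for the majors it does not implement, while for atapi every one of the 27 majors points at the same address, 856DFAC8: the driver object's whole dispatch table has been redirected, which is exactly how this rootkit sits under the disk stack. The script below is an added example written for this thread, not part of TDSSKiller or of the original posts. It parses "Driver Name:" blocks and their IRP_MJ lines, flags any driver whose every major resolves to a single address, and also collects the drivers the tool itself declared infected. The sample log is rebuilt from the values printed above; the assumption that 82AE9447 is the kernel's default stub for unhandled requests is the example's, not the tool's.

```python
import re

# The 27 IRP major function codes, in the order TDSSKiller prints them.
IRP_MAJORS = [
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA",
]

# Handlers USBSTOR implements itself, with the addresses from the log above. Every
# other major in that table pointed at 82AE9447, assumed here to be the kernel's
# default stub for requests the driver does not handle.
USBSTOR_OWN = {
    "IRP_MJ_CREATE": "8F5E2A02", "IRP_MJ_CLOSE": "8F5E2A7A",
    "IRP_MJ_READ": "8F5E2AF2", "IRP_MJ_WRITE": "8F5E2AF2",
    "IRP_MJ_DEVICE_CONTROL": "8F5E25FE", "IRP_MJ_INTERNAL_DEVICE_CONTROL": "8F5D5656",
    "IRP_MJ_POWER": "8F5E09BA", "IRP_MJ_SYSTEM_CONTROL": "8F5DD88E",
}


def _table_lines(driver, addr_for):
    """Render one 'Driver Name:' block in TDSSKiller's line format."""
    lines = [f"11:36:39:079 3536 Driver Name: {driver}"]
    lines += [f"11:36:39:079 3536 {mj} : {addr_for(mj)}" for mj in IRP_MAJORS]
    return lines


# Constructed sample: both dispatch tables from the log above, rebuilt from the
# values it printed, followed by the verdict lines the tool emitted.
SAMPLE_LOG = "\n".join(
    _table_lines("USBSTOR", lambda mj: USBSTOR_OWN.get(mj, "82AE9447"))
    + ["11:36:39:095 3536 C:\\Windows\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: 1"]
    + _table_lines("atapi", lambda mj: "856DFAC8")
    + ['11:36:39:110 3536 Driver "atapi" infected by TDSS rootkit!']
)

DRIVER_RE = re.compile(r"^\S+\s+\d+\s+Driver Name: (\S+)$")
IRP_RE = re.compile(r"^\S+\s+\d+\s+(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
INFECTED_RE = re.compile(r'Driver "([^"]+)" infected by')


def parse_irp_tables(text):
    """Map driver name -> {IRP_MJ_*: handler address} from a TDSSKiller log."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def flag_uniform_dispatch(tables, min_entries=20):
    """Heuristic: drivers whose every listed major points at one address.
    Returns {driver: address}. A lead to confirm, not a verdict on its own."""
    flagged = {}
    for name, table in tables.items():
        addrs = set(table.values())
        if len(table) >= min_entries and len(addrs) == 1:
            flagged[name] = f"{addrs.pop():08X}"
    return flagged


def confirmed_infected(text):
    """Drivers the tool itself reported as infected."""
    return INFECTED_RE.findall(text)


if __name__ == "__main__":
    tables = parse_irp_tables(SAMPLE_LOG)
    print("uniform dispatch:", flag_uniform_dispatch(tables))
    print("tool verdict:", confirmed_infected(SAMPLE_LOG))
```

The heuristic is deliberately conservative: some legitimate drivers route every major through a single routine, so a uniform table is a reason to look closer (compare against the tool's own verdict, check the address against the driver's image range), not proof by itself. On this log it singles out atapi, which agrees with TDSSKiller's "infected by TDSS rootkit" line, and the tool then scheduled a cure on reboot; the redirections persisting afterwards is why the thread moves on to further tools.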
 
Hi cobo
Do you think I have to reinstall Win7 to get rid of this tdl3?
Perhaps it is the best option, but we can try this tool before you reinstall Win7.

  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • Check the box for your main system drive (Usually C:), and Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Thanks peku006
 
Hello peku,

I tried in safe mode with the same result unfortunately.

Any other ideas perhaps?

Thanks again,
cobo
 
Hi cobo

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the Run box and click OK

Download the latest version of ComboFix and run it
Thanks peku006
 
Hi peku,

I saw your earlier message, which got deleted now (that your 'tools' are not working under Win7). Funnily, somehow I had exactly the same idea that you just recommended. So, as I couldn't find where I saved the earlier version of Combofix, I downloaded it again and ran it. :)
This is the report:

ComboFix 10-04-19.05 - Zsolt 20/04/2010 15:35:01.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2048.1319 [GMT 1:00]
Running from: d:\peter\Trojaiellenes\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Zsolt\AppData\Roaming\sdra64.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

----- BITS: Possible infected sites -----

hxxp://www.bing.com
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 14:40 . 2010-04-20 14:40 -------- d-----w- c:\users\Zsolt\AppData\Local\temp
2010-04-20 14:40 . 2010-04-20 14:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-20 14:29 . 2010-04-20 14:30 -------- d-----w- C:\32788R22FWJFW
2010-04-20 08:53 . 2010-04-20 14:14 -------- d-sh--w- c:\users\Zsolt\AppData\Roaming\lowsec
2010-04-19 16:38 . 2010-04-19 16:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-19 16:37 . 2010-04-19 16:37 -------- d-----w- c:\programdata\Hitman Pro
2010-04-19 16:37 . 2010-04-19 16:37 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-18 10:36 . 2010-04-18 10:36 36488 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-04-16 07:53 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 17:20 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 17:20 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 17:20 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 17:20 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 17:20 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 17:20 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 15:53 . 2010-04-14 15:53 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple
2010-04-14 14:01 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 14:01 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 21:02 . 2010-04-17 10:47 -------- d-----w- c:\users\Zsolt\AppData\Local\Adobe
2010-04-13 16:48 . 2010-04-13 16:48 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple Computer
2010-04-07 09:38 . 2009-10-31 06:00 2614272 ------w- c:\windows\explorer.exe
2010-04-06 23:23 . 2010-04-06 23:23 -------- d-----w- c:\program files\iPod
2010-04-06 23:19 . 2010-04-06 23:20 -------- d-----w- c:\program files\QuickTime
2010-04-06 23:17 . 2010-04-06 23:17 -------- d-----w- c:\program files\Apple Software Update
2010-04-05 22:19 . 2010-04-05 22:19 -------- d-----w- C:\rsit
2010-04-05 21:10 . 2010-04-05 21:10 -------- d-----w- c:\program files\CCleaner
2010-04-05 20:06 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-05 19:55 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 19:55 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 14:03 . 2010-04-05 14:03 -------- d-----w- c:\program files\ESET
2010-04-04 20:03 . 2010-04-04 20:03 -------- d-----w- c:\program files\Trend Micro
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Malwarebytes
2010-04-04 17:32 . 2010-04-05 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-03 20:52 . 2010-04-05 18:16 -------- d-----w- c:\program files\Unlocker
2010-04-03 18:41 . 2010-04-03 18:41 -------- d-----w- c:\windows\Sun
2010-04-02 20:22 . 2010-04-05 18:16 -------- d-----w- c:\program files\7-Zip
2010-04-02 20:14 . 2010-04-05 18:16 -------- d-----w- c:\users\Zsolt\AppData\Roaming\BitTorrent
2010-04-01 19:50 . 2010-04-05 18:16 -------- d-----w- c:\program files\Adobe Media Player
2010-04-01 19:50 . 2010-04-01 19:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-01 19:46 . 2010-04-01 19:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-01 17:56 . 2010-04-01 17:57 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-26 00:48 . 2010-03-26 00:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 08:54 . 2009-12-03 21:16 117760 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-19 17:36 . 2009-10-25 23:23 108744 ----a-w- c:\users\Zsolt\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-19 16:31 . 2009-10-27 20:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-18 10:37 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-06 23:23 . 2010-02-12 16:43 -------- d-----w- c:\program files\iTunes
2010-04-06 23:23 . 2009-10-26 16:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 23:16 . 2009-10-26 16:37 -------- d-----w- c:\program files\Bonjour
2010-04-05 21:16 . 2010-02-13 09:58 -------- d-----w- c:\program files\McAfee
2010-04-05 20:48 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-05 20:22 . 2009-10-26 14:20 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-05 20:04 . 2009-12-03 21:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 19:33 . 2010-03-03 20:01 -------- d-----w- c:\program files\Opera
2010-04-05 18:16 . 2009-10-26 14:20 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Thunderbird
2010-04-05 18:16 . 2010-02-13 10:08 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 18:15 . 2009-10-26 16:38 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-08 20:06 . 2009-12-02 20:44 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HpUpdate
2010-03-02 18:46 . 2010-03-02 18:46 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HPAppData
2010-03-01 21:35 . 2010-03-01 19:07 23112 ----a-w- c:\windows\hpqins15.dat
2010-02-24 09:16 . 2009-10-25 22:45 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 20:10 . 2010-02-17 20:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-12 17:19 . 2009-12-18 09:10 52224 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 14:55 . 2010-02-17 19:29 12800 ----a-w- c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
2010-02-02 21:27 . 2010-01-19 20:31 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-02-02 21:10 . 2010-01-19 20:31 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-02-02 07:45 . 2010-02-23 18:48 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-28 19:22 . 2009-12-15 22:03 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-01-23 16:06 . 2009-12-15 22:02 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-07_22.04.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-14 17:20 . 2010-02-27 07:33 95744 c:\windows\winsxs\x86_microsoft-windows-smb20-minirdr_31bf3856ad364e35_6.1.7600.20655_none_8b5b5c1a041ebcac\mrxsmb20.sys
+ 2010-04-14 17:20 . 2010-02-27 07:32 95744 c:\windows\winsxs\x86_microsoft-windows-smb20-minirdr_31bf3856ad364e35_6.1.7600.16539_none_8aeb604eeaed4a5c\mrxsmb20.sys
+ 2009-10-27 08:59 . 2010-04-20 14:35 42122 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-04-20 14:35 38638 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-25 22:38 . 2010-04-20 13:38 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-12 14:43 . 2010-04-16 15:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-04-18 18:53 . 2010-04-18 18:53 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041820100419\index.dat
+ 2010-04-15 18:15 . 2010-04-15 18:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041520100416\index.dat
+ 2010-04-15 18:15 . 2010-04-15 18:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010040520100412\index.dat
+ 2009-07-14 04:41 . 2010-04-20 13:38 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-07 09:40 . 2010-04-07 09:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-04-07 09:40 . 2010-04-18 16:32 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-04-18 13:13 78976 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-04-19 21:22 . 2010-04-19 17:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-19 21:22 . 2010-04-19 17:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-04-19 21:22 . 2010-04-19 17:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-30 14:16 . 2010-04-20 14:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-30 14:16 . 2010-04-07 22:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-30 14:16 . 2010-04-20 14:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-10-30 14:16 . 2010-04-07 22:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-10-30 14:16 . 2010-04-20 14:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-10-30 14:16 . 2010-04-07 22:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 22:48 . 2010-04-20 14:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-25 22:48 . 2010-04-07 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-21 20:09 . 2009-12-21 20:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 01:57 . 2009-12-22 01:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 20:02 . 2009-12-21 20:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 23:21 . 2009-12-21 23:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-21 23:37 . 2009-12-21 23:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 18:39 . 2009-12-21 18:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 18:27 . 2009-12-21 18:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 18:27 . 2009-12-21 18:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2009-10-25 22:49 . 2010-04-20 14:35 8422 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-261453740-1934816615-1763482817-1001_UserData.bin
+ 2010-04-20 14:34 . 2010-04-20 14:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-07 21:40 . 2010-04-07 22:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-07 21:40 . 2010-04-07 22:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-20 14:34 . 2010-04-20 14:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-14 14:01 . 2009-12-29 07:11 172032 c:\windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7600.20605_none_f064afe014413504\wintrust.dll
+ 2010-04-14 14:01 . 2009-12-29 06:55 172032 c:\windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7600.16493_none_ef77c14efb6e60de\wintrust.dll
+ 2010-04-14 17:20 . 2010-02-27 07:33 123392 c:\windows\winsxs\x86_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7600.20655_none_8011d3b3cb764ad9\mrxsmb.sys
+ 2010-04-14 17:20 . 2010-02-27 07:32 123392 c:\windows\winsxs\x86_microsoft-windows-smbminirdr_31bf3856ad364e35_6.1.7600.16539_none_7fa1d7e8b244d889\mrxsmb.sys
+ 2010-04-14 17:20 . 2010-02-27 07:33 221696 c:\windows\winsxs\x86_microsoft-windows-smb10-minirdr_31bf3856ad364e35_6.1.7600.20655_none_8924f207c5c7893b\mrxsmb10.sys
+ 2010-04-14 17:20 . 2010-02-27 07:32 221696 c:\windows\winsxs\x86_microsoft-windows-smb10-minirdr_31bf3856ad364e35_6.1.7600.16539_none_88b4f63cac9616eb\mrxsmb10.sys
+ 2010-04-14 17:20 . 2010-03-08 21:39 427520 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.20662_none_48cc9903a84aaeeb\vbscript.dll
+ 2010-04-14 17:20 . 2010-03-08 21:33 427520 c:\windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16546_none_485c9d388f193c9b\vbscript.dll
+ 2010-04-14 14:01 . 2010-01-09 06:49 132608 c:\windows\winsxs\x86_microsoft-windows-cabview_31bf3856ad364e35_6.1.7600.20613_none_38abfbd35bb8e7a9\cabview.dll
+ 2010-04-14 14:01 . 2010-01-09 06:52 132608 c:\windows\winsxs\x86_microsoft-windows-cabview_31bf3856ad364e35_6.1.7600.16500_none_382a2e164295dfe9\cabview.dll
+ 2010-04-16 07:53 . 2010-02-11 06:53 293376 c:\windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.20641_none_62973696e76475c9\browserchoice.exe
+ 2010-04-16 07:53 . 2010-02-11 07:10 293376 c:\windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.16526_none_62283b15ce321cd0\browserchoice.exe
+ 2009-10-26 20:54 . 2010-04-20 13:14 280588 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:05 . 2010-04-20 14:39 619206 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-04-07 21:45 619206 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-04-07 21:45 107388 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-04-20 14:39 107388 c:\windows\System32\perfc009.dat
+ 2009-07-14 04:33 . 2010-04-19 17:36 408848 c:\windows\System32\FNTCACHE.DAT
- 2009-07-14 04:33 . 2010-02-13 11:29 408848 c:\windows\System32\FNTCACHE.DAT
+ 2009-10-25 22:40 . 2010-04-20 14:04 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-10-25 22:40 . 2010-04-07 21:40 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-10-25 22:38 . 2010-04-20 13:20 950272 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-21 18:35 . 2009-12-21 18:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 18:34 . 2009-12-21 18:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 19:18 . 2009-11-09 19:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 20:02 . 2009-12-21 20:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-21 18:43 . 2009-12-21 18:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 01:57 . 2009-12-22 01:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 18:15 . 2009-12-21 18:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 19:32 . 2009-12-21 19:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-21 19:15 . 2009-12-21 19:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2010-04-14 17:20 . 2010-02-27 11:46 3899784 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntoskrnl.exe
+ 2010-04-14 17:20 . 2010-02-27 11:46 3954568 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20655_none_6cb0c81f2e7bee1e\ntkrnlpa.exe
+ 2010-04-14 17:20 . 2010-02-27 12:07 3899280 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntoskrnl.exe
+ 2010-04-14 17:20 . 2010-02-27 12:07 3954568 c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16539_none_6c40cc54154a7bce\ntkrnlpa.exe
+ 2009-07-14 02:03 . 2010-04-20 13:24 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2010-04-07 09:42 6815744 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:34 . 2010-04-06 10:01 3837380 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2010-04-16 15:21 3837380 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-12-21 18:29 . 2009-12-21 18:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 23:31 . 2009-12-21 23:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2009-07-14 07:18 . 2010-04-16 07:53 17537597 c:\windows\winsxs\ManifestCache\e4e8be02b8fae2a7_blobs.bin
+ 2009-10-25 22:45 . 2010-04-06 17:52 31971272 c:\windows\System32\MRT.exe
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\2a1fb.msp
+ 2009-12-21 23:21 . 2009-12-21 23:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-05 2010864]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-06 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-29 1086856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Zsolt^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Zsolt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-14 18:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-20 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-20 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-20 66632]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-04 172032]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2009-12-14 93320]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001Core.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001UA.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2009-10-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]

2009-10-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Zsolt\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.bpbz.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-20 15:41:55
ComboFix-quarantined-files.txt 2010-04-20 14:41
ComboFix2.txt 2010-04-07 22:08

Pre-Run: 44,340,236,288 bytes free
Post-Run: 44,159,954,944 bytes free

- - End Of File - - 709352EC987EF777A69C42D772F61958
***************************************************

I also ran Malwarebytes' quick scan afterwards and found 4 backdoor.bots in registry keys (unfortunately, I didn't save the log), and, strangely, SuperAntispyware found 122 adware tracking cookies. (I was desperate, thinking I'd try everything again before I would do a full reinstall.)

Thank god, there's no redirection occurring at this moment in Firefox or Opera. Fingers crossed it stays this way.

In any case, big THANKS for all your help. I'll report back tomorrow, hopefully with good news.

cobo
 
Hi peku,

Hopefully this is my final post, just to thank you again for all your help.

The pc works fine with no hijackings.

Thanks again,
cobo
 
Hi cobo

Great to hear that everything works, but we will run one online scan to be sure that there is nothing left.

1 - Clean temp files

  • Please download TFC to your desktop
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.

NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go here then click on:
    EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006
 
Hello peku,

The eset log:

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Win32/Olmarik.XG trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\d7d440d-4eb259bc Java/TrojanDownloader.Agent.NAM trojan
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys Win32/Olmarik.XG trojan
D:\Documents\Old net downloads\sdax2101.exe Win32/Adware.WhenU.SaveNow application
D:\Documents\Received files\DigitalSmart-Audio-Recorder-for-FREE-Installer.EXE Win32/Adware.WhenU.SaveNow application
D:\Peter\Levelek\mail.btinternet.com\Inbox a variant of Win32/HackTool.Patcher.A application
D:\Peter\Levelek\mail.btinternet.com\Sent a variant of Win32/HackTool.Patcher.A application


********************************************************

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:35:53, on 23/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
C:\Windows\system32\taskhost.exe
D:\Peter\Trojaiellenes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 5953 bytes


*********************************************

The pc works fine; the only strange thing I would note is that sometimes 'hide extensions for known filetypes' gets switched on, so I cannot see the extensions. I don't know what might trigger that.

Thanks,

cobo
 
Hi cobo

I'd like you to check a file for Viruses.
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
  • Copy/Paste file into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Copy and Paste results in your next reply.

Thanks peku006
 
Sorry for the late response, just got back.

The result doesn't look good; however, I had no problem w/ the pc, nor any Google redirections recently.

Virustotal:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.26 Rootkit.Patched.TDSS!IK
AhnLab-V3 5.0.0.2 2010.04.26 -
AntiVir 8.2.1.224 2010.04.26 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.04.26 -
Authentium 5.2.0.5 2010.04.26 -
Avast 4.8.1351.0 2010.04.26 Win32:Alureon-FZ
Avast5 5.0.332.0 2010.04.26 Win32:Alureon-FZ
AVG 9.0.0.787 2010.04.26 Win32/Patched.DO
BitDefender 7.2 2010.04.26 Rootkit.Patched.TDSS.Gen
CAT-QuickHeal 10.00 2010.04.26 -
ClamAV 0.96.0.3-git 2010.04.26 -
Comodo 4684 2010.04.26 TrojWare.Win32.Rootkit.TDL3.gen
DrWeb 5.0.2.03300 2010.04.26 BackDoor.Tdss.2459
eSafe 7.0.17.0 2010.04.26 -
eTrust-Vet 35.2.7452 2010.04.26 Win32/Alureon.A!generic
F-Prot 4.5.1.85 2010.04.26 -
F-Secure 9.0.15370.0 2010.04.26 Rootkit.Patched.TDSS.Gen
Fortinet 4.0.14.0 2010.04.26 -
GData 21 2010.04.26 Rootkit.Patched.TDSS.Gen
Ikarus T3.1.1.80.0 2010.04.26 Rootkit.Patched.TDSS
Jiangmin 13.0.900 2010.04.26 Rootkit.TDSS.dgu
Kaspersky 7.0.0.125 2010.04.26 Rootkit.Win32.TDSS.ap
McAfee 5.400.0.1158 2010.04.26 -
McAfee-GW-Edition 6.8.5 2010.04.26 Trojan.Patched.Gen
Microsoft 1.5703 2010.04.26 Virus:Win32/Alureon.H
NOD32 5063 2010.04.26 Win32/Olmarik.XG
Norman 6.04.11 2010.04.26 W32/tdss.drv.gen8
nProtect 2010-04-26.01 2010.04.26 -
Panda 10.0.2.7 2010.04.26 -
PCTools 7.0.3.5 2010.04.26 -
Prevx 3.0 2010.04.26 -
Rising 22.45.00.04 2010.04.26 RootKit.Win32.TDSS.c
Sophos 4.53.0 2010.04.26 Mal/TDSSRt-A
Sunbelt 6224 2010.04.26 LooksLike.Win32.PatchedDriver!A (v)
Symantec 20091.2.0.41 2010.04.26 Backdoor.Tidserv.I!inf
TheHacker 6.5.2.0.269 2010.04.26 -
TrendMicro 9.120.0.1004 2010.04.26 Mal_TIDIES-12
TrendMicro-HouseCall 9.120.0.1004 2010.04.26 Mal_TIDIES-12
VBA32 3.12.12.4 2010.04.26 Rootkit.Win32.TDSL.b
ViRobot 2010.4.26.2294 2010.04.26 -
VirusBuster 5.0.27.0 2010.04.26 Rootkit.TDSS.Gen.3

Additional information
File size: 187904 bytes
MD5...: 0d9e7588f1089734832aceffbfaaf884
SHA1..: 0f570d22545e4d9de5eaf618026f31bf3800f0e4
SHA256: 9232b0022e12646ce57457794a08aaae65a22bb2e712eb106ff952abbdd81d4d
ssdeep: 3072:d7elIe/0mrp1wWvLOMWoyCeJ4//E+7mslheiHsI/U+owztYcegkZq9lz7VOfy+1p:K9cappLOMWoydJ4nE+a6hgiU+dOgaq9O
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2e014
timedatestamp.....: 0x4a5bbf52 (Mon Jul 13 23:12:18 2009)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1e656 0x1e800 6.49 ba5084120dd07f16c1ba33eb035625ce
.rdata 0x20000 0x854 0xa00 4.56 26497c5bfb7fa93991620b7464f15ef4
.data 0x21000 0xfb0 0x400 2.16 94e6609e081ef253f983d213d297e2d8
PAGE 0x22000 0x8fcb 0x9000 6.42 b887dc652c56e0d83a39faee8e8f9012
PAGENBT 0x2b000 0x7a1 0x800 6.33 b850b7c5ce70ad8043ee3fb426e041f7
INIT 0x2c000 0x1c6c 0x1e00 6.00 e96d0319094a90d19b48b3084ee49842
.rsrc 0x2e000 0x5c8 0x600 6.19 1b280edfc6646b683dfcc8745510b414
.reloc 0x2f000 0x2618 0x2800 6.70 062b35fc021a4250b95a1e20e06d11cd

( 5 imports )
> ntoskrnl.exe: RtlFreeOemString, RtlUpcaseUnicodeStringToOemString, RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, RtlOemStringToUnicodeString, RtlInitString, MmMapLockedPagesSpecifyCache, RtlAppendStringToString, RtlInitAnsiString, strchr, ExDeleteNPagedLookasideList, InterlockedPopEntrySList, InterlockedPushEntrySList, ExInitializeNPagedLookasideList, KeCancelTimer, ZwClose, ZwCancelTimer, ZwSetTimer, ZwCreateTimer, _aulldiv, _allmul, IofCallDriver, IoBuildDeviceIoControlRequest, ObfReferenceObject, IoGetDeviceObjectPointer, RtlInitUnicodeString, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, KeSetTimer, KeInitializeDpc, KeInitializeTimer, IoWMIWriteEvent, MmGetSystemRoutineAddress, IoWMIRegistrationControl, IoDeleteDevice, KeDelayExecutionThread, KeClearEvent, ExDeleteResourceLite, IoGetRelatedDeviceObject, RtlCopyUnicodeString, memchr, ZwReadFile, ZwQueryInformationFile, KeEnterCriticalRegion, ZwCreateFile, ObReferenceObjectByHandle, IofCompleteRequest, ZwDeviceIoControlFile, ZwCreateEvent, ZwCreateKey, ExfInterlockedPushEntryList, ExQueueWorkItem, IoFreeWorkItem, IoCancelIrp, IoFileObjectType, IoRemoveShareAccess, SeAssignSecurity, IoSetShareAccess, IoCheckShareAccess, SeAccessCheck, MmUserProbeAddress, IoQueueWorkItem, IoAllocateWorkItem, KeInsertQueueDpc, RtlCompareUnicodeString, _vsnprintf, RtlExtendedMagicDivide, ZwWaitForSingleObject, MmBuildMdlForNonPagedPool, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlGUIDFromString, RtlIpv4AddressToStringW, RtlAppendUnicodeToString, ZwOpenKey, ZwQueryValueKey, memmove, IoBuildPartialMdl, MmUnmapLockedPages, MmLockPagableDataSection, KeTickCount, KeBugCheckEx, RtlUnwind, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, KeLeaveCriticalRegion, strncmp, memset, memcpy, IoFreeIrp, IoAllocateIrp, RtlIpv4StringToAddressA, SeDeassignSecurity, _alldiv, RtlGetCallersAddress, RtlExtendedLargeIntegerDivide, KeInitializeSemaphore, IoAllocateMdl, ExfInterlockedInsertHeadList, PsGetCurrentProcess, KeAttachProcess, KeDetachProcess, ExfInterlockedInsertTailList, ObfDereferenceObject, IoFreeMdl, KeWaitForSingleObject, KeResetEvent, KeSetEvent, _stricmp, KeGetCurrentThread, ExSystemTimeToLocalTime, KeInitializeEvent, strrchr, ExInitializeResourceLite, RtlGetVersion, RtlCompareMemory, KeQuerySystemTime, KefReleaseSpinLockFromDpcLevel, KefAcquireSpinLockAtDpcLevel, IoAcquireCancelSpinLock, NtWaitForSingleObject, IoReleaseCancelSpinLock, ExAllocatePoolWithTag, RtlFreeUnicodeString, ExFreePoolWithTag, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwSetValueKey
> HAL.dll: KfAcquireSpinLock, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, KfReleaseSpinLock
> TDI.SYS: TdiEnumerateAddresses, TdiPnPPowerComplete, TdiDeregisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiRegisterNetAddress, TdiProviderReady, TdiInitialize, TdiRegisterProvider, TdiRegisterPnPHandlers, TdiMapUserRequest, TdiDeregisterPnPHandlers, TdiDeregisterProvider, TdiDefaultRcvExpeditedHandler, TdiDefaultConnectHandler, TdiDefaultDisconnectHandler, TdiDefaultErrorHandler, TdiDefaultReceiveHandler, TdiDefaultSendPossibleHandler, TdiCopyMdlToBuffer, TdiCopyBufferToMdl, TdiDefaultRcvDatagramHandler, TdiBuildNetbiosAddress, TdiPnPPowerRequest
> NETIO.SYS: NsiRegisterChangeNotification, NsiGetParameter, NsiAllocateAndGetTable, NsiFreeTable, NsiSetAllParameters, NsiGetAllParameters, NsiDeregisterChangeNotification
> NDIS.SYS: NdisGetThreadObjectCompartmentId, NdisSetThreadObjectCompartmentId

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Thanks,
cobo
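The PEInfo block in the report above gives, for every section of the driver, an MD5 of the section bytes and an entropy figure (the "ntrpy" column). The script below is an added example, not code from this thread or from the scanning service that produced the report: it parses the PE section table itself, computes those two values per section, and compares two copies of the same file section by section, which is how a helper would check a driver pulled from WinSxS against a known-good copy of the same build. It assumes the file is handed in as a Python bytes object; the sample PE image it builds is constructed for offline use and is not derived from any real driver. It does not check Authenticode signatures, so the "verified: Unsigned" line of the report is a separate check.

```python
"""Per-section MD5 and Shannon entropy for a PE file (the "md5" and "ntrpy"
columns of the report above), plus a section-by-section comparison against a
second copy of the same file.  Added example; the sample image is constructed."""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    hash/measure each section's raw (on-disk) bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * 40        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rsize,
            "truncated": len(raw) < rsize,       # header promises more bytes than the file has
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp,
            "entrypoint": entry_rva, "sections": sections}


def differing_sections(report_a: dict, report_b: dict) -> list:
    """Names of sections in report_a whose bytes are absent from or differ in
    report_b, e.g. a suspect driver versus a known-good copy of the same build."""
    hashes_b = {s["name"]: s["md5"] for s in report_b["sections"]}
    return [s["name"] for s in report_a["sections"]
            if hashes_b.get(s["name"]) != s["md5"]]


def build_sample_image() -> bytes:
    """Constructed minimal PE32 with a high-entropy .text and an all-zero .data;
    not derived from any real driver."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4A5BBF52, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0x200, 0x200, 0, 0x1000)
    opt += b"\0" * (224 - len(opt))              # rest of the PE32 optional header, zeroed
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))   # file alignment 0x200
    return headers + bytes(range(256)) * 2 + b"\0" * 0x200


def report(image: bytes) -> str:
    """Render the same columns the scan report uses."""
    r = parse_pe_sections(image)
    lines = [f"entrypoint 0x{r['entrypoint']:x}  machine 0x{r['machine']:x}",
             "name viradd virsiz rawdsiz ntrpy md5"]
    for s in r["sections"]:
        lines.append(f"{s['name']} 0x{s['viradd']:x} 0x{s['virsiz']:x} "
                     f"0x{s['rawdsiz']:x} {s['ntrpy']:.2f} {s['md5']}"
                     + ("  (truncated)" if s["truncated"] else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_image()))
```

To use it on a real file, read the driver with `open(path, "rb").read()` and pass the bytes to `parse_pe_sections`; a section whose MD5 differs from the known-good copy, or whose entropy is far above the rest of the image, is the one to look at first. The `truncated` flag catches headers that claim more raw bytes than the file contains, which the slicing otherwise hides.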
 
Hi cobo

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the [image: pasteline.png] area. Do not include the word Code.
Code:
:Files
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large [image: btnmoveit.png] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Thanks peku006
 
Hi peku,

It didn't ask for reboot, here's the log:

========== FILES ==========
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys moved successfully.

OTM by OldTimer - Version 3.1.11.0 log created on 04272010_112259


Thanks,
cobo
 
Hi cobo

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 <== empty this folder

After that.............

Your log now appears to be clean. Congratulations!

To remove all of the tools we used and the files and folders they created do the following:

Delete GooredFix, gmer, SystemLook, CKScanner, TDSSKiller and RootRepeal from your desktop.

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera.

Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

peku006
 