Rootkit.Win32.TDSS.tdl4 that won't go away?

Recommended Posts

Apologize for the repeat posts... I'm getting a connection error when I submit, and then for some reason my post goes through anyway but is truncated? IE8 won't post it at all, and Firefox keeps posting truncated versions. Any ideas? I'm not a moron, I promise!

Hello all, thanks in advance for any help you can provide! First time poster...

In the last week, I've noticed when I have IE8 up, maybe a few times an hour, I'll get a random popup window even when I'm not doing anything. I run Zone Alarm and AVG 9.0, and occasionally run MBAM. I am savvy enough to know not to download anything suspicious from a website, etc. In short, I think I'm pretty darn careful! So I virtually never have problems with viruses or spyware thaAttach.zipt aren't immediately caught and disposed of. But this thing I have now: AVG doesn't catch it. MBAM doesn't catch it. Before coming here, I tried TDSSKiller and ComboFix, both of which flag something suspicious (Rootkit.Win32.TDSS.tdl4 in \HardDisk0\MBR it seems)... but for all their running, "curing," and rebooting... the infection continues to show up as though they had no effect.

The popups are annoying, but my main concern of course is the theft of info, passwords, etc. so I want to squash this ASAP. I followed the instructions on the "pinned" post as best I could:

1) Ran MBAM and found nothing.

2) Ran AVG 9.0 and found nothing.

3) Ran DeFogger successfully.

4) Ran DDS successfully.

5) Several attempts to run GMER Rootkit Scanner have caused my machine to immediately reboot after about 10 minutes, and I don't see a log to see how far it's even getting. So I have yet to have a successful complete run of it, nor to produce the requested "ark" file.

Here is the DDS file:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 11:24:08.98 on Sat 09/04/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.97 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe


C:\Program Files\AVG\AVG9\avgcsrvx.exe







C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgnsx.exe


C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe




C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install



mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

Share this post

Link to post
Share on other sites

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.




One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not which appears to be an older version of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller. will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Share this post

Link to post
Share on other sites

Thank you very much for responding to me, Elise!

As it happens, while waiting for the reponse, I updated and ran another virus scan with AVG 9.0, and this time it caught it! It detected "Trojan Horse Adload_r.AKH" but couldn't remove it because the infected files were in use: explorer.exe, svchost.exe, etc.

After some research, I found some pointers to Hitman Pro 3.5, but when I tried to get to CNET or other sites to download it, I suddenly started getting redirects that were preventing me from reaching the sites! I was able to get to it with Firefox, and one run from the latest Hitman Pro detected it, and removed it on one reboot. After that, AVG and TDSSKiller find no issues. The redirect problem is gone too. It seems like all is well, but is there something I should run and provide you with for an "all clear?"

As far as 1) reformatting me drive or 2) cancelling all credit cards and bank accounts... ugh! Sounds like a nightmare, but I can understand what you're saying. My PC has been connected for almost a week with this infection, so who knows what they could have stolen or planted. :)

Share this post

Link to post
Share on other sites

Since you are dealing here with more than one infection, I strongly recommend you to continue making sure everything is clean if you don't want to reformat. Lack of symptoms does not always mean everything is gone.



Please download ComboFix from one of these locations:


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Share this post

Link to post
Share on other sites

Thank you, here is the ComboFix log:

ComboFix 10-09-04.06 - Owner 09/05/2010 4:27.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.120 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}


((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))


2010-09-05 05:37 . 2010-09-05 05:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-09-05 05:27 . 2010-09-05 05:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-09-05 05:25 . 2010-09-05 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-09-05 05:25 . 2010-09-05 05:25 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-09-05 04:57 . 2010-09-05 04:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-09-05 00:38 . 2010-09-05 00:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AVG Security Toolbar

2010-09-04 10:36 . 2010-09-04 10:37 -------- d-----w- C:\TDSSKiller_Quarantine

2010-09-02 22:12 . 2010-09-05 04:55 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-17 03:03 . 2010-08-17 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-09-03 18:34 . 2009-01-29 09:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-02 15:27 . 2008-12-02 08:22 34410701 ----a-w- c:\windows\Internet Logs\

2010-08-30 09:51 . 2010-08-31 07:41 1832960 ----a-w- c:\windows\Internet Logs\xDB2E.tmp

2010-08-26 08:27 . 2010-08-26 15:37 1825792 ----a-w- c:\windows\Internet Logs\xDB2D.tmp

2010-08-25 08:37 . 2009-06-09 09:21 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent

2010-08-21 03:11 . 2010-08-21 05:55 1823744 ----a-w- c:\windows\Internet Logs\xDB2C.tmp

2010-08-20 21:07 . 2010-07-24 09:28 -------- d-----w- c:\program files\Puran Defrag

2010-08-16 09:14 . 2010-08-17 01:57 1805312 ----a-w- c:\windows\Internet Logs\xDB2B.tmp

2010-08-13 03:14 . 2010-08-13 03:15 1798656 ----a-w- c:\windows\Internet Logs\xDB2A.tmp

2010-08-08 12:25 . 2010-08-08 18:37 1753088 ----a-w- c:\windows\Internet Logs\xDB29.tmp

2010-08-01 12:26 . 2010-08-01 18:58 1739776 ----a-w- c:\windows\Internet Logs\xDB28.tmp

2010-07-24 07:40 . 2010-07-24 07:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Auslogics

2010-07-24 07:40 . 2010-07-24 07:40 -------- d-----w- c:\program files\Auslogics

2010-07-20 16:02 . 2010-07-21 02:00 3202560 ----a-w- c:\windows\Internet Logs\xDB26.tmp

2010-07-20 15:57 . 2010-07-21 02:00 3202048 ----a-w- c:\windows\Internet Logs\xDB27.tmp

2010-07-17 18:12 . 2009-06-09 09:21 -------- d-----w- c:\program files\uTorrent

2010-07-16 16:34 . 2008-05-25 19:30 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-16 16:34 . 2010-07-16 16:34 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-16 16:33 . 2008-05-25 19:30 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-11 10:25 . 2010-07-11 17:41 3162624 ----a-w- c:\windows\Internet Logs\xDB25.tmp

2010-07-02 16:36 . 2007-11-14 03:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-30 12:31 . 2003-03-31 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 20:51 . 2008-12-17 10:43 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-06-23 20:51 . 2009-04-03 04:46 69120 ----a-w- c:\windows\system32\zlcomm.dll

2010-06-23 20:51 . 2009-04-03 04:46 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2010-06-23 13:44 . 2003-06-04 15:22 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2003-03-28 16:54 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2003-03-31 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-17 07:54 . 2010-06-17 07:54 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c6a2974-n\msvcp71.dll

2010-06-17 07:54 . 2010-06-17 07:54 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c6a2974-n\jmc.dll

2010-06-17 07:54 . 2010-06-17 07:54 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c6a2974-n\msvcr71.dll

2010-06-17 07:54 . 2010-06-17 07:54 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4e13691d-n\decora-sse.dll

2010-06-17 07:54 . 2010-06-17 07:54 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4e13691d-n\decora-d3d.dll

2010-06-17 07:53 . 2010-06-17 07:53 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-15 03:24 . 2010-06-15 04:46 924672 ----a-w- c:\windows\Internet Logs\xDB24.tmp

2010-06-14 14:31 . 2007-11-13 01:49 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll


((((((((((((((((((((((((((((( SnapShot@2010-09-04_08.55.51 )))))))))))))))))))))))))))))))))))))))))


+ 2010-09-05 05:44 . 2010-09-05 05:44 16384 c:\windows\Temp\Perflib_Perfdata_560.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 17:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]



"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-13 155648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-16 16:34 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

2008-05-02 04:15 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WUSB54Gv2]

2004-04-19 17:19 24576 ----a-w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WUSB54Gv2SVC"=2 (0x2)

"PrismXL"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]




"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=


R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/25/2008 12:30 PM 216400]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/25/2008 12:30 PM 243024]

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [5/9/2009 4:13 PM 57344]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:34 AM 308136]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [8/16/2010 8:03 PM 430152]

S3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBKR100.SYS [11/12/2007 7:09 PM 27519]

S4 I2odavaygan;I2odavaygan; [x]

S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [7/24/2010 2:28 AM 229376]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper


Contents of the 'Scheduled Tasks' folder

2010-05-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-07 19:23]

2010-09-05 c:\windows\Tasks\SyncToy.job

- c:\documents and settings\Owner\Start Menu\Programs\Utilities\SyncToy.lnk [2007-11-17 03:00]



------- Supplementary Scan -------


uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\evlzn09j.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2010-09-05 04:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



--------------------- LOCKED REGISTRY KEYS ---------------------


@Denied: (A 2) (Everyone)










@Denied: (A 2) (Everyone)








--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2168)








Completion time: 2010-09-05 04:38:48

ComboFix-quarantined-files.txt 2010-09-05 11:38

ComboFix2.txt 2010-09-05 11:17

ComboFix3.txt 2010-09-04 09:01

Pre-Run: 5,873,029,120 bytes free

Post-Run: 5,858,779,136 bytes free

- - End Of File - - CB36C0DBB78AFCDE68CC504F538248E6

Share this post

Link to post
Share on other sites

That is looking better. :blink:



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Share this post

Link to post
Share on other sites

Thanks again, Elise!

I did as instructed. I had a problem getting rid of one of my old Java JRE's, but I Google'd it and saw it's not an uncommon problem to have trouble unistalling it. I deleted its directories and the registry entry for it in Add/Remove Programs, and it looks like that might be as good as it's gonna get. I installed the newest Java, and then ran a ful MBAM scan. The log shows this:

Malwarebytes' Anti-Malware 1.46

Database version: 4551

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/5/2010 1:58:20 PM

mbam-log-2010-09-05 (13-58-20).txt

Scan type: Full scan (C:\|F:\|G:\|H:\|)

Objects scanned: 321527

Time elapsed: 1 hour(s), 30 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

G:\JM\jokeapps\gvra.exe (Joke.VV) -> Quarantined and deleted successfully.

G:\sketch\IBP v2.1.0.2\patch.exe (Malware.NSPack) -> Quarantined and deleted successfully.

These two infected files have been removed, but I wasn't too worried about them to begin with. The first one I've had on my PCs over the years for the past decade with no trouble, and I rarely if ever opened it. The second one I had never executed. So no big loss. How's it looking now? I understand at some point I need ot uninstall ComboFix and re-run DeFogger?

P.S. Since running Hitman Pro 3.5, I have had no problems posting to this board. I wonder if the redirect infection was interfering with me posting here?

Thanks again!

Share this post

Link to post
Share on other sites

Hi, the infection was indeed causing your posting issues. This is practically a give-away of the infection you had. :blink:

Lets do one last scan before calling it clean. You can re-enable any CD emulators with Defogger now.



I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Share this post

Link to post
Share on other sites

Very interesting how different scanners find different things! This ESET online scan found 18 infections!

I wasn't sure what it was going to find, so I deselected the option to automatically remove files. I wanted to see them first, and then I removed them manually myself. About half of them were in: C:\Documents and Settings\***\Application Data\Sun\Java\Deployment\cache, and those were all over a year old.

The rest were various applications and utilities I've downloaded over the years and used (without obvious issues), but just the same I'm deleting those and will re-run ESET. I'll let you know how it goes. Thank you!

P.S. Is it safe to uninstall ComboFix and if so, are there special instructions for that?

Thank you, Elise!

Share this post

Link to post
Share on other sites

Hi, ESET is an antivirus scanner which is why it detects slightly different. None of what you mention is out of the ordinary though. ESET has a tendency to recognize some tools as malware.



Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :blink:

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Share this post

Link to post
Share on other sites

Thanks for all your help, Elise! Things seem to be back to normal over here.

I am normally pretty careful and vigilant when it comes to this stuff. My theory is that I tried IE8's "in private" browsing feature for a few days last week thinking it might make me safer. But what I think I learned later was that part of that feature is that it -- by default -- diables all your browser plugins, including the AVG 9.0 antivirus plugin that normally catches stuff for me. So here I thought I was being safer, but instead was maybe actually exposing myself! Don't know if my logic is sound there, but that's the only thing I did differently around the time I caught this virus...

Thanks again!

Share this post

Link to post
Share on other sites

Hi, to be honest, a browser plug in doesn't make browsing necessarily safer. Safe browsing behavior is just as important. Malware is evolving every day and often has ways to infiltrate a computer before an AV products knows how to encounter it. Read also the "So How did I Get Infected" link from my last post.

Please let me know if you have any other questions or if this topic can be closed.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.