I need help with a potential Trojan Infestation!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by RasKhalif » July 4th, 2012, 5:42 pm

My son's laptop was just provided with internet recently through a wireless router. Recently he started getting Norton pop-ups saying Trojan.Gen.2 has been blocked. Then another comes up saying Trojan.Zeroaccess.B has been blocked, and AVG says Trojan horse patched_c_LYT multiple threat detection. When I have done multiple scans it says no files infected, but I keep getting these pop-ups regularly, indicating to me from past experience that something might be going on in the background. My DDS logs are below. Please HELP!!!

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19272
Run by user at 17:05:53 on 2012-07-04
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3571.778 [GMT -4:00]
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
C:\Program Files\Norton Security Suite\Engine\\ccSvcHst.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\SFT\GuardedID\GIDD.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\xfin_portal\CIDGlobalLight.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Windows\System32\svchost.exe" -k LocalServiceDns
"C:\Windows\System32\svchost.exe" -k LocalServiceDns
============== Pseudo HJT Report ===============
uStart Page = hxxp://xfinity.comcast.net/
uWindow Title = Internet Explorer provided by Dell
mStart Page = hxxp://start.funmoods.com/?f=1&a=fmtoby ... =948823281
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Funmoods Helper Object: {75ebb0aa-4214-4cb4-90ec-e3e07ecd04f7} - c:\progra~1\funmoods\\bh\escort.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - c:\programdata\white sky, inc\id vault\iebho1.1.613.0\NativeBHO.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\\coIEPlg.dll
TB: Funmoods Toolbar: {a4c272ec-ed9e-4ace-a6f2-9558c7f29ef3} - c:\progra~1\funmoods\\escorTlbr.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SPMTray] "c:\program files\pc speed maximizer\SPMTray.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Anti-phishing Domain Advisor] "c:\programdata\anti-phishing domain advisor\visicom_antiphishing.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://lvmailsvr01.lawrenceville.org/dwa85W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{07B91313-C929-4676-8BDD-221B449D9779} : DhcpNameServer =
TCP: Interfaces\{CB23B13E-5380-4273-B5E2-5D5F8214A04E} : DhcpNameServer =
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
LSA: Authentication Packages = msv1_0 wvauth
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-31 108552]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\bashdefs\20120619.001\BHDrvx86.sys [2012-6-18 821920]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys [2012-6-5 132744]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2012-6-2 25232]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\ipsdefs\20120703.002\IDSvix86.sys [2012-7-3 382624]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-7-25 32808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-9 106656]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-9-25 3666432]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-7-25 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-7-25 280096]
S3 atrsdfw;atrsdfw;c:\windows\system32\drivers\atrsdfw.sys [2009-8-3 9728]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-7-25 224384]
=============== Created Last 30 ================
2012-07-04 11:15:53 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-27 21:29:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-27 21:29:15 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-27 21:29:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-27 21:29:12 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-06 17:46:31 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-06-06 17:46:30 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-06-06 17:46:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-06-06 17:46:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-06-06 17:46:30 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-06-06 17:46:30 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-06-06 07:42:24 -------- d-----w- c:\program files\Windows Portable Devices
2012-06-06 07:20:26 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2012-06-06 07:20:26 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2012-06-06 07:20:26 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2012-06-06 07:19:36 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-06-06 07:19:35 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-06-06 07:19:35 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-06-06 07:19:35 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-06-06 07:19:35 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-06-06 07:19:35 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-06-06 07:19:35 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2012-06-06 07:13:56 5120 ----a-w- c:\windows\system32\wmi.dll
2012-06-06 07:13:56 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-06-06 07:13:56 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-06-06 07:13:56 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-06-05 23:10:26 -------- d-----w- c:\users\user\appdata\local\antiphishing-vmninternethelper1_1dn
2012-06-05 23:10:09 -------- d-----w- c:\program files\Yontoo
2012-06-05 23:10:06 -------- d-----w- c:\programdata\Tarma Installer
2012-06-05 23:08:29 -------- d-----w- c:\programdata\Anti-phishing Domain Advisor
2012-06-05 23:08:20 -------- d-----w- c:\users\user\appdata\local\CrashDumps
2012-06-05 23:07:45 -------- d-----w- c:\users\user\appdata\local\Vid-Saver
2012-06-05 23:07:43 -------- d-----w- c:\program files\Vid-Saver
2012-06-05 23:07:30 -------- d-----w- c:\programdata\blekko toolbars
2012-06-05 21:25:02 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2012-06-05 21:25:02 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2012-06-05 21:25:02 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-06-05 21:25:02 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-06-05 21:25:01 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-06-05 21:25:01 189952 ----a-w- c:\windows\system32\winmm.dll
2012-06-05 21:23:57 66560 ----a-w- c:\windows\system32\packager.dll
2012-06-05 21:22:53 231424 ----a-w- c:\windows\system32\msshsq.dll
2012-06-05 21:15:56 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-06-05 16:12:09 -------- d-----w- c:\windows\system32\eu-ES
2012-06-05 16:12:09 -------- d-----w- c:\windows\system32\ca-ES
2012-06-05 16:12:06 -------- d-----w- c:\windows\system32\vi-VN
2012-06-05 05:01:16 905336 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symefa.sys
2012-06-05 05:01:16 345208 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symtdiv.sys
2012-06-05 05:01:16 318584 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symnets.sys
2012-06-05 05:01:15 574072 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtsp.sys
2012-06-05 05:01:15 340088 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symds.sys
2012-06-05 05:01:15 32888 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtspx.sys
2012-06-05 05:01:14 149624 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ironx86.sys
2012-06-05 05:01:14 132744 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys
2012-06-05 05:01:00 4782 ----a-w- c:\windows\system32\drivers\n360\0602010.005\symvtcer.dat
2012-06-05 05:01:00 -------- d-----w- c:\windows\system32\drivers\n360\0602010.005
==================== Find3M ====================
2012-06-11 21:36:55 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-11 21:36:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-03 01:07:05 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-05-15 19:51:08 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-05-15 06:37:49 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- c:\windows\system32\html.iec
2012-05-15 03:26:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00:53 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-04-23 16:00:53 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-23 16:00:53 133120 ----a-w- c:\windows\system32\cryptsvc.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll win32k.sys win32k.sys
c:\windows\system32\drivers\iastor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x81E86936] -> \Device\Harddisk0\DR0[0x867F1AC8]
3 CLASSPNP[0x8BDB18B3] -> ntkrnlpa!IofCallDriver[0x81E86936] -> \Device\Ide\IAAStorageDevice-1[0x8572B028]
kernel: MBR read successfully
_asm { JMP 0x1c; }
user != kernel MBR !!!
============= FINISH: 17:07:14.92 ===============

The attached DDS Notepad is below:

DDS (Ver_2011-08-26.01)
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume3
Install Date: 7/25/2009 10:49:00 AM
System Uptime: 7/4/2012 7:06:54 AM (10 hours ago)
Motherboard: Dell Inc. | | 0P759R
Processor: Intel(R) Core(TM)2 Duo CPU T9550 @ 2.66GHz | Microprocessor | 2668/266mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 231 GiB total, 190.761 GiB free.
D: is FIXED (NTFS) - 2 GiB total, 1.135 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) 82567LM Gigabit Network Connection
Device ID: PCI\VEN_8086&DEV_10F5&SUBSYS_02331028&REV_03\3&2ACF1E9&0&C8
Manufacturer: Intel
Name: Intel(R) 82567LM Gigabit Network Connection
PNP Device ID: PCI\VEN_8086&DEV_10F5&SUBSYS_02331028&REV_03\3&2ACF1E9&0&C8
Service: e1yexpress
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.1
Adobe Shockwave Player 11.5
All Day Battery Life Configuration
Ambient Light Sensor
Anti-phishing Domain Advisor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 8.5
Belkin Setup and Router Monitor
BioAPI Framework
biolsp patch
Broadcom USH Host Components
Choice Guard
Compatibility Pack for the 2007 Office system
Constant Guard Protection Suite
Dell Control Point
Dell ControlPoint Connection Manager
Dell ControlPoint Security Manager
Dell ControlPoint System Manager
Dell Edoc Viewer
Dell Embassy Trust Suite by Wave Systems
Dell Getting Started Guide
Dell Security Device Driver Pack
Dell Touchpad
Dell Webcam Central
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
GeoGebra 4
Google Chrome
Google Drive
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Integrated Webcam Driver (
Intel(R) Network Connections
Intel(R) PRO Alerting Agent
Intel(R) PROSet/Wireless WiFi API
Intel(R) PROSet/Wireless WiFi Driver
Intel® Matrix Storage Manager
Java(TM) 6 Update 13
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Suite
NTRU TCG Software Stack
NVIDIA Drivers
Preboot Manager
Private Information Manager
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Secure Update
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Wizards
Sonic CinePlayer Decoder Pack
Trusted Drive Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Wave Infrastructure Installer
Wave Support Software
Windows Driver Package - Dell Inc. PBADRV System (01/07/2008
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Yontoo 1.10.02
==== End Of File ===========================
Regular Member
Posts: 46
Joined: July 15th, 2009, 11:28 am
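A small triage script, added here as an example and not part of the thread or of the DDS tool itself, that applies the checks a helper makes on a log like the one posted above: the Gmer MBR comparison in the ROOTKIT section (including the case where the user-mode read failed with a sharing violation, which makes the mismatch inconclusive), the orphaned BHO, the redirected start page, EnableLUA = 0, a disabled security product, and the missing restore points. The sample log is a constructed excerpt of lines from the post; `triage_dds`, `Finding` and the severity labels are names chosen for this example.

```python
"""Triage helper for DDS-style logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the log line that triggered the finding
    reason: str     # why a helper would care about it


def triage_dds(log_text: str, suspicious_hosts=("funmoods",)) -> List[Finding]:
    """Scan one DDS log and return findings sorted from high to low severity."""
    findings: List[Finding] = []
    user_mbr_failed = False  # set when the Win32-level MBR read fails

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # ---- ROOTKIT section: Gmer's user-mode vs kernel-mode MBR check ----
        if line.startswith("user: error reading MBR"):
            user_mbr_failed = True
        elif line.startswith("user != kernel MBR"):
            if user_mbr_failed:
                # The user-mode read did not succeed, so the two reads cannot
                # really be compared; flag it, but ask for confirmation.
                findings.append(Finding("medium", line,
                    "user-mode MBR read failed earlier (device in use), so the "
                    "mismatch may be an artifact; confirm with a dedicated MBR scanner"))
            else:
                findings.append(Finding("high", line,
                    "MBR seen from user mode differs from the kernel read: "
                    "consistent with an MBR bootkit hiding itself"))

        # ---- Pseudo HJT section: browser add-ons and start pages ----
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("low", line,
                "Browser Helper Object registered but its DLL is missing"))
        elif re.match(r"^[um]Start Page = ", line):
            if any(h in line.lower() for h in suspicious_hosts):
                findings.append(Finding("medium", line,
                    "browser start page points at a toolbar/search host"))

        # ---- policies and security product state ----
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append(Finding("medium", line,
                "UAC disabled; elevation prompts will not appear"))
        elif re.match(r"^(AV|SP|FW): .*\*Disabled", line):
            findings.append(Finding("low", line, "security product reported disabled"))
        elif line == "No restore point in system.":
            findings.append(Finding("low", line,
                "no System Restore points; rollback is not available"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort
    return findings


# Constructed sample: an excerpt of the lines from the log posted above.
SAMPLE_LOG = """\
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Pseudo HJT Report ===============
uStart Page = hxxp://xfinity.comcast.net/
mStart Page = hxxp://start.funmoods.com/?f=1&a=fmtoby ... =948823281
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
=================== ROOTKIT ====================
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
==== System Restore Points ===================
No restore point in system.
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         -> {f.reason}")
```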
Re: I need help with a potential Trojan Infestation!

Post by Gizzy » July 5th, 2012, 2:44 am

Hello RasKhalif and Welcome to Malware Removal! :)
My name is Gizzy and I'll be glad to help you with your malware problems.

Please note the following while we work:
  • The fixes are specific to your problem and should only be used for this issue on this computer.
  • Perform all actions in the order given.
  • If you don't know or understand something stop and ask! Don't keep going on.
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please DO NOT run any tools or scans unless I ask you to.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • The process is not instant. Please continue to respond to this thread until I give you the All Clean! Absence of symptoms does not mean that everything is clear.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backup your data - Vista

I am going through your logs and will reply with instructions soon.
Retired Graduate
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: I need help with a potential Trojan Infestation!

Post by RasKhalif » July 5th, 2012, 5:12 pm

Thank you Gizzy. In regards to the issue in this post: my son's computer completely shut down and I cannot get into it at all. When I called Dell they said his hard drive is damaged and must be changed. I am getting that handled as we speak. I do have another issue that I posted in another thread regarding another computer of mine that I am having trouble getting to access the internet on. Another moderator closed that thread even though it was about a COMPLETELY different topic. So now here is the issue I need help with, since my son's computer cannot be helped.

I cannot access the internet (Windows 7).

I get this message: Local Area Connection doesn't have a valid IP configuration

I had my ISP send a tech and he could not get it working either and gave up. I tried ipconfig /release and it said: An error occurred while releasing interface Local Area Connection 2: An address has not yet been associated with the network endpoint. Please help me get this fixed!!!

Here is the link to the original thread that was closed.

Regular Member
Posts: 46
Joined: July 15th, 2009, 11:28 am

Re: I need help with a potential Trojan Infestation!

Post by Gizzy » July 6th, 2012, 11:41 am

Hi RasKhalif,
It can become confusing when more than one computer is being worked on at the same time by the same person, which is why your other thread was closed.
It is also confusing when more than one computer is worked on in the same thread, so please stay on topic about the computer you started this thread for; once this topic is finished and closed you may again open a topic for your other computer.

As for your son's computer:

Backdoor Trojan
I'm afraid I have some bad news for you. Your DDS logs show that you have a ZeroAccess rootkit infection. This infection has remote access capabilities.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims' machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans; it will give you an idea of the severity of the type of infection you have.

What are Remote Access Trojans and why are they dangerous

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

How do I respond to possible identity theft and how do I prevent it

Because of the severity and the capabilities of this type of virus (it cannot be known what changes to your system it has made or if it opened up other ways into your system), the only responsible course of action I can advise is to reformat your computer and reinstall Windows.

Further reading:
When should I do a reformat and reinstallation of my OS
Windows Vista Backup
Restoring your backups with Windows Vista

Some versions of this infection are extremely difficult to remove, and if you opt for us to clean your computer there is a possibility that you may lose connection to the internet, in which case you'll need to have access to another computer so you can contact us. We will of course attempt to resolve the connection issues if they happen, but I can give no guarantee that you may not have to reformat after all.

Please let me know how you would like to proceed.
Should you have any questions please feel free to ask.
Retired Graduate
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: I need help with a potential Trojan Infestation!

Post by RasKhalif » July 7th, 2012, 10:46 pm

Thanks Gizzy for the information. I did change all my passwords, as did my son. I also changed the entire hard drive. Dell sent a new one and installed it and reloaded the OS. So his computer is fine. We are having his school IT dept pull his files off the old hard drive.

Now I need to get help with my other computer which cannot access the internet per the thread that was closed. Can you assist me with that issue?
Regular Member
Posts: 46
Joined: July 15th, 2009, 11:28 am

Re: I need help with a potential Trojan Infestation!

Post by Gizzy » July 8th, 2012, 8:38 pm

Hi RasKhalif,

As your son's computer problem is solved, if you have no further questions this topic can be closed.
Here is a great guide I recommend you read - COMPUTER SECURITY - a short guide to staying safer online

Since this topic is for your son's computer you will need to open a separate topic for your other computer once this one is closed.
Retired Graduate
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: I need help with a potential Trojan Infestation!

Post by RasKhalif » July 11th, 2012, 9:16 pm

I will follow the instructions in the link you provided. Thank you for your assistance. Now I will open the new topic for my other computer.
Regular Member
Posts: 46
Joined: July 15th, 2009, 11:28 am

Re: I need help with a potential Trojan Infestation!

Post by Gizzy » July 12th, 2012, 12:02 am

You're welcome. :)
Retired Graduate
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: I need help with a potential Trojan Infestation!

Post by askey127 » July 12th, 2012, 6:10 am

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
