Music started randomly playing too at one point.
Windows Update website says the internet connection is broken.
Searches in Google return results that are hijacked.
Machine at times runs very slow with two processes consuming a gig of RAM: svchost and spoolsrv. Closing them releases a new spark of life.
I've run Defogger, GMER and DDS and attached accordingly.
Please help remove a TDL4@MBR rootkit.
Thank you.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by John Clark at 11:55:32 on 2011-07-10
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.1873 [GMT 1:00]
.
AV: G Data AntiVirus 2011 *Enabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: Outpost Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\G DATA\GDScan\GDScan.exe
C:\Program Files\G Data\AntiVirus\AVK\AVKWCtl.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
C:\Program Files\G Data\AntiVirus\AVK\AVKService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\G Data\AntiVirus\AVKTray\AVKTray.exe
C:\Program Files\LogMeIn Rescue Calling Card\CallingCard.exe
C:\Program Files\LogMeIn Rescue Calling Card\CallingCard_srv.exe
C:\Program Files\LogMeIn Rescue Calling Card\CallingCard_srv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.live.com
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\antivirus\webfilter\AvkWebIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\antivirus\webfilter\AvkWebIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [G Data AntiVirus Tray Application] c:\program files\g data\antivirus\avktray\AVKTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\program files\agnitum\outpost firewall pro\ie_bar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240417386403
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5FD5E1BC-D5AB-4E11-A6DA-5331421A93E6} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\john clark\application data\mozilla\firefox\profiles\kshrg17y.default\
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\john clark\local settings\application data\yahoo!\browserplus\2.9.2\plugins\npybrowserplus_2.9.2.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: G Data WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\mozilla firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {27B42442-0943-4BDA-8FED-89B659713F2B} - c:\documents and settings\john clark\local settings\application data\{27B42442-0943-4BDA-8FED-89B659713F2B}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2010-4-12 33912]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-7-9 64512]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-4-18 24064]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2010-4-12 62584]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2010-4-12 69400]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-2-26 39032]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2010-7-1 713672]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\apc\powerc~1\agent\pbeagent.exe [2011-7-9 34104]
R2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2010-10-29 1098232]
R2 AVKService;G Data Scheduler;c:\program files\g data\antivirus\avk\AVKService.exe [2010-10-29 411128]
R2 AVKWCtl;G Data Filesystem Monitor;c:\program files\g data\antivirus\avk\AVKWCtl.exe [2010-10-29 1333776]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2010-4-12 51832]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2151640]
R2 LMIRescue_5ac09497-fd59-4ebf-acee-51cbf3d31a62;LogMeIn Rescue (5ac09497-fd59-4ebf-acee-51cbf3d31a62);c:\program files\logmein rescue calling card\CallingCard_srv.exe [2010-4-12 1221992]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2010-7-1 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2010-7-1 267624]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-4-18 144480]
R3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2010-10-29 340984]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2010-7-1 31528]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-6-20 15232]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2010-7-1 2023128]
S4 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
S4 LMIRescueUA_840336;LogMeIn Rescue (840336);c:\windows\temp\lmir0001.tmp\unattended_srv.exe -service -unattendedid 315061 --> c:\windows\temp\lmir0001.tmp\unattended_srv.exe -service -unattendedid 315061 [?]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2009-11-13 25824]
S4 Olympus DVR Service;Olympus DVR Service;c:\program files\common files\olympus shared\devicemanager\olydvrsv.exe [2010-5-14 176128]
S4 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-3-1 77824]
S4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-4-24 2054680]
S4 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-6-27 30152]
S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2009-6-26 102400]
.
=============== Created Last 30 ================
.
2011-07-09 21:15:44 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2011-07-09 21:15:43 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2011-07-09 21:15:43 465920 ------w- c:\windows\system32\imapi2fs.dll
2011-07-09 21:15:43 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2011-07-09 21:15:43 317952 ------w- c:\windows\system32\imapi2.dll
2011-07-09 21:00:43 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-09 20:58:40 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-09 20:58:33 -------- d-----w- c:\program files\Lavasoft
2011-07-09 20:29:49 -------- d--h--w- c:\windows\msdownld.tmp
2011-07-09 20:27:51 -------- dc-h--w- c:\windows\ie8
2011-07-09 20:03:29 388096 ----a-r- c:\documents and settings\john clark\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-09 20:03:28 -------- d-----w- c:\program files\Trend Micro
2011-07-09 19:26:26 36864 ----a-w- c:\windows\system32\APCSnmp.dll
2011-07-09 19:25:59 -------- d-----w- c:\program files\APC
2011-06-27 16:29:13 -------- d-----w- c:\program files\Defraggler
2011-06-19 19:23:04 0 ----a-w- c:\windows\Bceniyaloguj.bin
2011-06-19 19:23:03 -------- d-----w- c:\documents and settings\john clark\local settings\application data\{27B42442-0943-4BDA-8FED-89B659713F2B}
2011-06-19 19:19:14 -------- d-----w- c:\documents and settings\all users\application data\hH28258AfOlD28258
2011-06-16 21:57:24 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 13:33:17 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 12:37:56 -------- d-----w- c:\documents and settings\john clark\local settings\application data\MicroVision Applications
.
==================== Find3M ====================
.
2011-07-09 21:27:41 26112 ----a-w- c:\windows\system32\userinit.exe
2011-07-09 20:44:54 256 ----a-w- c:\documents and settings\john clark\pool.bin
2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 03:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 01:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 11:56:54.60 ===============
I took the liberty of running aswMBR; the log is included below:
aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-10 12:09:56
-----------------------------
12:09:56.359 OS Version: Windows 5.1.2600 Service Pack 3
12:09:56.359 Number of processors: 2 586 0x170A
12:09:56.359 ComputerName: D2BNF94J UserName:
12:09:56.968 Initialize success
12:10:46.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:10:46.140 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
12:10:46.140 Disk 0 MBR read successfully
12:10:46.156 Disk 0 MBR scan
12:10:46.156 Disk 0 TDL4@MBR code has been found
12:10:46.156 Disk 0 MBR hidden
12:10:46.156 Disk 0 MBR [TDL4] **ROOTKIT**
12:10:46.156 Disk 0 trace - called modules:
12:10:46.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5d24d0]<<
12:10:46.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa00678]
12:10:46.156 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a571990]
12:10:46.156 \Driver\iaStor[0x8aa00f38] -> IRP_MJ_CREATE -> 0x8a5d24d0
12:10:46.156 Scan finished successfully
12:11:13.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\John Clark\Desktop\MBR.dat"
12:11:13.531 The log file has been saved successfully to "C:\Documents and Settings\John Clark\Desktop\aswMBR.txt"
Having pressed FIX in aswMBR, here's the new log file.
How does it look?
aswMBR version 0.9.7.705 Copyright© 2011 AVAST Software
Run date: 2011-07-10 12:20:22
-----------------------------
12:20:22.093 OS Version: Windows 5.1.2600 Service Pack 3
12:20:22.093 Number of processors: 2 586 0x170A
12:20:22.093 ComputerName: D2BNF94J UserName:
12:20:22.640 Initialize success
12:20:27.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:20:27.484 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
12:20:27.515 Disk 0 MBR read successfully
12:20:27.515 Disk 0 MBR scan
12:20:27.515 Disk 0 unknown MBR code
12:20:27.515 Disk 0 scanning sectors +625137345
12:20:27.546 Disk 0 scanning C:\WINDOWS\system32\drivers
12:20:47.625 Service scanning
12:20:49.390 Disk 0 trace - called modules:
12:20:49.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
12:20:49.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa00558]
12:20:49.406 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8af82028]
12:20:49.406 Scan finished successfully
12:21:17.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\John Clark\Desktop\MBR.dat"
12:21:17.390 The log file has been saved successfully to "C:\Documents and Settings\John Clark\Desktop\aswMBR v2.txt"
EDIT: Posts merged ~Budapest
Attached File(s): ark.txt (42K), attach.txt (20.84K)
This post has been edited by Budapest: 10 July 2011 - 05:41 PM