RootRepeal says MBR Rootkit detected

About a month ago I had my first problem when the false ads came up screaming You are infected!! and messing with the icons at bottom right hand corner of screen. Internet Explorer began performing very badly with pop-ups etc
I downloaded first AVG, then Avira and Ad-Aware. The most immediate and annoying symptons of pop-ups etc were fixed. However, google still sends all the search results to www.bankofindworld.com when I click on them. When I run Ad-Aware it detects Win32TrojanTdss and tries to remove it. When i reboot the computer nothing is fixed. A friend told me to download RegisteryMechanic, when I try to run the install file it won't run nothing happens at all. (not sure if that's related) Also I noticed on my external harddrive, when I plugged it into a friends mac there was a file in main folder called james.exe which is not visible when its running in a PC. Windows explorer won't open the external harddrive and says "Windows cannot find 'james'.. but if I right click 'explore' or 'open' it will open harddrive no problems.

I am concerned about what implications this has for security, I have used this PC for internet banking and ebay transactions etc..

any advice would be very very much appreciated! Cheers,

here is my DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by James Winwood at 22:27:38.70 on Mon 09/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.605 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\James Winwood\James Winwood.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\James Winwood\Desktop\RootRepeal.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\James Winwood\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.swimatyourownrisk.com/
uSearch Page = hxxp://www.google.com
uWindow Title =
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [James Winwood] c:\documents and settings\james winwood\James Winwood.exe
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [KILLMS32DLL] c:\windows\killgodzilla.vbs
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2005-11-8 16384]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-6 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-9 55656]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-4 1029456]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2005-11-8 33792]

=============== Created Last 30 ================

2009-09-14 22:04 262 a---h--- C:\aaw7boot.cmd
2009-08-19 15:54 116 a------- c:\windows\NeroDigital.ini
2009-08-19 15:51 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-08-19 15:50 177,511 -------- c:\windows\UNNeroVision.cfg
2009-08-19 15:50 2,932,736 -------- c:\windows\UNNeroVision.exe
2009-08-19 15:50 24,064 -------- c:\windows\system32\msxml3a.dll
2009-08-19 15:49 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-08-19 15:49 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-08-19 15:49 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-08-19 15:49 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-08-19 15:49 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-08-19 15:49 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-08-19 15:49 38,912 -------- c:\windows\system32\picn20.dll

==================== Find3M ====================

2009-08-06 00:36 98,304 a------- c:\windows\DUMP95a8.tmp
2009-08-05 19:30 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-05 19:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 17:54 40,960 ---shr-- c:\documents and settings\james winwood\James Winwood.exe
2009-07-28 16:33 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-18 04:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 00:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-30 02:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-30 02:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-30 02:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-26 04:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-26 04:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-26 04:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-26 04:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-26 04:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-26 04:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-26 04:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-26 04:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-26 04:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-26 04:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-26 04:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-26 04:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 18:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 18:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 18:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 18:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 18:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 18:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 21:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 21:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 21:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-17 00:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:55 82,432 a------- c:\windows\system32\fontsub.dll

============= FINISH: 22:28:23.76 ===============

Edited by jimdubs, 15 September 2009 - 02:05 AM.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Pleaseinclude a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

• Please download OTL from following mirror:
  • This is THE Mirror
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Push the button.
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_