View Full Version : Browser search hijack and ie application memory errors

robp1967
2010-05-20, 16:26
Hi,

Recently we have noticed random pop-ups and search hijacks on this PC; IE also takes a long time to load, and the attached screenshot regularly appears, always on IE shutdown. Firefox does not seem immune to the search redirections either.

I have tried the obvious things like Spybot - found Win32.Zbot and removed it, required a re-boot to remove a file in memory, and another run of Spybot found another Win32.Zbot registry entry, all successfully removed but no change to the problem. AVG has been updated and scanned; it found a couple of files it identified as: Trojan Horse Cryptic.QZ and Trojan Horse Generic.17 CAUT.

Still no improvement; tried to run an online Symantec Security Check but IE blocked the ActiveX installation. Have run RootAlyzer but that only found No ADMIN in ACL:

// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"No admin in ACL","C:\WINDOWS\temp\ZLT0673c.TMP"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\ACER-E355056E8B.ldb"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\ErrorLog.txt"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\fwdbglog.txt"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\fwpktlog.txt"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\IAMDB(2).RDB"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\IAMDB(3).RDB"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\IAMDB(4).RDB"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\IAMDB.RDB"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_022008173946.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_040708121235.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_051810124225.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_071108104538.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_120808105559.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_121208102644.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_121508112332.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_121508112621.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_121508112948.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\installer_121508113146.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\tvDebug.log"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\tvDebug.Zip"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\ZALog.txt"
File:"No admin in ACL","C:\WINDOWS\Internet Logs\ZALog2010.05.18.txt"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Business Contact Manager\StartupService.ini"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\avg9\Log\history.xml"
Directory:"No admin in ACL","C:\WINDOWS\Internet Logs"


This is the DDS.txt file report.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Vinny at 13:38:59.51 on 20/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2303.1437 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\IR Connect\Utils\Firebird\bin\fbserver.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Brownie\brstswnd.exe
C:\Program Files\Java\jre6\bin\javaws.exe
c:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vinny\Desktop\RootAlyzer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Vinny\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://en.uk.acer.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
mRun: [LaunchApp] Alaunch
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [installnet.exe] "c:\acer\lanscope agent\installnet.exe" "c:\acer\lanscope agent\
mRun: [AdminWorks Tray] "c:\acer\lanscope agent\awtray.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nonep] c:\windows\temp\10.tmp
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\vinny\startm~1\programs\startup\E-mail.lnk -
StartupFolder: c:\docume~1\vinny\startm~1\programs\startup\intern~1.lnk - c:\program files\internet explorer\iexplore.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks pro\components\qbagent\qbdagent2002.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vinny\applic~1\mozilla\firefox\profiles\2zjr3ime.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-21 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-4 242896]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-18 486280]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-1-18 74520]
R2 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\ir connect\utils\firebird\bin\fbserver.exe -s --> c:\ir connect\utils\firebird\bin\fbserver.exe -s [?]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2006-12-11 7680]
S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\drivers\WlanUZXP.sys [2008-2-19 437760]

=============== Created Last 30 ================

2010-05-19 10:51:09 0 d-----w- c:\program files\SpywareBlaster
2010-05-19 09:30:52 0 dc-h--w- c:\windows\ie8
2010-05-18 15:10:07 210 ----a-w- c:\windows\wininit.ini
2010-05-18 11:56:25 0 d-----w- c:\docume~1\vinny\applic~1\CheckPoint
2010-05-18 11:43:26 0 d-----w- c:\program files\CheckPoint
2010-05-18 11:43:03 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-18 11:43:03 0 d-----w- c:\windows\system32\ZoneLabs
2010-05-18 11:43:01 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-05-18 11:43:00 0 d-----w- c:\program files\Zone Labs
2010-05-17 16:46:47 0 d-sh--w- c:\windows\system32\lowsec
2010-05-14 15:17:11 112 --s-a-w- c:\windows\system32\1253214589.dat
2010-05-14 15:16:57 4 ----a-w- c:\docume~1\vinny\applic~1\avdrn.dat

==================== Find3M ====================

2010-05-18 11:43:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-21 08:22:42 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 09:19:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2008-08-29 12:10:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 13:56:03.18 ===============

Attempts to restore to April dates were unsuccessful and failed to complete; having read the advice on this forum, I can see now that that was not the best course of action.

Any help would be appreciated.

Cheers,
Rob
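The DDS log above is the kind of output a helper reads by eye, looking for autorun entries that launch from odd places and for recently created objects with unusual attributes. The script below is an added example, not code from this thread, from DDS, or from Safer Networking: it parses the two DDS line shapes used above (`uRun:`/`mRun:`/`dRun:` `[name] command`, and the `date time size attrs path` lines of the "Created Last 30" section) and prints the entries a reviewer would want to look at first. The sample input is constructed from entries in the posted log, and the heuristics (temp-directory targets, non-executable extensions, system+hidden objects and all-digit filenames under system32) are this example's own assumptions, meant as triage cues rather than verdicts.

```python
"""Triage heuristics for two line shapes in a DDS log like the one posted above.

Added example; this is not code from the forum thread, from DDS, or from
Safer Networking. It parses autorun lines (``uRun:``/``mRun:``/``dRun:``
``[name] command``) and "Created Last 30" lines (``date time size attrs
path``) and reports entries a reviewer would look at first. The heuristics
are assumptions of this example, not a verdict: a hit is a reason to
investigate an entry, not proof that it is malicious.
"""
from __future__ import annotations

import re

RUN_RE = re.compile(r"^[umd]Run:\s+\[[^\]]*\]\s*(.*)$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([a-z-]{8}) (.+)$"
)
# Extensions that a legitimate autorun target normally carries (assumption).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".dll"}

# Constructed sample: a handful of entries copied from the log posted above,
# in the exact line formats DDS uses.
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nonep] c:\windows\temp\10.tmp
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
2010-05-19 10:51:09 0 d-----w- c:\program files\SpywareBlaster
2010-05-17 16:46:47 0 d-sh--w- c:\windows\system32\lowsec
2010-05-14 15:17:11 112 --s-a-w- c:\windows\system32\1253214589.dat
2010-05-14 15:16:57 4 ----a-w- c:\docume~1\vinny\applic~1\avdrn.dat
"""


def target_of(command: str) -> str:
    """Return the file an autorun command launches, lower-cased.

    A quoted command keeps everything up to the closing quote; otherwise the
    first whitespace-separated token is the target and arguments are dropped.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    return command.split()[0].lower() if command else ""


def check_autorun(command: str) -> list[str]:
    """Reasons an autorun entry deserves a closer look (empty if none)."""
    target = target_of(command)
    if not target:
        return ["autorun has no target"]
    reasons = []
    if "\\temp\\" in target:
        reasons.append("autorun target lives in a temp directory")
    filename = target.rsplit("\\", 1)[-1]
    ext = filename[filename.rfind("."):] if "." in filename else ""
    if ext and ext not in EXEC_EXTENSIONS:
        reasons.append(f"autorun target has non-executable extension {ext}")
    return reasons


def check_created(attrs: str, path: str) -> list[str]:
    """Reasons a recently created object under system32 deserves a closer look."""
    path = path.lower()
    reasons = []
    if "\\windows\\system32\\" not in path:
        return reasons
    # DDS attribute flags as read here: 'd' directory, 's' system, 'h' hidden.
    if "s" in attrs and "h" in attrs:
        reasons.append("system+hidden object created under system32")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.isdigit():
        reasons.append("all-digit filename under system32")
    return reasons


def triage(text: str) -> list[tuple[str, str]]:
    """Scan DDS text and return (path, reason) pairs worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            for reason in check_autorun(run.group(1)):
                findings.append((target_of(run.group(1)), reason))
            continue
        created = CREATED_RE.match(line)
        if created:
            for reason in check_created(created.group(4), created.group(5)):
                findings.append((created.group(5).lower(), reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_DDS):
        print(f"{reason}: {path}")
```

Run against the sample it flags exactly the entries a helper would have circled in the posted log: the `[nonep]` autorun pointing at a `.tmp` file in `c:\windows\temp`, the system+hidden `lowsec` directory, and the numerically named `.dat` in system32. Everything else in the sample (toolbar helpers, AVG, ZoneAlarm, ctfmon) passes silently, which is the point of a triage pass: shrink a long log to the handful of lines that need a human.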

Jack&Jill
2010-05-24, 04:26
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Jack&Jill
2010-05-24, 09:31
Hello robp1967 :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Your computer has some serious infections with rootkit/backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record keystrokes, steal passwords, spread malware, and even use it for other illegal activities.

If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend that you do the following:

Disconnect from the Internet and any network immediately.
Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
Change all your online passwords from a clean computer.
Take any other steps that you may think are necessary to prevent financial distress due to identity theft.

Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infection, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend that you format your computer. We can still attempt to clean it if you wish, but due to the severity of the infections, I cannot guarantee it will be safe or clean afterwards. It is up to you to decide. Please let me know which course of action you wish to take.

Here is some reading to help you decide:
How to respond to possible ID theft and Internet fraud (http://www.dslreports.com/faq/10451)
When should I reformat? (http://www.dslreports.com/faq/10063)

--------------------

Please post back:
1. your decision whether to reformat or continue cleaning

robp1967
2010-05-24, 22:10
Thanks for your help and advice. I was hoping re-format and rebuild was the worst-case scenario, but I have followed your advice and re-formatted, and all seems well now - thanks.

Jack&Jill
2010-05-25, 02:51
Hello robp1967 :),

A wise decision.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates (http://www.bleepingcomputer.com/tutorials/tutorial35.html) to always update the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Update your Antivirus program regularly; it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials (http://www.microsoft.com/security_essentials/), Avast (http://www.avast.com/eng/download-avast-home.html) and Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914) are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 (http://www.eset.com/products/nod32.php) and Kaspersky (http://www.kaspersky.com/kaspersky_anti-virus) are some good options. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't, and use it occasionally. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free, but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications. If you wish to try this, please uninstall Ad-Aware and Spybot you had previously to prevent conflict.

5. Install SiteHound or Web of Trust (WOT). SiteHound (http://www.firetrust.com/en/products/sitehound) and WOT (http://www.mywot.com/) keep you away from dangerous websites with warnings and blocking. Please choose one only.

6. Protect your computer from removable or USB drive infections with Panda USB Vaccine (http://www.pandasecurity.com/homeusers/downloads/usbvaccine/), an effective method to prevent malware from spreading.

7. Keep all your software updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates are required.

8. Install a third-party firewall if you do not have one, for additional defense against internet dangers. The built-in Windows firewall can only keep nasties from breaking in, but is unable to protect against malware sending information out. Some recommended firewalls are Online Armor (http://www.tallemu.com/free-firewall-protection-software.html), Outpost (http://www.agnitum.com/products/outpostfree/index.php) and PC Tools (http://www.pctools.com/firewall/download/). More information on firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html). Please keep only one FW installed.

9. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

10. Also look up How to prevent malware: By miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) and So how did I get infected in the first place? By Tony Klein (http://malwareremoval.com/forum/viewtopic.php?f=11&t=4959).

Stay safe.

Jack&Jill
2010-05-28, 06:05
As your problems appear to have been resolved, this topic is now closed.

We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)