
Thread: Browsers hijacked, SpyBot and other installations blocked

  1. #1
    Junior Member
    Join Date
    Jun 2009
    Posts
    15

    Browsers hijacked, SpyBot and other installations blocked

    Looks like this is a common one right now. Before coming here I followed steps for manual removal of MyWebSearch and FunWebProducts and did turn off System Restore but turned it back on after reading the recommendation here.

    I was able to install SpyBot S & D but it won't run, instead the hourglass cursor flashes and nothing happens, it doesn't appear in services.msc. IE access to http://www.safer-networking.org redirects to stopsign.com, stopzilla.com and other garbage. Firefox access to http://www.safer-networking.org is blocked without redirection. IE is useless due to constant redirection and the machine is running slow and hanging more than usual. This is a friend's machine and this is my first time posting here and I did read the instructions but if I missed something forgive me in advance.

    HJT log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:14:02 PM, on 6/20/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
    O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieexplorer32.exe"
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152598524593
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe (file missing)
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 10477 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi motorhobo

    Please download GMER by GMER. An alternate download site.
    1. Unzip it to a folder on your desktop.
    2. Double click on gmer.exe to execute.
      If asked, allow the gmer.sys driver load.
    3. If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
    4. If you don't get a warning then...
      • Click the Rootkit/Malware tab at the top of the GMER window.
      • Click the Scan button.
    5. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
    6. Open Notepad and paste what you copied. Ctrl+V
    7. Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.

      In the GMER window...
    8. Click on the >>> tab at the top of the GMER window.
      This displays the rest of the "selection" tabs for you.
    9. Click on the Autostart tab.
    10. Click on Scan button.
    11. Once the scan has finished... click Copy.
    12. Open Notepad (again) and paste what you copied. Ctrl+V
    13. Select "Save As" in Notepad...saving the file to your desktop as "gmerauto.txt"
    14. Copy and paste the contents of the files gmerroot.txt and gmerauto.txt in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Jun 2009
    Posts
    15


    Thanks so much Shaba for responding! We are up the creek here because the infected computer cannot access SpyBot or run any antivirus programs. I am contacting you through my computer at another location.

    I emailed gmer from here to the infected computer, unzipped gmer to the Desktop and ran it as instructed. A dialog appeared saying there was no certificate for the program. I clicked Run in that dialog, the hourglass appeared briefly and then nothing.

    I then renamed gmer.exe to blob.exe and tried again to run it. Again, hourglass flashes once, then nothing. I suspect this dialog referencing some 'certificate' is bogus, since the .exe is on the Desktop and should run locally with no certificate required. No?

    Thanks again for your help. It appears you suspect a rootkit...ugh!

    motorhobo

  4. #4
    Junior Member
    Join Date
    Jun 2009
    Posts
    15


    I take that back, Shaba, I turned off Windows Firewall and now gmer.exe is running. I will return with results shortly.

    Thanks once again for your help...

    Motorhobo

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Good

    Please turn it back on after the scan and post back the logs.

  6. #6
    Junior Member
    Join Date
    Jun 2009
    Posts
    15


    gmer is running but I forgot to rename it back to gmer.exe after changing it to blob.exe. Let me know if this will interfere with any tools you use, if so I will restart the process, otherwise I will let it continue to run.

    Thank you!

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Just let it run, it is fine

  8. #8
    Junior Member
    Join Date
    Jun 2009
    Posts
    15


    gmerroot.txt log -

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-06-22 13:37:02
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.15 ----

    Code E198C600 ZwEnumerateKey
    Code E198C6E0 ZwFlushInstructionCache
    Code ECDCDEAB pIofCallDriver
    Code ECDCE853 pIofCompleteRequest

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ZwEnumerateKey 80570D4E 5 Bytes JMP E198C604
    PAGE ntoskrnl.exe!ZwFlushInstructionCache 8057918C 5 Bytes JMP E198C6E4

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[340] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\Explorer.EXE[340] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BC000A
    .text C:\WINDOWS\Explorer.EXE[340] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BB000A
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1184] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00A4000A
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1184] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A6000A
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1184] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00A5000A
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1348] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1348] USER32.dll!MessageBoxA 7E45058A 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1348] USER32.dll!MessageBoxW 7E46630A 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1348] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00A4000A
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1348] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A6000A
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1348] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00A5000A

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \Fat EB1C4C8A

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- Modules - GMER 1.0.15 ----

    Module \systemroot\system32\drivers\TDSSmqlt.sys (*** hidden *** ) ECDCC000-ECDDE000 (73728 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:428] ECDCED66

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\TDSSmqlt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
    Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdu.log
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
    Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdu.log
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control 0x09 0x19 0x1F 0x16 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov 10010
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged 1

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Jean Manna\Local Settings\Temp\TDSS19e6.tmp 122880 bytes executable
    File C:\Documents and Settings\Jean Manna\Local Settings\Temp\TDSS1a4a.tmp 616960 bytes executable
    File C:\Program Files\Trend Micro\Internet Security 12\Quarantine\TDSS1a4a.tmp 617120 bytes
    File C:\WINDOWS\system32\drivers\TDSSmqlt.sys 60416 bytes executable <-- ROOTKIT !!!
    File C:\WINDOWS\system32\TDSSbrsr.dll 29696 bytes executable
    File C:\WINDOWS\system32\TDSSlxwp.dll 3352 bytes
    File C:\WINDOWS\system32\TDSSoiqh.dll 35840 bytes executable
    File C:\WINDOWS\system32\TDSSosvd.dat 441 bytes
    File C:\WINDOWS\system32\TDSSriqp.dll 31232 bytes executable
    File C:\WINDOWS\system32\TDSStkdu.log 20755 bytes
    File C:\WINDOWS\system32\TDSSxfum.dll 61440 bytes executable
    File C:\WINDOWS\Temp\TDSS42b0.tmp 527 bytes
    File C:\WINDOWS\Temp\TDSS4636.tmp 60416 bytes executable
    File C:\WINDOWS\Temp\TDSS4848.tmp 35840 bytes executable
    File C:\WINDOWS\Temp\TDSS4aa1.tmp 29696 bytes executable
    File C:\WINDOWS\Temp\TDSS4cbe.tmp 31232 bytes executable
    File C:\WINDOWS\Temp\TDSS4fe9.tmp 73728 bytes executable
    File C:\WINDOWS\Temp\TDSS533c.tmp 527 bytes
    File C:\WINDOWS\Temp\TDSS5b19.tmp 60416 bytes executable
    File C:\WINDOWS\Temp\TDSS6473.tmp 35840 bytes executable
    File C:\WINDOWS\Temp\TDSS710b.tmp 29696 bytes executable
    File C:\WINDOWS\Temp\TDSS79e3.tmp 31232 bytes executable
    File C:\WINDOWS\Temp\TDSS7f53.tmp 73728 bytes executable

    ---- EOF - GMER 1.0.15 ----

    gmerauto.txt log -

    GMER 1.0.15.14972 - http://www.gmer.net
    Autostart scan 2009-06-22 13:54:55
    Windows 5.1.2600 Service Pack 2


    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
    AtiExtEvent@DLLName = Ati2evxx.dll
    WgaLogon@DLLName = WgaLogon.dll

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
    Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
    CCALib8@ = C:\Program Files\Canon\CAL\CALMAIN.exe
    Fax@ = %systemroot%\system32\fxssvc.exe
    IntuitUpdateService@ = "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"
    JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
    NICCONFIGSVC@ = C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    SCardSvr@ = %SystemRoot%\System32\SCardSvr.exe
    sprtsvc_dellsupportcenter@ = C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter /*file not found*/
    wltrysvc@ = %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @ApointC:\Program Files\Apoint\Apoint.exe = C:\Program Files\Apoint\Apoint.exe
    @SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    @ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    @Dell QuickSetC:\Program Files\Dell\QuickSet\quickset.exe = C:\Program Files\Dell\QuickSet\quickset.exe
    @Dell Wireless Manager UIC:\WINDOWS\system32\WLTRAY = C:\WINDOWS\system32\WLTRAY
    @DVDLauncher"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    @RealTrayC:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER /*file not found*/ = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER /*file not found*/
    @QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    @dlaC:\WINDOWS\system32\dla\tfswctrl.exe = C:\WINDOWS\system32\dla\tfswctrl.exe
    @ISUSPM Startup"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    @ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    @Google Desktop Search"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    @Corel Photo DownloaderC:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe = C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    @Adobe Photo Downloader"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    @KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
    @dscactivate"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" = "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    @DellSupportCenter"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    RunOnceEx@ = /*file not found*/

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
    @ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    @swgC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    @DellSupport"C:\Program Files\DellSupport\DSAgnt.exe" /startup = "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    @EasyLinkAdvisor"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup = "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    @DellSupportCenter"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    @updateMgrC:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 /*file not found*/ = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 /*file not found*/
    @ieupdate"C:\WINDOWS\system32\ieexplorer32.exe" /*file not found*/ = "C:\WINDOWS\system32\ieexplorer32.exe" /*file not found*/

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
    @UPnPMonitorC:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
    @WPDShServiceObjC:\WINDOWS\system32\WPDShServiceObj.dll = C:\WINDOWS\system32\WPDShServiceObj.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
    @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
    @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
    @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
    @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
    @{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
    @{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{9999A076-A9E2-4C99-8A2B-632FC9429223} /*Bonjour*/C:\Program Files\Bonjour\ExplorerPlugin.dll = C:\Program Files\Bonjour\ExplorerPlugin.dll
    @{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
    @{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
    @{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
    @{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
    @{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    @{5CA3D70E-1895-11CF-8E15-001234567890}C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
    @{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    @{AA58ED58-01DD-4d91-8333-CF10577473F7}C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll = C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    @{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    @{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll = C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    @{CA6319C0-31B7-401E-A518-A07C3DB8F777}c:\Program Files\GoogleAFE\GoogleAE.dll = c:\Program Files\GoogleAFE\GoogleAE.dll

    HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr

    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.dell.com = http://www.dell.com
    @Start Pagehttp://www.dell.com = http://www.dell.com
    @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

    HKCU\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.google.com/ig/dell?hl=en&client=dell = http://www.google.com/ig/dell?hl=en&client=dell
    @Start Pagehttp://www.comcast.net/ = http://www.comcast.net/
    @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

    HKLM\Software\Classes\PROTOCOLS\Filter\x-sdch@CLSID = C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
    its@CLSID = C:\WINDOWS\system32\itss.dll
    mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
    ms-its@CLSID = C:\WINDOWS\system32\itss.dll
    tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
    wia@CLSID = C:\WINDOWS\system32\wiascr.dll

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

    C:\Documents and Settings\Jean Manna\Start Menu\Programs\Startup = OpenOffice.org 2.0.lnk

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
    Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
    Digital Line Detect.lnk = Digital Line Detect.lnk
    Kodak EasyShare software.lnk = Kodak EasyShare software.lnk
    Kodak software updater.lnk = Kodak software updater.lnk
    Palo Alto Software Update Manager 8.0.lnk = Palo Alto Software Update Manager 8.0.lnk

    ---- EOF - GMER 1.0.15 ----

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper.

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs, see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #10
    Junior Member
    Join Date
    Jun 2009
    Posts
    15

    Default

    Thank you Shaba, I will run ComboFix as per the instructions. We're having problems printing the instructions, though, because the infected machine can't access any of the sites with links to the instructions. I'll have to print them here and then take them over to the location of the other computer. I don't know if I can do it today or tomorrow as it's quite a drive. We have four days before this thread gets archived, correct? I'm not stalling, there are just logistical issues involved...

    Motorhobo
