Click.giftload keeps coming back, Google search results redirect

[felix_phillips]

So. A while ago I noticed that Google search results redirect to something totally different then the link I clicked. Lots of "Facebook surveys," lots of fake search engines, etc. Getting worried, I went and got Spybot S&D, Ad-Aware, Malwarebytes, and CCleaner. Been running scans with them nearly every day for... two weeks maybe? Most scans don't find anything, but Spybot started finding "click.giftload," and while it's able to remove it, it just comes back. When today my computer went through the "Windows failed to start, please choose safe mode or start windows normally or use last known settings that worked" 5-8 times in a row I said "screw this, I'm asking for help." So here I am.

As per instructions, I won't run any more scans unless someone here tells me to.

Symptoms:
1) Google Search results sometimes/often direct me somewhere else entirely
2) Sometimes graphics change from Windows XP theme to Windows Classic, and the option is not there to change it back. Doesn't always happen though.
3) Minecraft (the game) only works if I run the .exe via a .bat file. Something about unable to start the java virtual machine. Not sure if this is related, but figured I might as well mention it.
4) Spybot finds click.giftload and removes it, but it comes back next time I turn on the computer.

DDS Log:


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ben at 0:00:41.95 on Sun 04/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.134 [GMT -6:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Ben\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\Ben\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\Desktop\BeipMU\BeipMU.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://global.acer.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:53455
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [eRecoveryService] c:\program files\acer\empowering technology\erecovery\eRAgent.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ben\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\c67mdut8.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ben\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-3-7 176136]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-5 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-13 14336]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-3-28 1242504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-4 1405384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-4 15232]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-5-13 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-6-12 43608]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2008-5-28 22072]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-1 38224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\TpChoice.sys [2007-12-25 17968]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-30 19:03:49 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-03-26 19:09:25 -------- d-----w- C:\317bb37b7087d03d9fb4
2011-03-26 19:08:53 -------- d-----w- C:\c412b583335e06bfc5d36f7ea4
2011-03-14 04:29:06 -------- d-----w- C:\9f4842b56dc6715b1987c669f9712195
2011-03-14 04:28:39 -------- d-----w- C:\dda3748e091980e003ec6d2272b9
2011-03-13 19:42:49 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-13 19:42:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-12 04:59:35 -------- d-----w- c:\program files\CCleaner
2011-03-11 06:24:32 -------- d-----w- c:\docume~1\ben\applic~1\HpUpdate
2011-03-11 06:24:17 -------- d-----w- c:\windows\Hewlett-Packard
2011-03-05 21:37:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-05 20:59:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-05 20:59:02 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-05 20:57:58 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Sunbelt Software
2011-03-05 20:54:04 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{A5847AFF-A1FE-4929-A3C0-16C23AB1D29D}
2011-03-05 20:52:55 -------- d-----w- c:\program files\Lavasoft
.
==================== Find3M ====================
.
2011-03-30 19:03:52 1409 ----a-w- c:\windows\QTFont.for
2011-03-13 00:05:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-13 00:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 04:42:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-07 04:42:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.1.10 -> Harddisk0\DR0 -> \Device\Scsi\ahcix861
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2EE439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2f47b8]; MOV EAX, [0x8a2f4834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A30E030]
3 CLASSPNP[0xBA168FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000b6[0x8A80E258]
5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A80DA38]
\Driver\ahcix86[0x8A83CD40] -> IRP_MJ_CREATE -> 0x8A2EE439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:06:52.93 ===============

[Blottedisk]

Hi felix_phillips,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.

• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

• Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
  paypal, ebay, etc. You should also change the passwords for any other site you use.
• Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
  credit card information may have been stolen and ask what steps to take with regard to your account.
• Consider what other private information could possibly have been taken from your computer and take appropriate steps

Please read the following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please open SpyBot S&D

• Check for problems.
• When the scan completes, right click on the results list, select "Copy results to clipboard".
• Paste (Ctrl+V) those results in your next reply.

Step 2 | Please download aswMBR to your desktop.

• Double click the aswMBR icon to run it.
  Vista and Windows 7 users right click the icon and choose "Run as administrator".
• Click the Scan button to start scan.
• When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

Click the image to enlarge it


Step 3 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror - This version will download a randomly named file (Recommended)
Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Make sure all options are checked except:
  
  • IAT/EAT
  • Drives/Partition other than Systemdrive, which is typically C:\
  • Show All (This is important, so do not miss it.)

Click the image to enlarge it

• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

[felix_phillips]

Okay. Good to know. I can't wipe/reinstall until the end of the month, because I am currently away at university and thus away from the windows install disks. I'll try to repair it for now, and wipe&reinstall in a month when I get back home, because I can't not use my computer on account of school. I'm at the university right now, but I'll run the tools you suggested when I get home this afternoon/evening.

Some questions:

I have a 4GB USB stick I use to transfer files back and forth from my computer at home to the university. Is there a possibility that it is infected? Can it spread the infection to other computers? If so, how do I wipe it?

How to I back up my documents without accidentally backing up the infection too?

I also have a Dropbox, some of the folders of which I'm sharing with other people. Can they get infected via the Dropbox? ( http://www.dropbox.com )

Additionally:

My computer is mostly used for schoolwork, email, and games. I've done a little bit of Internet banking, so I'll call my bank as soon as I'm done making this post. Don't have a credit card, but someone else used their credit card once four months ago, about three months before symptoms started showing up. Is their information in danger?

In the process now of changing all my passwords. Passwords that I'm not going to tell my infected computer.

[Blottedisk]

Hi felix_phillips,


I would be glad to help you removing your current infections, until you can perform the reformat. If you would like to do so, then please follow the steps I gave you in my previous post, when you feel ready to start.

I have a 4GB USB stick I use to transfer files back and forth from my computer at home to the university. Is there a possibility that it is infected? Can it spread the infection to other computers? If so, how do I wipe it?

If it is infected, then it will most probable infect any computer that it is pluged in. Just keep it pluged-in during the malware removal process, and we will take care of it.

How to I back up my documents without accidentally backing up the infection too?

This infection does not alter documents, pictures, saved games, etc. However I would suggest you not to backup your data until we have finished with the malware removal process, especially if you are using an automatic backup tool (as I don't know what else it could backup).

I also have a Dropbox, some of the folders of which I'm sharing with other people. Can they get infected via the Dropbox? ( http://www.dropbox.com )

I dont think so, the infection doesn't work like that. If any of the files within the Dropbox folder is infected, the online scanner we are gonna run will tell. However (and I recommend you do this) you can also upload the files to VirusTotal: http://www.virustotal.com/

My computer is mostly used for schoolwork, email, and games. I've done a little bit of Internet banking, so I'll call my bank as soon as I'm done making this post. Don't have a credit card, but someone else used their credit card once four months ago, about three months before symptoms started showing up. Is their information in danger?

It depends on how long the infection have been lurking around. The Click.Giftload scheme was introduced by Spybot S&D on March, so yes, chances are that you became infected before.

In the process now of changing all my passwords. Passwords that I'm not going to tell my infected computer.

[felix_phillips]

Here are the logs you need. Thanks for the speedy replies to my questions, they were really helpful.


Spybot S&D Log:

Code:

Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
  

Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
  


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-04 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

aswMBR Log:

Code:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 14:26:10
-----------------------------
14:26:10.171    OS Version: Windows 5.1.2600 Service Pack 3
14:26:10.171    Number of processors: 2 586 0x301
14:26:10.171    ComputerName: ACER-A3FE35D430  UserName: Ben
14:26:14.250    Initialize success
14:26:24.984    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861
14:26:25.031    Disk 0 Vendor: Hitachi_ 1.10 Size: 152627MB BusType: 1
14:26:25.109    Device \Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:26:25.187    Device \Driver\ahcix86 -> DriverStartIo 8a2d927f
14:26:27.265    Disk 0 MBR read successfully
14:26:27.359    Disk 0 MBR scan
14:26:27.453    Disk 0 TDL4@MBR code has been found
14:26:27.562    Disk 0 MBR hidden
14:26:27.671    Disk 0 MBR [TDL4]  **ROOTKIT**
14:26:27.781    Disk 0 trace - called modules:
14:26:27.921    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2d9439]<<
14:26:28.046    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2f8030]
14:26:28.187    3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\000000b6[0x8a847258]
14:26:28.343    5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> [0x8a82da38]
14:26:28.500    \Driver\ahcix86[0x8a843680] -> IRP_MJ_CREATE -> 0x8a2d9439
14:26:28.703    Scan finished successfully

Gmer Log:

Code:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-04 15:20:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ahcix861 Hitachi_ rev.1.10
Running: 7ljmggj8.exe; Driver: C:\DOCUME~1\Ben\LOCALS~1\Temp\ufacakog.sys


---- System - GMER 1.0.15 ----

SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                                                                            ZwCreateKey [0xBA17887E]
SSDT            sphf.sys                                                                                                                                                     ZwEnumerateKey [0xB9ECDDA4]
SSDT            sphf.sys                                                                                                                                                     ZwEnumerateValueKey [0xB9ECE132]
SSDT            sphf.sys                                                                                                                                                     ZwOpenKey [0xB9EB50C0]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwOpenProcess [0xB93B56C0]
SSDT            sphf.sys                                                                                                                                                     ZwQueryKey [0xB9ECE20A]
SSDT            sphf.sys                                                                                                                                                     ZwQueryValueKey [0xB9ECE08A]
SSDT            Lbd.sys (Boot Driver/Lavasoft AB)                                                                                                                            ZwSetValueKey [0xBA178BFE]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwTerminateProcess [0xB93B5770]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwTerminateThread [0xB93B5810]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )                                   ZwWriteVirtualMemory [0xB93B58B0]

INT 0x73        ?                                                                                                                                                            8A142E58
INT 0x94        ?                                                                                                                                                            8A142E58
INT 0x94        ?                                                                                                                                                            8A142E58
INT 0x94        ?                                                                                                                                                            8A142E58
INT 0xA4        ?                                                                                                                                                            8A90FBF8

---- Kernel code sections - GMER 1.0.15 ----

?               sphf.sys                                                                                                                                                     The system cannot find the file specified. !
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                                                                     section is writeable [0xB8238000, 0x189FCA, 0xE8000020]
.text           USBPORT.SYS!DllUnload                                                                                                                                        B80548AC 5 Bytes  JMP 8A142438 
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3C4 3 Bytes  [00, 80, 02]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3C9 1 Byte  [30]
.text           ag8j1lst.SYS                                                                                                                                                 B7DBC3C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text           ...                                                                                                                                                          
?               C:\DOCUME~1\Ben\LOCALS~1\Temp\aswMBR.sys                                                                                                                     The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\svchost.exe[844] ntdll.dll!NtProtectVirtualMemory                                                                                        7C90D6EE 5 Bytes  JMP 0071000A 
.text           C:\WINDOWS\system32\svchost.exe[844] ntdll.dll!NtWriteVirtualMemory                                                                                          7C90DFAE 5 Bytes  JMP 00DC000A 
.text           C:\WINDOWS\system32\svchost.exe[844] ntdll.dll!KiUserExceptionDispatcher                                                                                     7C90E47C 5 Bytes  JMP 0070000C 
.text           C:\WINDOWS\system32\svchost.exe[844] USER32.dll!GetCursorPos                                                                                                 7E42974E 5 Bytes  JMP 00FB000A 
.text           C:\WINDOWS\system32\svchost.exe[844] USER32.dll!WindowFromPoint                                                                                              7E429766 5 Bytes  JMP 00FC000A 
.text           C:\WINDOWS\system32\svchost.exe[844] USER32.dll!GetForegroundWindow                                                                                          7E429823 5 Bytes  JMP 00FD000A 
.text           C:\WINDOWS\system32\svchost.exe[844] ole32.dll!CoCreateInstance                                                                                              774FF1AC 5 Bytes  JMP 00F0000A 
.text           C:\WINDOWS\Explorer.EXE[856] ntdll.dll!NtProtectVirtualMemory                                                                                                7C90D6EE 5 Bytes  JMP 00C2000A 
.text           C:\WINDOWS\Explorer.EXE[856] ntdll.dll!NtWriteVirtualMemory                                                                                                  7C90DFAE 5 Bytes  JMP 00C3000A 
.text           C:\WINDOWS\Explorer.EXE[856] ntdll.dll!KiUserExceptionDispatcher                                                                                             7C90E47C 5 Bytes  JMP 00B8000C 

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                                                                       8A8871F8

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                       AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device          \FileSystem\Fastfat \FatCdrom                                                                                                                                85CD21F8

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\USBSTOR \Device\000000cf                                                                                                                             8A14C330
Device          \Driver\NetBT \Device\NetBT_Tcpip_{6D26E4D1-C34F-40BE-830E-4037CE269D6E}                                                                                     8A0CC500
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                                             8A13F500
Device          \Driver\usbohci \Device\USBPDO-1                                                                                                                             8A13F500
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                                                                    8A90D1F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                                                                      8A90D1F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                                                         8A90D1F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                                                        8A90D1F8
Device          \Driver\usbehci \Device\USBPDO-2                                                                                                                             8A115500
Device          \Driver\usbohci \Device\USBPDO-3                                                                                                                             8A13F500
Device          \Driver\usbehci \Device\USBPDO-4                                                                                                                             8A115500

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                    Lbd.sys (Boot Driver/Lavasoft AB)

Device          \Driver\NetBT \Device\NetBT_Tcpip_{BAD1109F-EA5B-4F7A-8EF8-3BC50C0CE419}                                                                                     8A0CC500
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                       8A89E1F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                       8A89E1F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                                 8A1621F8
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                                       8A89E1F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                                 8A1621F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{93277B27-BBF8-4BBC-A568-6E0D30B43B52}                                                                                     8A0CC500
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                      8A0CC500
Device          \Driver\USBSTOR \Device\000000d0                                                                                                                             8A14C330
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                                             8A0CC500
Device          \Driver\PCI_PNP1216 \Device\00000085                                                                                                                         sphf.sys
Device          \Driver\sptd \Device\2396817466                                                                                                                              sphf.sys

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                    Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                  Lbd.sys (Boot Driver/Lavasoft AB)

Device          \Driver\usbohci \Device\USBFDO-0                                                                                                                             8A13F500
Device          \Driver\usbohci \Device\USBFDO-1                                                                                                                             8A13F500
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                                            895231F8
Device          \Driver\usbehci \Device\USBFDO-2                                                                                                                             8A115500
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                                  895231F8
Device          \Driver\usbohci \Device\USBFDO-3                                                                                                                             8A13F500
Device          \Driver\usbehci \Device\USBFDO-4                                                                                                                             8A115500
Device          \Driver\Ftdisk \Device\FtControl                                                                                                                             8A89E1F8
Device          \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861                                                                                                       8A2D927F
Device          \Driver\ahcix86 \Device\Scsi\ahcix861                                                                                                                        8A8891F8
Device          \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0TargetaLun0                                                                                  8A2D927F
Device          \Driver\ahcix86 \Device\Scsi\ahcix861Port0Path0TargetaLun0                                                                                                   8A8891F8
Device          \Driver\ag8j1lst \Device\Scsi\ag8j1lst1                                                                                                                      8A089500
Device          \Driver\ahcix86 -> DriverStartIo \Device\Scsi\ahcix861Port0Path0Target1Lun0                                                                                  8A2D927F
Device          \Driver\ahcix86 \Device\Scsi\ahcix861Port0Path0Target1Lun0                                                                                                   8A8891F8
Device          \Driver\ag8j1lst \Device\Scsi\ag8j1lst1Port1Path0Target0Lun0                                                                                                 8A089500
Device          \FileSystem\Fastfat \Fat                                                                                                                                     85CD21F8

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                     fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                     AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device          \FileSystem\Cdfs \Cdfs                                                                                                                                       8A1C9500
Device          \Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                         
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                              C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                              0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                              0
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                           0xD2 0x90 0x48 0x12 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                                                
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                     0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                                  0xB9 0x1E 0x1A 0xF9 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)                                           
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                             0x92 0xEB 0x25 0x71 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                         
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                              C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                              0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                              0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                           0xD2 0x90 0x48 0x12 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)                                                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                     0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                                  0xB9 0x1E 0x1A 0xF9 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)                                           
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                             0x92 0xEB 0x25 0x71 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                                           771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                                           285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                                           1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                                             
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                                                          C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                          0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                          0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                       0xD2 0x90 0x48 0x12 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                                                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                                                                 0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                                                              0xB9 0x1E 0x1A 0xF9 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                                                               
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                                                         0x92 0xEB 0x25 0x71 ...

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                                                                        TDL4@MBR code has been found                                                                                                                <-- ROOTKIT !!!
Disk            \Device\Harddisk0\DR0                                                                                                                                        sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

[Blottedisk]

Hi felix_phillips,


Please follow these steps:


Step 1 | Let's create a new restore point. Please:

• Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
• On the Welcome page, click Create a restore point.
• On the Create a Restore Point page, enter a descriptive name for your restore point (i.e. malware removal), and then click Create.
• The Restore Point Created page confirms that the new restore point has been created.

Step 2 | Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".

• Click the Scan button to start scan.
• When scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when its done before you do anything else, then post the log that will be on your desktop.

Click the image to enlarge it

[felix_phillips]

Hi Blottedisk;

When I rebooted, the computer went into a loop of "Windows didn't start correctly, choose safe mode, last known settings, or start normally." Whenever I picked an option, the windows XP laoding screen would pop up, the loading bar would scroll along... and then the screen switches for a frame or two to a blue screen with white text and then the cycle starts again. The blue screen happened too fast to make anything out - like I said, only lasted for a fraction of a second. All I know is that blue screens like that are usually really bad. Eventually I got fed up and killed the power by holding down the power button. Once the power was off, I removed the USB stick (the one that may or may not be infected) and turned it back on. The screen popped up again. I told it to start windows normally, and it worked.

Is there something simple I can to do avoid that, or is a giant warning sign from my computer about the infection?

System Restore Point is made.

aswMBR log:

Code:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 18:00:02
-----------------------------
18:00:02.078    OS Version: Windows 5.1.2600 Service Pack 3
18:00:02.078    Number of processors: 2 586 0x301
18:00:02.078    ComputerName: ACER-A3FE35D430  UserName: Ben
18:00:02.765    Initialize success
18:00:08.203    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861
18:00:08.265    Disk 0 Vendor: Hitachi_ 1.10 Size: 152627MB BusType: 1
18:00:08.312    Device \Device\Scsi\ahcix861Port0Path0Target0Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3&Rev_1.10#4&30ce5629&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
18:00:08.390    Device \Driver\ahcix86 -> DriverStartIo 8a2d927f
18:00:10.468    Disk 0 MBR read successfully
18:00:10.562    Disk 0 MBR scan
18:00:10.640    Disk 0 TDL4@MBR code has been found
18:00:10.750    Disk 0 MBR hidden
18:00:10.843    Disk 0 MBR [TDL4]  **ROOTKIT**
18:00:10.968    Disk 0 trace - called modules:
18:00:11.078    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2d9439]<<
18:00:11.187    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2f8030]
18:00:11.328    3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\000000b6[0x8a847258]
18:00:11.468    5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> [0x8a82da38]
18:00:11.625    \Driver\ahcix86[0x8a843680] -> IRP_MJ_CREATE -> 0x8a2d9439
18:00:11.796    Scan finished successfully
18:00:34.125    Disk 0 fixing MBR
18:00:44.296    Disk 0 MBR restored successfully
18:00:44.453    Infection fixed successfully - please reboot ASAP

[Blottedisk]

Hi felix_phillips,


There have been a few cases of this tool having a hard time against TDSS. That was probable the result of trying to deal with such a heavy infection like this. However the aswMBR log shows that it has successfully removed it.


If you reboot the computer now, are these loop and blue screen still happening? Please let me know, as there's still more to be done.

[felix_phillips]

Hi Blottedisk;

Rebooted as you requested. Started up as normal, no problems with "choose how to start your computer" loops or blue screens at all! The taskbar and windows are even back to their Windows XP theme state. (Although the theme tended to switch randomly between Windows XP and Windows Classic even before I came here and asked for help, so it may just be a coincidence.)

[Blottedisk]

Hi felix_phillips,


Glad to hear that. Then let's proceed this way:


Please visit the following and have a look how you can disable your security software.

How to disable your security programs

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

• Double click on Combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
• When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix