Malware problem... [RESOLVED], Hijackthis included...trojan possibly?
HCRX311 (Member, Posts: 64, OS: XP)
post Nov 21 2008, 01:52 PM
Post #1

Hey guys, thanks for the help of course... My computer seems to be having some trouble... the screen is resizing itself, and there are some other pop-up issues...

Here is the Hijackthis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:21 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Antivirus 2009\av2009.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [58149870476154050090686568261891] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab55579.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4904 bytes




Thanks,
TJ Paulin
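The helper's reply below is driven by reading the O2 and O4 lines above by eye: a BHO (winsrc.dll) loaded from system32, a Run value whose name is a 32-digit number pointing at "Antivirus 2009", and an "ieupdate" value that launches explorer32.exe from system32. The script that follows is an added example, not part of the original thread and not HijackThis code, that applies those same heuristics to a constructed subset of the log lines above. The known-good system32 autostart names and the rogue product folder are illustrative assumptions for this example, not a maintained allowlist.

```python
"""Triage of HijackThis O2 (BHO) and O4 (Run key) lines with the heuristics used in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [58149870476154050090686568261891] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
"""

# O4 - HKxx\..\Run: [value name] <path, optionally quoted, optionally with arguments>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
# O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$")

# Illustrative assumptions for this example, not a maintained allowlist: the Windows autostarts
# in this log that legitimately run from system32, and the rogue product named in the thread.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}
ROGUE_PRODUCT_DIRS = {"\\antivirus 2009\\"}


@dataclass(frozen=True)
class Finding:
    section: str  # "O2" (browser helper object) or "O4" (Run key autostart)
    path: str
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_machine_generated(name: str) -> bool:
    """True for Run value names like 58149870476154050090686568261891: a long digit
    string, or a long alphanumeric blob that contains digits."""
    n = name.strip()
    return bool(re.fullmatch(r"[0-9]{8,}", n)) or (
        len(n) >= 16 and n.isalnum() and any(c.isdigit() for c in n)
    )


def parse_o4(line: str):
    """Return (hive, key, value_name, exe_path) for an O4 line, dropping quotes and arguments."""
    m = O4_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:
        path = rest  # HijackThis prints unquoted paths even when they contain spaces
    return m.group("hive"), m.group("key"), m.group("name"), path


def parse_o2(line: str):
    m = O2_RE.match(line)
    return (m.group("name"), m.group("clsid"), m.group("path")) if m else None


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            _hive, _key, name, path = o4
            if looks_machine_generated(name):
                findings.append(Finding("O4", path, f"Run value name looks machine-generated: {name}"))
            if _in_system32(path) and _basename(path) not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(Finding("O4", path, "autostart from system32 under a non-standard binary name"))
            if any(d in path.lower() for d in ROGUE_PRODUCT_DIRS):
                findings.append(Finding("O4", path, "installed under a known rogue product folder"))
            continue
        o2 = parse_o2(line)
        if o2:
            _name, _clsid, path = o2
            if _in_system32(path):
                findings.append(Finding("O2", path, "BHO loaded from system32; vendor BHOs normally live under Program Files"))
    return findings


def flagged_paths(log_text: str) -> set:
    """Lower-cased paths of every flagged entry, for quick comparison against a fix script."""
    return {f.path.lower() for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}  {f.path}\n    {f.reason}")
```

Run against the constructed sample it flags exactly winsrc.dll, av2009.exe (twice: the random value name and the rogue folder) and explorer32.exe, while hkcmd.exe, ctfmon.exe and the Adobe and Google entries pass. The system32 check is deliberately a heuristic: it catches a binary dropped next to legitimate Windows files under a plausible-looking name, which is why explorer32.exe stands out, but it relies on the small allowlist being right for the machine in question.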
Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 21 2008, 01:56 PM
Post #2

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)


HCRX311 (Member, Posts: 64, OS: XP)
post Nov 22 2008, 02:30 PM
Post #3

Hey, thanks for the quick response. It will not let me run the first program in safe mode... it says it has an error, would you like to send or don't send the error... and just closes... I was able to run the other one, which I can get a log for shortly... it's just being difficult and not letting me go onto some internet sites... I believe it had the Antivirus 2009 virus...
Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 23 2008, 03:47 AM
Post #4

Let me know if you can't get onto the site and we can try something else.

Otherwise post the log if you can
HCRX311 (Member, Posts: 64, OS: XP)
post Nov 24 2008, 08:37 AM
Post #5

Ok the first program wouldn't work in safe mode...

But here is the second program log...

Thanks again..


--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel® Pentium® 4 CPU 2.26GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A06
USER : Administrator ( Administrator )
BOOT : Normal boot
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:74 Go (Free:66 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Sat 11/22/2008|13:39 )

--------------------\\ Listing folders in APPLIC~1

[04/17/2008|04:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe
[04/17/2008|04:46] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Google
[02/28/2008|10:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[03/11/2008|03:22] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Macromedia
[10/16/2008|12:23] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[07/31/2008|09:00] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun

[04/17/2008|04:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/17/2008|04:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[06/10/2008|02:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[11/19/2008|01:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[07/25/2008|01:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller

[02/28/2008|09:41] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[05/30/2008|04:28] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[05/12/2008|08:23] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[11/22/2008 01:37 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[07/16/2003 11:31 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[04/17/2008|04:17] C:\Program Files\<DIR> Adobe
[02/28/2008|10:26] C:\Program Files\<DIR> Analog Devices
[07/31/2008|08:44] C:\Program Files\<DIR> Common Files
[02/28/2008|09:37] C:\Program Files\<DIR> ComPlus Applications
[04/17/2008|04:14] C:\Program Files\<DIR> Google
[02/28/2008|10:28] C:\Program Files\<DIR> InstallShield Installation Information
[02/28/2008|10:28] C:\Program Files\<DIR> Intel
[09/04/2008|03:55] C:\Program Files\<DIR> Internet Explorer
[07/31/2008|08:47] C:\Program Files\<DIR> Java
[09/04/2008|04:00] C:\Program Files\<DIR> Messenger
[02/28/2008|10:36] C:\Program Files\<DIR> Microsoft ActiveSync
[02/28/2008|09:44] C:\Program Files\<DIR> microsoft frontpage
[02/28/2008|10:35] C:\Program Files\<DIR> Microsoft Office
[02/28/2008|10:35] C:\Program Files\<DIR> Microsoft Visual Studio
[08/02/2008|02:59] C:\Program Files\<DIR> Microsoft Works
[09/04/2008|03:55] C:\Program Files\<DIR> Movie Maker
[02/28/2008|09:37] C:\Program Files\<DIR> MSN
[02/28/2008|09:37] C:\Program Files\<DIR> MSN Gaming Zone
[09/04/2008|03:53] C:\Program Files\<DIR> NetMeeting
[02/28/2008|09:40] C:\Program Files\<DIR> Online Services
[09/04/2008|04:05] C:\Program Files\<DIR> Outlook Express
[07/31/2008|08:47] C:\Program Files\<DIR> Sun
[11/21/2008|02:49] C:\Program Files\<DIR> Trend Micro
[02/28/2008|10:04] C:\Program Files\<DIR> Uninstall Information
[07/25/2008|01:54] C:\Program Files\<DIR> Windows Live
[09/04/2008|03:56] C:\Program Files\<DIR> Windows Media Player
[09/04/2008|03:52] C:\Program Files\<DIR> Windows NT
[02/28/2008|10:37] C:\Program Files\<DIR> WindowsUpdate
[02/28/2008|09:44] C:\Program Files\<DIR> xerox

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/17/2008|04:17] C:\Program Files\Common Files\<DIR> Adobe
[02/28/2008|10:36] C:\Program Files\Common Files\<DIR> DESIGNER
[02/28/2008|10:26] C:\Program Files\Common Files\<DIR> InstallShield
[07/31/2008|08:44] C:\Program Files\Common Files\<DIR> Java
[02/28/2008|10:36] C:\Program Files\Common Files\<DIR> L&H
[08/02/2008|02:59] C:\Program Files\Common Files\<DIR> Microsoft Shared
[02/28/2008|09:38] C:\Program Files\Common Files\<DIR> MSSoap
[02/28/2008|01:26] C:\Program Files\Common Files\<DIR> ODBC
[02/28/2008|09:39] C:\Program Files\Common Files\<DIR> Services
[02/28/2008|01:26] C:\Program Files\Common Files\<DIR> SpeechEngines
[09/04/2008|04:05] C:\Program Files\Common Files\<DIR> System
[07/25/2008|02:05] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller

--------------------\\ Process

( 28 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme


--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]



[F:31754][D:67]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
[F:2][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies
[F:2533][D:20]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sat 11/22/2008|13:43 - Option : [1]

--------------------\\ Scan completed at 13:43:44

Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 24 2008, 08:38 AM
Post #6

Hello

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.




HCRX311 (Member, Posts: 64, OS: XP)
post Nov 25 2008, 08:18 AM
Post #7

Hey,

I can not get Combofix to run on the other computer, when I double click it, it asks if I want to run the unknown application. But after I click yes it does nothing. Can I run in safe mode maybe or do you have any other suggestions?

Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 26 2008, 07:29 PM
Post #8

Did you try renaming it and running it?
HCRX311 (Member, Posts: 64, OS: XP)
post Nov 26 2008, 09:25 PM
Post #9

Not yet. I will be able to try it Friday. Thanks again, I'll post Friday.
Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 27 2008, 05:58 AM
Post #10

ok cool
HCRX311 (Member, Posts: 64, OS: XP)
post Nov 28 2008, 08:37 AM
Post #11

Alright!! We are making some progress here! Thanks again, I am currently on G2G on the infected computer... Here is the log from ComboFix...

ComboFix 08-11-27.07 - Administrator 2008-11-28 9:29:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.94 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
c:\windows\IE4 Error Log.txt
c:\windows\system32\Drivers\TDSSpqxt.sys
c:\windows\system32\explorer32.exe
c:\windows\system32\ieupdates.exe
c:\windows\system32\TDSSciou.dll
c:\windows\system32\TDSSliqp.dll
c:\windows\system32\TDSSnrse.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvn.dat
c:\windows\system32\TDSStkdv.log
c:\windows\system32\winsrc.dll
c:\windows\system32\winsrc.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-24 13:06 . 2008-11-24 13:06 0 --a------ c:\windows\nsreg.dat
2008-11-24 11:55 . 2003-12-12 16:06 1,693,696 --a------ c:\windows\system32\ltclr13n.dll
2008-11-24 11:55 . 2003-11-04 15:11 155,648 --a------ c:\windows\system32\lftif13n.dll
2008-11-24 11:55 . 2003-11-04 15:10 98,304 --a------ c:\windows\system32\lffax13n.dll
2008-11-22 14:59 . 2008-11-22 14:59 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-22 13:53 . 2008-11-22 13:53 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-22 13:53 . 2008-11-22 13:53 <DIR> d-------- c:\program files\AVG
2008-11-22 13:53 . 2008-11-25 09:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-22 13:53 . 2008-11-22 13:53 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-22 13:53 . 2008-11-22 13:53 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 13:38 . 2008-11-22 13:43 <DIR> d-------- C:\Lop SD
2008-11-22 12:07 . 2008-11-28 09:03 2,271 --a------ c:\windows\system32\TDSSfpmp.dll
2008-11-21 14:49 . 2008-11-21 14:49 <DIR> d-------- c:\program files\Trend Micro
2008-11-11 19:28 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:27 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-23 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-22 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-22 231704]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\88oty7e5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.sonnysrv.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 09:32:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-28 9:34:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 14:34:20

Pre-Run: 70,876,880,896 bytes free
Post-Run: 71,493,115,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

104 --- E O F --- 2008-11-19 18:30:25
Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 28 2008, 08:46 AM
Post #12

Hello

Open Notepad and copy/paste the text in the box below into it:

http://www.geekstogo.com/forum/Malware-problem-t218181.html

Collect::
c:\windows\system32\TDSSfpmp.dll

Suspect::

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.





HCRX311 (Member, Posts: 64, OS: XP)
post Nov 28 2008, 09:53 AM
Post #13

Ok I sent the infected file..

Here is the log it generated..

ComboFix 08-11-27.07 - Administrator 2008-11-28 10:47:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.98 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSfpmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 09:48 . 2008-11-28 09:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2008-11-24 13:06 . 2008-11-24 13:06 0 --a------ c:\windows\nsreg.dat
2008-11-24 11:55 . 2003-12-12 16:06 1,693,696 --a------ c:\windows\system32\ltclr13n.dll
2008-11-24 11:55 . 2003-11-04 15:11 155,648 --a------ c:\windows\system32\lftif13n.dll
2008-11-24 11:55 . 2003-11-04 15:10 98,304 --a------ c:\windows\system32\lffax13n.dll
2008-11-22 14:59 . 2008-11-28 10:22 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-22 13:53 . 2008-11-28 09:51 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-22 13:53 . 2008-11-22 13:53 <DIR> d-------- c:\program files\AVG
2008-11-22 13:53 . 2008-11-28 09:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-22 13:53 . 2008-11-22 13:53 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-22 13:53 . 2008-11-22 13:53 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 13:38 . 2008-11-22 13:43 <DIR> d-------- C:\Lop SD
2008-11-21 14:49 . 2008-11-21 14:49 <DIR> d-------- c:\program files\Trend Micro
2008-11-11 19:28 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:27 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-22 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-22 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-22 231704]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 10:49:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-28 10:51:00
ComboFix-quarantined-files.txt 2008-11-28 15:50:47
ComboFix2.txt 2008-11-28 14:34:33

Pre-Run: 71,505,338,368 bytes free
Post-Run: 71,494,385,664 bytes free

75 --- E O F --- 2008-11-19 18:30:25
Rorschach112 (GeekU Teacher, Posts: 34,385, From: Dublin, OS: XP)
post Nov 28 2008, 01:18 PM
Post #14

Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
HCRX311 (Member, Posts: 64, OS: XP)
post Nov 29 2008, 08:04 AM
Post #15

Ok, thanks again for your time...

MBAM didn't find anything... here is the log for kas..

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 18:35:48
Records in database: 1424124
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 31920
Threat name: 6
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:19:51


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\explorer32.exe.vir Infected: Trojan.Win32.Pakes.luo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir Infected: Trojan.Win32.Pakes.luo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSciou.dll.vir Infected: Rootkit.Win32.Clbd.lc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSliqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrse.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoeqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1

The selected area was scanned.


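Every detection in the Kaspersky report above sits under C:\Qoobox\Quarantine with a .vir suffix, which is where ComboFix stores the copies of the files it already removed (the "Other Deletions" list in post #11), so these are hits on quarantined copies rather than on files still active on the system. The script below is an added example, not from this thread and not code from Kaspersky or ComboFix, that parses report lines of this shape, separates stored copies from live detections, and maps a Qoobox copy back to the path it was taken from. The sample report is constructed from the seven lines above plus one hypothetical live detection (invented path and threat name) so that both branches run; the AVG vault and System Restore folder markers are assumptions about where other tools keep copies.

```python
"""Split a Kaspersky Online Scanner report into quarantined copies and live detections."""
import re

# Constructed sample: the seven detection lines from the report above, plus one hypothetical
# live hit (path and threat name invented for this example) so both branches are exercised.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\explorer32.exe.vir Infected: Trojan.Win32.Pakes.luo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir Infected: Trojan.Win32.Pakes.luo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSciou.dll.vir Infected: Rootkit.Win32.Clbd.lc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSliqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrse.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoeqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\WINDOWS\system32\hypothetical_sample.dll Infected: Hypothetical.Example.Detection 1

The selected area was scanned.
"""

# One report line: "<path> Infected: <threat> <count>" (the scanner also emits "Suspicious:").
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Folders where a hit is a stored copy rather than a running file. Qoobox is ComboFix's
# quarantine; the other two are assumptions about where AVG and System Restore keep copies.
STORED_COPY_MARKERS = (
    "\\qoobox\\quarantine\\",
    "\\$avg8.vault$\\",
    "\\system volume information\\_restore",
)

# ComboFix mirrors the original tree under Quarantine\<drive>\ and appends ".vir".
QOOBOX_RE = re.compile(
    r"^[A-Za-z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+?)\.vir$", re.IGNORECASE
)


def original_path(path: str) -> str:
    r"""Map a ComboFix quarantine copy back to where it lived: C:\Qoobox\Quarantine\C\X.vir -> C:\X."""
    m = QOOBOX_RE.match(path)
    return f"{m.group('drive').upper()}:\\{m.group('rest')}" if m else path


def classify(report_text: str) -> dict:
    """Return {'quarantined': [(original_path, threat), ...], 'live': [(path, threat), ...]}."""
    result = {"quarantined": [], "live": []}
    for raw in report_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics and blank lines carry no detection
        path, threat = m.group("path"), m.group("threat")
        if any(marker in path.lower() for marker in STORED_COPY_MARKERS):
            result["quarantined"].append((original_path(path), threat))
        else:
            result["live"].append((path, threat))
    return result


def live_paths(report_text: str) -> list:
    """Paths that still need action; an empty list means every hit was a stored copy."""
    return [path for path, _ in classify(report_text)["live"]]


if __name__ == "__main__":
    summary = classify(SAMPLE_REPORT)
    for original, threat in summary["quarantined"]:
        print(f"quarantined copy of {original}: {threat}")
    for path, threat in summary["live"]:
        print(f"LIVE {path}: {threat}")
```

On the real report above live_paths() would come back empty, which is the check a helper makes before deciding the machine is clean: a scanner that reads inside the quarantine folder will keep reporting the removed files until that folder is deleted. Mapping each copy back to its original path also lets you confirm that the quarantined set matches the "Other Deletions" list in the ComboFix log rather than pointing at something ComboFix never touched.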
© Geeks to Go, Inc. | All Rights Reserved