Hi all,

My mother's computer seems to have been infected with TDSS. I told her to follow the instructions on this page: http://community.norton.com/t5/Norton-Inte...SServ/m-p/46674 and run SDFix. She never was able to find the drivers in step 1, but she went through the instructions twice and after doing so, programs that used to not open (like Symantec) would now work. So she ran Symantec antivirus, Malwarebytes and SUPERAntiSpyware. Symantec was unhelpful in deleting anything, but the other two programs found and deleted many different issues, she said; however, she ran them multiple times and each time they would find something new. She also got Symantec Endpoint, installed it and ran it, and that did a little better than her older Symantec program.

The main issue she's having now is that certain sites are being blocked/redirected and the malware programs continue to find new issues. Below are the dds.txt contents, and I've attached ark.txt and attach.txt.

My first question is, is there anything we can do from here? Also, she's thinking of formatting and installing Windows 7; would this be any better? And finally, if in the end she does reformat and goes back to XP or gets Windows 7, should she change all of her passwords on sites, get new credit cards, etc., or is that taking it too far? She's also wary because she has a few doc files on her comp with passwords, credit card numbers, maybe even SSNs...

Thanks a bunch for any help,
Matt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Barbara Morgan at 11:07:48.63 on Sun 02/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1191 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\SymCorpUI.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Documents and Settings\Barbara Morgan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [soundMan] SOUNDMAN.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.163.39,93.188.161.101
TCP: {34E2B6B8-CE46-4A24-90D5-AC19F214FE85} = 93.188.163.39,93.188.161.101
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-16 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-16 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-12-16 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100227.025\NAVENG.SYS [2010-2-28 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100227.025\NAVEX15.SYS [2010-2-28 1324720]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-16 23888]
S3 MAUSBRI;M-Audio Fast Track Ultra Service;c:\windows\system32\drivers\mausbftu.sys [2009-5-21 135944]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [2008-4-13 25344]
S4 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S4 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

=============== Created Last 30 ================

2010-02-20 19:47:54 0 ------w- c:\documents and settings\barbara morgan\defogger_reenable
2010-02-20 19:44:57 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-02-20 19:43:31 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-02-18 23:57:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-18 23:56:53 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-18 23:56:53 0 d-----w- c:\docume~1\barbar~1\applic~1\SUPERAntiSpyware.com
2010-02-18 23:56:17 0 d-----w- c:\docume~1\barbar~1\applic~1\Malwarebytes
2010-02-18 23:56:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 23:56:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 23:56:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 23:56:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 20:16:46 0 d-----w- c:\windows\ERUNT
2010-02-15 20:01:38 0 d-----w- C:\SDFix

==================== Find3M ====================

2010-02-27 15:44:15 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-27 15:44:15 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-27 15:44:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-27 15:44:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-16 19:58:00 89600 ----a-w- c:\windows\system32\atl71.dll
2009-12-16 19:58:00 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2009-12-16 19:58:00 625032 ----a-w- c:\windows\system32\SymNeti.dll
2009-12-16 19:58:00 357704 ----a-w- c:\windows\system32\sysfer.dll
2009-12-16 19:58:00 242056 ----a-w- c:\windows\system32\SymRedir.dll
2009-12-16 19:58:00 107848 ----a-w- c:\windows\system32\SymVPN.dll
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-02 04:53:50 695578 ----a-w- c:\windows\system32\unins000.exe
2006-07-05 10:33:24 472000 ----a-w- c:\windows\inf\wg311t\WG311T13.sys
2004-10-20 00:58:28 35232 ----a-w- c:\windows\inf\wg311t\ME_INST.EXE
2004-10-20 00:58:28 26112 ----a-w- c:\windows\inf\wg311t\install.exe

============= FINISH: 11:08:17.39 ===============