So recently I got the tdssserv.sys trojan which kept directing my google search results to random advertising pages. It also did the other things mentioned with it...not being able to update certain AVS and not being able to install certain AVS, as well as tremendously slowing down my internet. I looked around on the net and found that it was best (at least at the time I thought it was) to disable (not uninstall) tdssserv.sys via going through the Device Manager and then by restarting and running a virus scan. This seemed to work as now my google search results were normal and I could now update my AVS and install malwarebytes. I scanned my computer with malwarebytes and then superantispyware. Malwarebytes found tdssserv.sys and removed it, as well as some other cookies and other moderate/low risk items. However, I am still getting problems with CounterSpy (another virus scanner I use), as it will not update and it still doesn't think I am connected to the internet, and my internet speed does not seem to be at 100% still. I checked my registry with regedit and saw there were traces of tdssserv.sys still there . So after spending too much time trying to search for the answers myself I decided it was time to come here and ask for help. Here are the MalwareBytes and HiJackThis log, Panda Active Scan is still scanning..will post when it's done: Malwarebytes' Anti-Malware 1.30 Database version: 1412 Windows 5.1.2600 Service Pack 3 11/19/2008 2:04:43 PM mbam-log-2008-11-19 (14-04-43).txt Scan type: Full Scan (C:\|) Objects scanned: 178396 Time elapsed: 1 hour(s), 36 minute(s), 17 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 14 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 17 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{875a1348-7674-42aa-adac-b4f36a004a2d} (Adware.AdBand) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\.zix (Rogue.WinZix2) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\WinZix (Trojan.Lop) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\kjbfionl.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Xkwizito\Desktop\Stuff\Touch\Install these\Games\68_377183_ad723_pxdxa.ESoft.Interactive.Spot.v1.0.1.ARM.PPC2002.Cracked_COR EPDA\ESoft.Interactive.Spot.v1.0.1.ARM.PPC2002.Cracked-COREPDA\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Xkwizito\Desktop\Stuff\Touch\Install these\Tools\Titan.14.Languages.Speereo.Voice.Translator.v4.0.Multilingual.XScale.WM2003 .Incl.Keygen.Patch-COREPDA\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\Documents and Settings\Xkwizito\Application Data\mouseapp.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Xkwizito\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1040.0.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Xkwizito\Local Settings\Temp\TDSS4c77.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Xkwizito\Local Settings\Temp\TDSS4c87.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk (Rogue.Link) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:43:59 PM, on 11/19/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Steam\Steam.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\Xkwizito\LOCALS~1\Temp\~AceTemp\RootkitRevealer\RootkitRevealer.exe C:\DOCUME~1\Xkwizito\LOCALS~1\Temp\ZNEOO.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\WINDOWS\regedit.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {9D81D933-4870-4A31-AC05-015143379349} - (no file) O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech SetPoint.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: awttusq - awttusq.dll (file missing) O20 - Winlogon Notify: kjbfionl - kjbfionl.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: ZNEOO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Xkwizito\LOCALS~1\Temp\ZNEOO.exe -- End of file - 8311 bytes I also ran RootkitRevealer and here is the log if it helps. HKU\.DEFAULT\Control Panel\International 11/18/2007 2:13 PM 0 bytes Security mismatch. HKU\.DEFAULT\Control Panel\International\Geo 11/18/2007 2:13 PM 0 bytes Security mismatch. HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Control Panel\International 11/18/2007 2:13 PM 0 bytes Security mismatch. HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Control Panel\International\Geo 11/18/2007 2:13 PM 0 bytes Security mismatch. HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Microsoft\Microsoft Management Console\Recent File List\File1 11/19/2008 2:52 PM 64 bytes Windows API length not consistent with raw hive data. HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Microsoft\Microsoft Management Console\Recent File List\File2 11/19/2008 2:52 PM 66 bytes Windows API length not consistent with raw hive data. HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey 11/19/2008 10:40 PM 182 bytes Windows API length not consistent with raw hive data. HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 7/3/2008 1:01 PM 0 bytes Key name contains embedded nulls (*) HKU\S-1-5-21-1389840345-1470907008-2518719266-1006\Software\Valve\Steam\Steam.exe\UpTimeMostRecent 11/19/2008 11:08 PM 4 bytes Data mismatch between Windows API and raw hive data. HKU\S-1-5-18\Control Panel\International 11/18/2007 2:13 PM 0 bytes Security mismatch. HKU\S-1-5-18\Control Panel\International\Geo 11/18/2007 2:13 PM 0 bytes Security mismatch. HKLM\SECURITY\Policy\Secrets\SAC* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*) HKLM\SECURITY\Policy\Secrets\SAI* 8/10/2004 8:23 PM 0 bytes Key name contains embedded nulls (*) HKLM\SOFTWARE\Classes\webcal\URL Protocol 10/12/2005 1:29 AM 13 bytes Data mismatch between Windows API and raw hive data. HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/19/2008 11:12 PM 80 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ovnfhmij.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\nnrfmpqw.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 11/18/2007 1:47 PM 0 bytes Access is denied. HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ovnfhmij.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\nnrfmpqw.exe 11/10/2008 4:43 PM 47 bytes Data mismatch between Windows API and raw hive data. C:\Documents and Settings\Xkwizito\Local Settings\Application Data\Mozilla\Firefox\Profiles\8vvr19gg.default\Cache\3B66747Dd01 11/19/2008 10:51 PM 18.77 KB Visible in Windows API, directory index, but not in MFT. C:\Documents and Settings\Xkwizito\Local Settings\Application Data\Mozilla\Firefox\Profiles\8vvr19gg.default\Cache\86024F33d01 11/19/2008 4:55 PM 114.21 KB Visible in Windows API, MFT, but not in directory index. C:\Documents and Settings\Xkwizito\Local Settings\Application Data\Mozilla\Firefox\Profiles\8vvr19gg.default\Cache\A8D6BE47d01 11/19/2008 4:55 PM 46.74 KB Visible in Windows API, MFT, but not in directory index. C:\Documents and Settings\Xkwizito\Local Settings\Temp\~F.tmp 11/19/2008 10:21 PM 238.00 KB Visible in Windows API, but not in MFT or directory index.