QuakemanJake
Posts posted by QuakemanJake
-
-
Thank you very much for your help, sir!
I will be purchasing MalwareBytes in order to support your efforts and the efforts of the contributors to this forum.
Keep up the outstanding work, and thanks again. I am already in the process of "hardening" this computer.
-
I should add that the computer does not appear to be acting strangely. I took my computer speakers off mute to see if I could hear any ads that were seemingly sounding out of nowhere, but so far I have noticed nothing.
Is it okay for me to re-enable my AV?
-
Ok, ran the ATFCleaner and got rid of a bunch of temp files.
I began to run ComboFix and the blue screen came up; shortly after, I was notified that my volsnap.sys file was patched with a rootkit and ComboFix would attempt to fix it. I clicked OK and after a moment the program said something to the effect of "Rootkit presence detected, the machine needs to be rebooted."
I allowed it to restart, and after doing so it made the System Restore point and then asked me if I wanted to install the Windows Recovery software. I clicked Yes, but the program said I was not connected to the internet, so I tried again, and it said it could not download the Windows Recovery software, but it would attempt to scan for malware anyway.
It was at that point I realized my router took a dump, so I terminated ComboFix myself so that I could reset the router.
I restarted ComboFix, after which point it notified me that there was a later version than the one I had and asked if I would like to update. I thought this was odd, as I had not been asked to update the first time I ran ComboFix. Regardless, I said yes, it appeared to update, and then said it would restart. It did so, and went through the System Restore and Windows Recovery prompt again; this time the download worked and the program ran through its stages, yielding the following log:
ComboFix 11-04-22.01 - Jennifer 04/22/2011 20:25:36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1403 [GMT -5:00]
Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jennifer\Desktop\Windows Recovery.lnk
c:\documents and settings\Jennifer\Start Menu\Programs\Windows Recovery
c:\documents and settings\Jennifer\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
c:\documents and settings\Jennifer\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
c:\windows\system32\Thumbs.db
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack

.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-19 22:51 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-19 22:51 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-19 22:51 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-04-19 22:51 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-04-19 22:51 . 2011-04-19 22:51 -------- d-----w- c:\program files\Avira
2011-04-19 22:51 . 2011-04-19 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-04-18 23:57 . 2011-04-18 23:57 -------- d--h--w- c:\windows\PIF
2011-04-18 14:44 . 2011-04-18 14:45 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-18 12:08 . 2011-04-18 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2011-04-18 12:07 . 2009-02-24 23:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2011-04-18 12:07 . 2011-04-18 12:28 -------- d-----w- c:\program files\MagicDisc
2011-04-18 12:04 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-18 11:48 . 2011-04-18 11:48 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 18:45 . 2010-10-19 04:34 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2008-05-07 08:34 . 2009-07-10 22:05 15523560 ----a-w- c:\program files\U1 Setup.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2009-11-07 06:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2009-11-07 06:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-17 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-4-18 576000]
.
c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-4-18 576000]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-7-10 376832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2011-03-03 05:18 6449984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/21/2010 2:40 AM 237632]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [10/21/2010 2:40 AM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [10/21/2010 2:40 AM 656320]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 5:51 PM 135336]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [7/14/2009 2:44 PM 933504]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/10/2009 4:34 PM 1684736]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [10/21/2010 2:39 AM 366840]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\om48p4mf.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 20:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(780)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-04-22 20:34:32
ComboFix-quarantined-files.txt 2011-04-23 01:34
.
Pre-Run: 53,014,810,624 bytes free
Post-Run: 52,980,596,736 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 05ABADB53FB4603A396EE876322149ED
-
Hi,
First, my apologies to elise025 and the OP from this thread for not lurking a little more.
I am having errors on my wife's PC similar to those found in that thread. I "recovered" the hidden files already, but as of this evening I am still getting redirects and random script errors from IE. I have run MBAM and Avira, and I have the log files specified in the tacked thread attached.
DDS.txt:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jennifer at 18:19:47.76 on Tue 04/19/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1400 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jennifer\Desktop\Defogger.exe
C:\Documents and Settings\Jennifer\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\om48p4mf.default\
FF - plugin: c:\documents and settings\jennifer\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-10-21 237632]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-10-21 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-10-21 656320]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-19 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-19 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-19 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-19 61960]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-10 55152]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-7-14 933504]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-10 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-10-21 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-10-21 1145816]
.
=============== Created Last 30 ================
.
2011-04-19 22:51:02 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-19 22:51:00 -------- d-----w- c:\program files\Avira
2011-04-19 22:51:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-18 23:57:03 -------- d--h--w- c:\windows\PIF
2011-04-18 23:44:06 -------- d-s---w- C:\ComboFix
2011-04-18 14:44:39 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-18 12:08:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Geek Squad
2011-04-18 12:07:47 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2011-04-18 12:07:46 -------- d-----w- c:\program files\MagicDisc
2011-04-18 12:04:05 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
.
==================== Find3M ====================
.
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe
.
============= FINISH: 18:20:56.31 ===============
-
Hi, new member here.
I have been following this thread for a bit; it appears my wife's computer is affected by the same symptoms.
I, too, had to make the hidden files reappear.
Running combofix yields a windowed blue screen, and there's an error message which says that volsnap.sys is compromised by a rootkit and prompts to fix it. I simply escape at that point without hitting OK. I noticed that running combofix also runs about 3 or 4 iexplore.exe processes which I kill with a process manager.
Same with lizzie, when attempting to run TDSSkiller it fails to run, even after renaming filename and extension.
Ran GMER and came up with a log, would it be okay for me to post it in this thread, too?
Google redirecting and suspected rootkit problems...
in Resolved Malware Removal Logs
Google is redirecting on a different computer I have.
I ran the latest malwarebytes quick scan and ended up with a few objects infected, one of which is listed as a rootkit.
Upon rebooting after scanning, the problems persist.
Below is the raw text of the malwarebytes scan:
_______________________________________________________________
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.04.06
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Warren :: Computer [administrator]
Protection: Enabled
7/4/2012 8:31:40 PM
mbam-log-2012-07-04 (20-40-08).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219872
Time elapsed: 8 minute(s), 9 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\Windows\System32\websensecamserver.dll (RootKit.0Access.H) -> No action taken.
Registry Keys Detected: 3
HKCR\sp (TrojanProxy.Agent) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> No action taken.
HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> No action taken.
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^^ -> No action taken.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\System32\websensecamserver.dll (RootKit.0Access.H) -> No action taken.
(end)
Attach.txt
DDS.txt