
Seeking guidance - infected system, run tdsskiller or other path?


Pellaz


Hey Forum ;) I am hoping someone is able to offer some guidance for me on my current woes - it would be very appreciated.

MSE alerted me to a threat yesterday - cleaned, rebooted, and everything seemed fine. The same happened again this morning - sadly, I was fairly occupied, and just hoped to wave it away without further investigation, so I chose to clean the file, and reboot - the deeper issues became evident then.

I began to get pop-ups and false alerts from a fake malware program called "Windows Defender".

I was unable to install and run Malwarebytes Anti-Malware - this has remained consistent throughout the day. I can install it, and if I rename the executable, it will attempt to run, but it returns a 0 then a 440 error.

I was only able to run Spybot S&D through the SRC file - this found several entries that I was able to remove for Windows Defender, but I was left with a more insidious issue.

Now my computer is grinding often, and is trying to access 76.191.100.17:HTTP through iexplore.exe once every 30 seconds or so.

I cannot activate resident protection on any AV software. I have been able to perform a scan before boot a few times, but they have been unsuccessful.

(Note - I am still working on getting a full log saved for GMER - I haven't been able to yet, though. I have included a screenshot, though, in attach.zip that shows the only two red values I've seen so far (up to Program Files\P). I understand that there is probably a lot of other helpful and relevant information in there, so I will continue to try and post here if/when I'm able to get a scan saved.)

Any advice would be greatly appreciated.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Administrator at 0:10:54.76 on Wed 01/13/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1126 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TVersity\Media Server\MediaServer.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\WallpaperToy\Wallpapertoy.Exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

c:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll

TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [startupDelayer0] "c:\program files\jockersoft\startup delayer\startupdelayer.exe" -file="c:\documents and settings\administrator\my documents\startuptest.xml" -ui=1

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"

mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\wallpa~1.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ybgc9za2.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&refresh=1|http://digg.com/|http://www.fark.com/

FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ybgc9za2.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}\components\Engine.dll

FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ybgc9za2.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll

FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll

FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ybgc9za2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npDimdimControl.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-12 64288]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-12 114768]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-1-16 353672]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-12 20560]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2008-3-4 34128]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-12 138680]

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-12 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-12 352920]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2009-12-27 25832]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-9-10 267760]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-9-10 218608]

=============== Created Last 30 ================

2010-01-13 06:10:24 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-01-13 01:47:01 1386496 ----a-w- c:\windows\system32\msvbvm60.dll

2010-01-13 01:45:36 0 d-----w- C:\UBCD4Win

2010-01-12 23:39:20 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-01-12 23:15:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-12 23:15:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-12 23:15:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-12 22:44:30 0 d-----w- c:\docume~1\admini~1\applic~1\AVG8

2010-01-12 22:22:51 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-01-12 22:14:07 1386496 ----a-w- c:\windows\msvbvm60.dll

2010-01-12 20:46:54 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-01-12 20:43:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

2010-01-12 20:43:02 0 d-----w- c:\program files\Lavasoft

2010-01-12 20:33:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-12 20:25:57 1036 ----a-w- c:\windows\wininit.ini

2010-01-12 19:23:16 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-12 16:04:09 0 d-----w- c:\documents and settings\administrator\.dvdcss

2010-01-12 16:00:51 0 d-----w- c:\program files\PS3 Media Server

2010-01-12 00:48:06 0 d-----w- c:\docume~1\admini~1\applic~1\HandBrake

2010-01-12 00:48:03 0 d-----w- c:\program files\Handbrake

2010-01-12 00:44:21 0 d-----w- c:\docume~1\admini~1\applic~1\Red Kawa

2010-01-12 00:44:10 0 d-----w- c:\program files\Regensoft

2010-01-12 00:44:07 0 d-----w- c:\program files\AviSynth 2.5

2010-01-11 00:27:40 0 d-----w- c:\program files\DVD Decrypter

2010-01-10 19:32:27 327 ----a-w- c:\windows\system32\tversity.cookies

2010-01-10 19:29:57 0 d-----w- c:\program files\ffdshow

2010-01-10 19:27:48 0 d-----w- c:\program files\TVersity Codec Pack

2010-01-10 19:27:30 0 d-----w- c:\program files\TVersity

2010-01-07 15:55:33 0 d-----w- c:\docume~1\admini~1\applic~1\DVDFab

2009-12-28 01:39:37 0 d-----w- c:\docume~1\alluse~1\applic~1\BioWare

2009-12-17 18:01:36 0 d-----w- c:\program files\Citrix

2009-12-17 18:01:03 60744 ----a-w- c:\documents and settings\administrator\g2mdlhlpx.exe

2009-12-16 02:07:59 0 d-----w- c:\program files\Mystery Case Files - Dire Grove

==================== Find3M ====================

2009-11-17 20:03:15 87608 ----a-w- c:\docume~1\admini~1\applic~1\inst.exe

2009-11-17 20:03:15 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2009-11-17 20:03:15 47360 ----a-w- c:\docume~1\admini~1\applic~1\pcouffin.sys

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-27 03:21:51 2544 ----a-w- c:\windows\system32\ealregsnapshot1.reg

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-15 16:28:26 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-10-15 16:28:26 119808 ----a-w- c:\windows\system32\t2embed.dll

2008-06-09 02:56:13 0 ------w- c:\program files\temp01

2007-12-04 07:53:00 4308992 ------w- c:\program files\mplayerc.exe

2002-08-01 01:55:12 108 --sh--w- c:\windows\WSYS049.SYS

2008-10-03 06:01:05 8 --sh--r- c:\windows\system32\ADE85051A1.dll

2008-08-31 15:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 0:12:07.75 ===============
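The checks a log reviewer would run first on a DDS report like the one above, as an added example (this is not code from the original post, from DDS, or from any of the tools named in the thread): it flags status lines that report a disabled protection component, counts duplicate process images in the Running Processes section, lists hidden+system files sitting directly in the Windows or System32 directory, and looks for the fixed-interval outbound connections the poster describes. The DDS lines embedded below are copied from the log in the post; the connection records are constructed to match the reported 30-second pattern, with 198.51.100.7 as a hypothetical unrelated destination. The heuristics (ignoring svchost.exe, treating hidden+system files directly under c:\windows as worth a look, a 20% jitter tolerance) are this example's own assumptions, and a hit is a prompt to inspect the file or connection, not a verdict that it is malicious.

```python
"""Triage helpers for a DDS-style log and a simple outbound-connection log.
Added example for this thread; not code from the original post or from DDS."""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Sample input: a handful of lines copied from the DDS log in the post.
SAMPLE_DDS = """\
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
============== Running Processes ===============
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\\Program Files\\Internet Explorer\\Iexplore.exe
C:\\Program Files\\Internet Explorer\\Iexplore.exe
C:\\Program Files\\Internet Explorer\\Iexplore.exe
C:\\WINDOWS\\Explorer.EXE
==================== Find3M ====================
2009-11-17 20:03:15 87608 ----a-w- c:\\docume~1\\admini~1\\applic~1\\inst.exe
2002-08-01 01:55:12 108 --sh--w- c:\\windows\\WSYS049.SYS
2008-10-03 06:01:05 8 --sh--r- c:\\windows\\system32\\ADE85051A1.dll
2008-08-31 15:51:40 32768 --sha-w- c:\\windows\\system32\\config\\systemprofile\\local settings\\history\\history.ie5\\mshist012008083120080901\\index.dat
============= FINISH: 0:12:07.75 ===============
"""

# Constructed sample of outbound connections (time, process, destination),
# shaped like a personal-firewall log showing the 30-second pattern reported.
SAMPLE_CONNECTIONS = """\
2010-01-13 00:10:02 iexplore.exe 76.191.100.17:80
2010-01-13 00:10:05 firefox.exe 198.51.100.7:80
2010-01-13 00:10:32 iexplore.exe 76.191.100.17:80
2010-01-13 00:11:01 iexplore.exe 76.191.100.17:80
2010-01-13 00:11:20 firefox.exe 198.51.100.7:80
2010-01-13 00:11:31 iexplore.exe 76.191.100.17:80
2010-01-13 00:12:02 iexplore.exe 76.191.100.17:80
"""

# DDS file entry: "<date> <time> <size> <8 attribute flags> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")


def av_status_disabled(log: str) -> list[str]:
    """Return the AV:/FW: status lines that report a disabled component."""
    return [ln for ln in log.splitlines()
            if ln.startswith(("AV:", "FW:")) and "disabled" in ln.lower()]


def duplicated_processes(log: str, ignore=("svchost.exe",), min_count=2) -> dict[str, int]:
    """Count images by basename inside the Running Processes section.
    svchost.exe legitimately runs many instances, so it is ignored by default."""
    counts: Counter = Counter()
    in_section = False
    for ln in log.splitlines():
        if ln.startswith("====="):
            in_section = "Running Processes" in ln
            continue
        if in_section and ln.strip():
            image = ln.split(" -k ")[0].strip()  # drop svchost group arguments
            counts[image.rsplit("\\", 1)[-1].lower()] += 1
    return {k: v for k, v in counts.items() if v >= min_count and k not in ignore}


def hidden_system_files(log: str, dirs=("c:\\windows", "c:\\windows\\system32")) -> list[str]:
    """Files in the Created/Find3M listings carrying both the system (s) and
    hidden (h) flags and sitting directly in one of `dirs`. Heuristic only: the
    profile's index.dat also has both flags but lives deeper, so it is skipped."""
    hits = []
    for ln in log.splitlines():
        m = FILE_RE.match(ln)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        parent = path.lower().rsplit("\\", 1)[0]
        if "s" in attrs and "h" in attrs and parent in dirs:
            hits.append(path)
    return hits


def find_beacons(conn_log: str, min_hits=4, jitter=0.2) -> list[tuple[str, str, float]]:
    """Group connections by (process, destination) and report pairs whose gaps
    are nearly constant: every gap within `jitter` (fraction) of the median gap.
    Returns (process, destination, median_gap_seconds) per beacon candidate."""
    times: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ln in conn_log.splitlines():
        parts = ln.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        times[(parts[2], parts[3])].append(ts)
    beacons = []
    for (proc, dest), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= jitter * med for g in gaps):
            beacons.append((proc, dest, med))
    return beacons


if __name__ == "__main__":
    print("disabled protection:", av_status_disabled(SAMPLE_DDS))
    print("duplicate images:", duplicated_processes(SAMPLE_DDS))
    print("hidden+system in Windows dirs:", hidden_system_files(SAMPLE_DDS))
    print("periodic connections:", find_beacons(SAMPLE_CONNECTIONS))
```

Run against the full log, the process check surfaces the three Iexplore.exe instances that match the poster's description of iexplore.exe contacting 76.191.100.17 every 30 seconds, and the attribute check surfaces the two tiny hidden+system files (WSYS049.SYS, ADE85051A1.dll) in the Find3M section; both are things to hand to whoever reviews the thread, not proof of infection on their own. The beacon detector needs a timestamped connection log (the ZoneAlarm log, or a netstat loop) as input; the constructed sample stands in for that here.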
