Initial symptoms:
- IE redirects from Google search results;
- Fake Windows security balloon and dialogue box warning of an infected system and prompting to click and have "Windows" download software to fix the infection;
- Windows Disk Defragmenter GUI initialized, but the Analyze and Defragment buttons both yielded a dialogue box "Defragmenter could not start";
- Windows Task Manager would not load;
- BSOD "Driver_irq_not_less_or_equal" crashes, for the most part at random, but when clearing cache with CCleaner, clicking the "Clear" command button was guaranteed to immediately cause the same BSOD;
- Spybot S&D would not update, and initializing caused the same BSOD described above;
- ZoneAlarm (free) would initialize, but the GUI failed to load;
- Slow system performance;
- Numerous Command Prompt windows loaded prior to Windows Explorer loading.
What I've done so far:
- When I first noticed the command prompt windows, I was finally able to gain some control over my computer. I took notice of the name of the executable running the command scripts: ntvdm.exe. I searched for all files (hidden, etc.) and found three instances. I deleted the 2 that were not the legitimate Windows OS file (Properties - Compatibility: valid Windows OS files' compatibility cannot be set, the rogue files' compatibility can).
Then I attempted to run Spybot SD. Initialization caused one more BSOD. Upon reboot, I chose not to close the Error Report Dialogue box and for some reason, I was able to run a full scan with Spybot and found multiple infections (Password stealers, TDSS rootkits, backdoor trojans, adware, and others). I was not able to update Spybot at this time however. After the scan, I rebooted and everything was back to normal except:
- CCleaner caused BSOD "Driver_irq_not_less_or_equal";
- Defrag still wouldn't work;
- IE still redirected links in Google search results (Firefox never gave me a problem this whole time).
Then I downloaded Malwarebytes Anti-Malware, ran a full scan, fixed the problems found, rebooted, and defrag was working again and CCleaner no longer caused the BSOD. However, IE was still redirecting the links in Google searches. So I again ran Spybot (now able to update from TeaTimer's right-click menu in the taskbar), but nothing serious was found in the Spybot scan. I then ran MBAM again, and it found the same TDSS rootkit it found before. Finally, I downloaded HijackThis, scanned, and saved the .log file in order to get some help from someone on this forum.
Please note: I've also already downloaded gmer.exe and performed a rootkit scan as prescribed by helpers in other, similar posts from this forum. All I have done thus far with gmer.exe is generate a .txt file and .log file of the rootkit scan performed (the "Show All" check box was not ticked).
Anyway, here is my HijackThis scan:
Scan saved at 12:48:24 PM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3474 bytes
Thanks again.
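As an added example (not part of the original post or of HijackThis itself), here is a small Python parser for the item lines of a HijackThis log like the one above, with the first-pass triage checks a log helper applies: entries whose file is "(file missing)", O23 services with "Unknown owner", and O6 policy restrictions marked "present". The sample log is a constructed excerpt copied from the post's own scan.

```python
import re
from typing import List, NamedTuple

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3474 bytes
"""
class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. "O2" or "O23"
    body: str      # the rest of the line after "O2 - "
    flags: tuple   # triage notes; empty when nothing stood out

# Every HijackThis item line starts with R<n> or O<n>, then " - ".
ITEM_RE = re.compile(r"^([RO]\d+) - (.*)$")

def triage(section: str, body: str) -> tuple:
    """Apply the simple checks a log helper applies first."""
    flags = []
    if "(file missing)" in body:
        flags.append("referenced file is missing: orphaned entry")
    if section == "O23" and " - Unknown owner - " in body:
        flags.append("service binary carries no publisher: verify by hand")
    if section == "O6" and body.endswith(" present"):
        flags.append("IE policy restriction set: confirm it was set on purpose")
    return tuple(flags)

def parse_log(text: str) -> List[Entry]:
    """Turn the item lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and footer lines are skipped
        section, body = m.group(1), m.group(2)
        entries.append(Entry(section, body, triage(section, body)))
    return entries

def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(e.section, "|", e.body[:60], "|", "; ".join(e.flags))
```

The checks only mark what deserves a closer look; a flagged O23 entry such as the RichVideo service is a known CyberLink component, so each flag still needs a human decision.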