I'm not sure which browser was opened first, IE or Firefox, but neither operates correctly and I was only able to reach this site through Chrome - which I'm afraid to close now. Attempted to clean myself with AVG and an old Trend Micro subscription; neither worked. A DDS log is below:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by HP_Administrator at 0:13:40.00 on Mon 04/04/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.948 [GMT -7:00]
.
AV: Trend Micro Titanium Internet Security *Disabled/Outdated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\HouseCall\housecall.bin
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = <local>
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [Ÿ]
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [Ijedidarexow] rundll32.exe "c:\windows\ipisiholuhuziqi.dll",Startup
Trusted Zone: trymedia.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\diu6s1h9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FoxClocks: {d37dc5d0-431d-44e5-8c91-49419370caa1} - %profile%\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\firefoxextension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: XULRunner: {6A94D315-55DB-461B-807A-FE485C99F17B} - c:\documents and settings\hp_administrator\local settings\application data\{6A94D315-55DB-461B-807A-FE485C99F17B}
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250824AS rev.3.AHH -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8934AECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xaf71e879; SUB DWORD [EBP-0x4], 0xaf71e135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A478AB8]
3 CLASSPNP[0xBA10905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000077[0x8A54C9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A4EF940]
[0x8A54AD20] -> IRP_MJ_CREATE -> 0x8934AECC
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskST3250824AS_____________________________3.AHH___#5&24a390b2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8934AAF1
user & kernel MBR OK
sectors 488397166 (+143): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:15:06.23 ===============
EDIT NOTE: I read a similar post and used the Kaspersky (sic) TDSSKiller for rootkit removal...it worked fast and complete. I've also updated all of my security patches and installed a high grade AV. While I know that my system is still vulnerable since it has been attacked once; it does allow me to access the internet again and I believe I've learned my lesson.