BleepingComputer.com: Infected with a trojan proxy agent

I saw a thread similar to the problem I'm experiencing and conventional methods of removing what I think is a rootkit have not been fruitful. I'm hoping that I can get this problem cleared up as it seems to effect my internet connection and any attempts I make to visit the URL of a site I searched for on google redirects me to a phony site. I've also noticed tabs opening, seemingly at random, to a bogus malware site. Hopefully I've come to the right place and am following the proper procedures, but if not feel free to point me in the right direction.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Connor at 3:43:27.06 on 01/08/2011 Sat
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.3054.1547 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe 4
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\system32\STacSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
svchost.exe 4
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Chatango\Chatango.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Connor\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Chatango] c:\program files\chatango\Chatango.exe
uRun: [BitTorrent] "c:\program files\bittorrent\BitTorrent.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\connor\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
SecurityProviders:

================= FIREFOX ===================

FF - ProfilePath - c:\users\connor\appdata\roaming\mozilla\firefox\profiles\nsa8hwuz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CTXXXX&q=
FF - component: c:\users\connor\appdata\roaming\mozilla\firefox\profiles\nsa8hwuz.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: Add N Edit Cookies: {038dc421-b19e-4711-a218-1fd10de9163b} - %profile%\extensions\{038dc421-b19e-4711-a218-1fd10de9163b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-6 239648]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2009-6-30 206336]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
R3 netr28u;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-8-5 750592]
R3 xcbdaNtscV;ViXS Tuner Card (NTSC) - V;c:\windows\system32\drivers\xcbdaV.sys [2009-6-10 157568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-2-8 25832]
S3 SrvHsfPCIe;SrvHsfPCIe;c:\windows\system32\drivers\VSTBS33.SYS [2009-7-13 205824]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-28 1343400]

=============== Created Last 30 ================

2011-01-08 07:59:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 07:59:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 07:59:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-07 21:55:38 -------- d-----w- c:\program files\common files\3DO Shared
2011-01-07 21:55:38 -------- d-----w- c:\program files\3DO
2011-01-07 21:51:49 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-01-07 04:48:12 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{265511d9-62ea-416a-a8ad-7ae18830c4ef}\mpengine.dll
2011-01-03 05:39:26 -------- d-sh--w- C:\$RECYCLE.BIN
2011-01-03 05:31:03 98816 ----a-w- c:\windows\sed.exe
2011-01-03 05:31:03 89088 ----a-w- c:\windows\MBR.exe
2011-01-03 05:31:03 256512 ----a-w- c:\windows\PEV.exe
2011-01-03 05:31:03 161792 ----a-w- c:\windows\SWREG.exe
2011-01-03 05:30:56 -------- d-----w- C:\Combo-Fix
2011-01-03 05:11:25 -------- d-----w- c:\program files\Alcohol Soft
2011-01-03 04:37:14 -------- d-----w- c:\users\connor\appdata\roaming\DAEMON Tools Pro
2011-01-03 04:37:14 -------- d-----w- c:\progra~2\DAEMON Tools Pro
2011-01-01 22:05:31 -------- d-----w- c:\windows\{0D59735E-1DA7-4E6D-B1CC-44A4F59FD0FD}
2010-12-29 06:22:55 -------- d-----w- c:\program files\あかべぇそふとつぅ
2010-12-29 00:53:49 21644 ----a-w- c:\progra~2\microsoft\windows\start menu\programs\あかべぇそ・よやぅ\橈恋ゎ国∥戛日葵ゎ少女\[051125](NoDVD) Sharin ver1.00.EXE
2010-12-28 19:23:46 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-12-28 19:15:33 -------- d-----w- c:\program files\BitTorrent
2010-12-28 19:14:50 -------- d-----w- c:\users\connor\appdata\roaming\BitTorrent

==================== Find3M ====================

2010-10-17 03:24:52 70144 --sha-r- c:\windows\system32\KBDKHMRO.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F98446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f9e504]; MOV EAX, [0x86f9e580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82E7E458] -> \Device\Harddisk0\DR0[0x86F73170]
3 CLASSPNP[0x8B79A59E] -> ntkrnlpa!IofCallDriver[0x82E7E458] -> [0x870A1C30]
\Driver\iaStorV[0x86F72580] -> IRP_MJ_CREATE -> 0x86F98446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; STD ; CLD ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x620; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 3:44:33.88 ===============

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



Thanks.

DR

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.