---I got up early this morning and logged into my desktop. While rubbing my eyes, I clicked the Okay for the Flash Player Update that I knew better than to click due to warnings 3 months ago, then I clicked the okay for restarting Firefox so the installation of the plug-in could finish and, lo and behold, when I restarted Firefox, search result pages had been hijacked (obvious by the different font) and the browser was redirected to sites such as realsimple dot com, hxxp://188.8.131.52, hxxp/wwwmoevenpickhotels dot com, filterchemical dot com and, from the beginning, the one most infected people's systems are showing most often, local-news-online dot com.
---I can't access Safe Mode to try and perform the usual procedures for disinfecting either. When I tried safe mode originally, the system rebooted after loading Windows drivers. I disabled reboot on errors (via F8) and on the next attempt to boot to Safe Mode, received the address 0x0000007E (0xC0000005, 0x0122C000, 0x0122C000, 0xF789E504, 0xF789E200)... If anyone sees anything there.
---Searching Google for local-news-online dot com led me to Dr.Web Scanner and results show BackDoor.tdss.565 in C:\WINDOWS\system32\svchost.exe:1204 (earlier it was 1608 IIRC). Dr.Web Scanner shows it was eradicated, so I guess that is why the Select All | Cure | Rename | Move | Delete buttons are grayed out, but even changing settings to delete the infected file proves futile; restart the system and it's there again. System Restore is disabled.
---Oh yeah, no C: or D: drive is visible in Disk Management and they were before. They are not hidden when looking in Explorer though. C: is OS and D: is storage.
---My PC seems to be locking up when performing the RootRepeal scan, cursor/pointer freezes and the active HDD LED is a steady glow, so I am going to post the first 2/3 of the requested logs (DDS & Attach) while I let it sit and finish. Maybe it's something to do with an over-abundance of drivers or maybe it is* locking up.
---Preemptive Thank Yous also.
---Okay, no luck with RootRepeal. Left it running since just* after I posted the topic and it was locked up tight. Sysinternals' RootkitRevealer is running now JIC that will do.
Edit, morning of 12/17/09:
---Still can't get RootRepeal to run without the system locking up. Reinstalled Avast, ran a thorough boot scan and came back to run Dr.Web again and find:
setupyaheh.zip;V:\Old PC\Desktop\My_Stuff\Images\Scout;Archive contains infected objects;;
setupyaheh.exe;V:\Old PC\Desktop\My_Stuff\Images\Scout;Archive contains infected objects;;
Process in memory: C:\WINDOWS\system32\svchost.exe:1200;;BackDoor.Tdss.565;Eradicated.
---Is this yahelite.new/exe a so-called "false positive" like everyone is claiming, or is this program infected and lying dormant? Does this forum explain the possibility or is it another "guess" that this is a false positive? I have no clue how viruses work, so reading the results is like Navajo to me.
Edited by Grrrrrrrr, 17 December 2009 - 05:52 AM.