I have been scanning the forums for hours and noticed that this post BELOW is the exact same problem I have after running Dr. Web.
Quote
Like a few others that have been before me, I have fallen victim to the Backdoor.TDSS.565 virus, at least that is what Dr. Web is calling it. Like the others, Dr. Web claims to remove it, but it returns in the very next process that is run on the machine. Also, I am being redirected from any favorites or any clicks from a Google search.
Others with similar problems have claimed to fix it, but their posts do not give an indication of what needed to be done to make that happen.
I have read the first part and am familiar with most of it, as I do this for a living, but the advanced stuff I will leave to you, if you will help me finish this.
Here is my log from GMER. If you want me to start fresh with OTL, I will do this.
I have run every program available in safe mode and removed stuff for a week, but as soon as it's online again, I get Generic Windows Services 32 errors, which show it is related to (mshtml.dll) and also to (Ntdll), which I see listed in the GMER log below.
Thanks in advance
JB
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-28 08:56:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD5000AAKS-75A7B2 rev.01.03B01
Running: rgclexyg.exe; Driver: C:\DOCUME~1\Spencer\LOCALS~1\Temp\agtoapoc.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C6000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B4000C
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00CB000A
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 007F000C
.text C:\WINDOWS\System32\svchost.exe[1776] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0104000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0136000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1940] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0103000C
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8AFCF39B
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD5000AAKS-75A7B2___________________01.03B01#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
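The GMER log above mixes three kinds of findings that a responder reads differently: 5-byte JMP patches in user-mode processes, kernel dispatch routines (here atapi's DriverStartIo) redirected to one address, and raw disk sectors that GMER could not read consistently. The script below is an added example, not part of the post and not GMER's own code; it parses lines in that format and groups them for triage. The regular expressions are my own reading of GMER's line layout, and the "anonymous target" heuristic (a JMP whose destination GMER cannot attribute to any loaded module is more interesting than one that lands in a named module such as a browser's own xul.dll) is a triage rule of mine, not something GMER reports. The sample lines are copied from the log in this post.

```python
"""Parse a GMER rootkit-scan log and group its findings for triage.

Added example (not from the forum post or the GMER project). The regexes
are my own reading of GMER's output format; the sample lines are copied
from the log in the post.
"""
import json
import re
from dataclasses import dataclass, field

# One inline hook in a user-mode process, e.g.
# .text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B5000A
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_owner>\S.*))?$"   # module GMER attributed the target to, if any
)
# A kernel driver whose dispatch routine was redirected, e.g.
# Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AFCF39B
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+->\s+(?P<routine>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]+)$"
)
# A raw disk sector GMER flagged, e.g.
# Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
SECTOR_RE = re.compile(
    r"^Disk\s+(?P<disk>\S+)\s+sector\s+(?P<sector>\d+):\s+(?P<note>[^;]+);?$"
)

# Constructed sample: a subset of the lines from the log in the post.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[164] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1464] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C6000A
.text C:\WINDOWS\System32\svchost.exe[1776] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1776] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D7000A
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AFCF39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AFCF39B
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD5000AAKS-75A7B2___________________01.03B01#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class GmerReport:
    user_hooks: list = field(default_factory=list)    # match dicts from USER_HOOK_RE
    device_hooks: list = field(default_factory=list)  # match dicts from DEVICE_RE
    sectors: list = field(default_factory=list)       # match dicts from SECTOR_RE
    unparsed: list = field(default_factory=list)      # lines matching none of the three


def parse_gmer(text: str) -> GmerReport:
    """Classify each non-header line of a GMER log into one of three finding types."""
    report = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and "---- Section ----" headers carry no finding
        for regex, bucket in ((USER_HOOK_RE, report.user_hooks),
                              (DEVICE_RE, report.device_hooks),
                              (SECTOR_RE, report.sectors)):
            m = regex.match(line)
            if m:
                bucket.append(m.groupdict())
                break
        else:
            report.unparsed.append(line)  # keep for manual review, never silently drop
    return report


def triage(report: GmerReport) -> dict:
    """Group findings by how a responder would prioritise them (my heuristic, not GMER's)."""
    # A JMP whose destination GMER could not attribute to any module points into
    # anonymous memory, which is how injected code usually looks; a JMP that
    # resolves to a named module is often a legitimate in-process hook.
    anonymous = [h for h in report.user_hooks if not h["target_owner"]]
    attributed = [h for h in report.user_hooks if h["target_owner"]]
    # Several devices sharing one redirected routine address is one hook
    # installed once, not several independent findings.
    redirect_addrs = {d["addr"] for d in report.device_hooks}
    return {
        "anonymous_hook_count": len(anonymous),
        "hooked_processes": sorted({h["process"] for h in anonymous}),
        "hooked_functions": sorted({f'{h["module"]}!{h["func"]}' for h in anonymous}),
        "attributed_hooks": [(h["process"], h["func"], h["target_owner"]) for h in attributed],
        "redirected_drivers": sorted({(d["driver"], d["routine"]) for d in report.device_hooks}),
        "distinct_redirect_targets": len(redirect_addrs),
        "suspicious_sectors": sorted(int(s["sector"]) for s in report.sectors),
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_gmer(SAMPLE_LOG)), indent=2))
```

Run it on a full log by passing the file contents to `parse_gmer` instead of `SAMPLE_LOG`; on the sample it reports four anonymous-target hooks across Explorer.EXE and svchost.exe, one attributed hook (the Firefox TrackPopupMenu patch into xul.dll), one driver routine redirected for every IDE port to a single address, and two flagged sectors. The `unparsed` list exists so that lines in a layout the regexes do not know about (the "device not found" line, for instance) surface for manual reading rather than disappearing.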