Infected with Antivirus 2009 - have run malware scans, but DNS still redirected for security sites etc

http://www.malwareteks.com/FixIEDef.php

I do believe this is the tool i used to remove this

Use Spybot to check winsock entries. Although you reset winsock, malware may be running on bootup and modifying winsock.

Thanks very much for your suggestions.

I will attempt removal with the above tools, but what I really wanted to understand was where I would look manually for evidence of corruption/tampering with the DNS resolution process.

Spybot & AdAware both list locations and registry entries when detecting malware but 'one fix' tools such as the above do not always detail what they are removing and if they do, have sometimes been 'out-of-date' fix versions. In addition, there were several other infections identified by Spybot and therefore my problem is not necessarily caused by Antivirus 2009. I have already looked at two removal
processes where the resgistry entries were not present in the affected PC.

Whilst I do need to remove the infection, what I really want to know is how I investigate the DNS setup  on the affected PC to determine where the re-direction is occurring if the removal tools have not identified the correct causes(s). If the Hosts file is good, and the DNS address is correct, what else is tinkering with the resolution?    

firstade, you can also try looking at the TCP/IP Properties to see if it anything is listed under the DNS or WINS section. To do this go to Start > Settings > Control Panel > Network Connections. Click on Properties and then scroll down to Internet Protocl (TCP/IP) and double click on it. Click on Advanced button. Then go to the DNS and WINS tabs to see if anything is added there.

You might also want to check your Internet Explorer proxy to make sure nothing bad was entered there. To do this, go into Internet Explorer > Tools > Internet Options > Connections tab and click on the LAN Settings button. If your network doesn't use a proxy, make sure it's all clear in there.

If the Hosts file is good, and the DNS address is correct, what else is tinkering with the resolution?  -----> Check winsock entries as previously suggested. Spybot has a good tool for viewing winsock entries.

The tool that i gave use gives a detailed log after removal if that helps

I believe that these two infected files are what you are looking for shlwapi.dll and
wininet.dll

This is a complete list of infected files

http://www.windowsvistaplace.com/antivirus2009-antivirus-2009-removal-instructions/spyware-removal

Yes, Some trojans will modify the TCP/IP settings to point to a different DNS server, similar to Qhosts trojans.

I had previously checked the winsock entries with Sysinternals Autoruns, and Spybot - all entries are signed by Microsoft. The TCP/IP settings for the network connection are Auto DNS, and no WINS addresses are specified.

I am going ahead with the 'removal' using the tools specified above -  and hopefully if successful, the log(s) will identify the rogue components. I will let you know!

Ok - Results:

FixIEDef did not resolve the problem - log attached.
MalwareBytes did find the problem - a service called tdssserv and associated registry entries which include IP addresses (presumably the 'new' DNS addresses?).
(There are other registry entries that Malwarebytes did not find for 'tdss' for loading it during Safe boot).    

a) Can anyone shed more light on how this service was operating (using tdssserv.sys??) when
the NSLOOKUP resolved to 192.168.100.1 (my router)
b) Why was the TDSS service not shown in the HIJACK log?

FixIEDef log -
********************************************************************************
*                                                                              *
*                                 FixIEDef Log                                 *
*                              Version 1.5.4.6026                              *
*                                                                              *
********************************************************************************

Created at 19:50:49 on Tuesday, August 19, 2008

Time Zone         : (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Logged On User    : Denton

Operating System  : Microsoft Windows XP Home Edition Service Pack 2
OS Version        : 5.1.2600
System Langauge   : English (United States)
Keyboard Layout   : English (United States)
Processor         : X86 Intel(R) Celeron(R) M processor         1.60GHz

System Drive      : C:\
Windows Directory : C:\WINDOWS
System Directory  : C:\WINDOWS\system32

Total Physical Memory : 981168 KB
Free Physical Memory  : 599716 KB
Total Virtual Memory  : 2097024 KB
Free Virtual Memory   : 2011252 KB

Boot State        : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\LuResult.txt

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Malwarebytes log -

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

22:57:41 19/08/2008
mbam-log-08-19-2008 (22-57-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 85940
Time elapsed: 15 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\AV9 (Rogue.Antivirus2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\PCHealthCenter\0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\AV9\av2009.exe (Rogue.Antivirus2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080811205939687.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080811212255390.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080811214330109.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080812102404093.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\avm.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denton\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Registry Keys:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\tdss]
"build"="alpha9"
"type"="standart"
"errors_url"="http://stableclick.com/ctl/errors.php"
"cmddelay"=dword:00015180
"serversdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\tdss\connections]
"75.125.49.243"=hex(0):
"70.86.6.242"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed]
"gmer.sys"=hex(0):
"mbamswissarmy.sys"=hex(0):

[HKEY_LOCAL_MACHINE\SOFTWARE\tdss\injector]
"*"="tdssadw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\tdss\version]
"http://updatemicr0s0ft.net/ctl/get.php?file=cmds/init"="2.1"
"http://stableclick.com/ctl/get.php?file=cmds/init"="2.1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata]
"affid"="42"
"subid"="v2test2"
"control"=hex:1c,04,10,10,1f,11,16,1a,1e,1b,12,54,18,13,10
"prov"="10010"
"googleadserver"="pagead2.googlesyndication.com"
"flagged"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=hex(2):5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,74,00,64,00,73,00,73,00,73,00,65,00,\
  72,00,76,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv\Enum]
"0"="Root\\LEGACY_TDSSSERV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\tdssserv.sys]
@="driver"

Use combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you How to use Combofix as well as installing RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Hi rpgamergirl

Sorry if i am being dense - Malwarebytes has restored correct DNS processing. Is ComboFix for the other registry entries (related to TDSS infection but now benign?)  

Actually I screwed up I didn't read further along, when you said that FixIEDef did not work, and tdssserv was present I then suggested combofix.
tdssserv.sys <-- is a rootkit that combofix also takes care of.
The service not showing in Hijackthis could be because it was a hidden service.
Combofix can delete the registry entries(cfscript) but you can also manually delete those yourself.
 

Ok - tdssserv removed (see log)
ComboFix and New HJT log below.

Please could you shed some light or point me in the direction of an article that explains how the tdss* related drivers and services have modified the DNS search. If the IP addresses shown in the registry keys above were substituted for the correct ones, where would I query them? NSLOOKUP?

Also, why does TDSS service not appear in original HJT log?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ComboFix 08-08-18.05 - Denton 2008-08-20 11:05:03.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.496 [GMT 1:00]
Running from: C:\Documents and Settings\Denton\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Denton\Application Data\inst.exe
C:\Documents and Settings\Denton\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\etc\hosts.bak2

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


(((((((((((((((((((((((((   Files Created from 2008-07-20 to 2008-08-20  )))))))))))))))))))))))))))))))
.

2008-08-19 20:30 . 2008-08-19 20:31      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-08-19 20:30 . 2008-08-19 20:30      <DIR>      d--------      C:\Documents and Settings\Denton\Application Data\Malwarebytes
2008-08-19 20:30 . 2008-08-19 20:30      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-19 20:30 . 2008-08-17 15:01      38,472      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-19 20:30 . 2008-08-17 15:01      17,144      --a------      C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 15:32 . 2008-08-18 15:32      <DIR>      d--------      C:\Program Files\Trend Micro
2008-08-18 14:58 . 2008-08-18 14:58      0      --a------      C:\WINDOWS\nsreg.dat
2008-08-18 14:29 . 2008-08-18 14:29      <DIR>      d--------      C:\Program Files\Lavasoft
2008-08-18 14:29 . 2008-08-18 14:29      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 14:29 . 2008-08-18 14:32      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-18 13:03 . 2008-08-18 13:01      3,177,440      --a------      C:\spybotsd_includes.exe
2008-08-18 09:38 . 2001-08-17 13:48      12,160      --a------      C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-18 09:38 . 2001-08-17 13:48      12,160      --a--c---      C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-15 18:01 . 2008-08-19 23:21      <DIR>      d--------      C:\WINDOWS\system32\drivers\Avg
2008-08-15 18:01 . 2008-08-15 18:01      <DIR>      d--------      C:\Program Files\AVG
2008-08-15 18:01 . 2008-08-15 18:16      <DIR>      d--------      C:\Documents and Settings\Denton\Application Data\AVGTOOLBAR
2008-08-15 18:01 . 2008-08-15 18:01      96,520      --a------      C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-15 18:01 . 2008-08-15 18:01      76,040      --a------      C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-15 18:01 . 2008-08-15 18:01      10,520      --a------      C:\WINDOWS\system32\avgrsstx.dll
2008-08-15 17:57 . 2008-08-15 17:57      <DIR>      d--------      C:\Program Files\Microsoft Silverlight
2008-08-15 17:53 . 2008-05-01 15:30      331,776      -----c---      C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 17:26 . 2008-08-15 17:26      <DIR>      d--------      C:\Program Files\Spybot - Search & Destroy
2008-08-15 17:26 . 2008-08-20 10:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-15 17:25 . 2008-08-15 17:25      <DIR>      d--------      C:\Program Files\CCleaner
2008-08-15 17:23 . 2008-06-06 04:18      <DIR>      d--------      C:\Documents and Settings\Administrator\WINDOWS
2008-08-15 17:23 . 2008-06-06 04:17      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\toshiba
2008-08-15 17:23 . 2005-12-08 18:25      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-15 17:23 . 2008-06-06 04:17      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Sonic
2008-08-15 17:23 . 2008-08-15 18:02      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-08-12 10:38 . 2008-08-12 16:46      <DIR>      d--------      C:\Documents and Settings\Denton\Application Data\McAfee
2008-08-11 20:58 . 2008-08-11 20:59      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\services
2008-08-11 19:20 . 2008-08-11 19:20      1,432      --a------      C:\WINDOWS\crrqdtn48.ini
2008-08-01 18:11 . 2008-08-01 18:11      40      --a------      C:\Auth.prof
2008-07-23 22:44 . 2006-03-03 08:07      143,360      ---------      C:\WINDOWS\system32\dunzip32.dll
2008-07-23 22:38 . 2008-08-12 16:49      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\McAfee

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 17:01      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\avg8
2008-08-12 16:19      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-02 08:41      ---------      d-----w      C:\Program Files\lx_cats
2008-08-02 08:39      ---------      d-----w      C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-07-19 12:02      ---------      d-----w      C:\Program Files\Google
2008-07-17 11:40      ---------      d-----w      C:\Program Files\Sky Broadband
2008-07-11 15:57      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-07-11 15:56      ---------      d-----w      C:\Program Files\Common Files\Adobe Systems Shared
2008-07-07 20:06      253,952      ----a-w      C:\WINDOWS\system32\es.dll
2008-07-05 13:29      ---------      d-----w      C:\Program Files\Common Files\Adobe AIR
2008-07-05 13:12      47,360      ----a-w      C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-05 13:12      47,360      ----a-w      C:\Documents and Settings\Denton\Application Data\pcouffin.sys
2008-07-05 13:12      ---------      d-----w      C:\Documents and Settings\Denton\Application Data\Vso
2008-07-05 09:48      4,815,653      ----a-w      C:\WINDOWS\Indiana_.scr
2008-07-05 09:48      235,600      ----a-w      C:\WINDOWS\uninstall Indiana_.exe
2008-07-02 20:12      ---------      d-----w      C:\Program Files\Advanced JPEG Compressor
2008-07-02 20:12      ---------      d-----w      C:\Documents and Settings\Denton\Application Data\zweitgeist
2008-07-02 16:19      ---------      d-----w      C:\Program Files\WebSupergoo
2008-06-30 23:01      34,308      ----a-w      C:\WINDOWS\system32\Chip.dll
2008-06-28 07:15      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 19:55      ---------      d-----w      C:\Program Files\Microsoft Works
2008-06-27 13:45      ---------      d-----w      C:\Documents and Settings\Denton\Application Data\Ahead
2008-06-27 13:36      ---------      d-----w      C:\Documents and Settings\Denton\Application Data\FaxCtr
2008-06-26 19:23      ---------      d-----w      C:\Program Files\Lexmark Toolbar
2008-06-26 19:15      ---------      d-----w      C:\Program Files\Lexmark Fax Solutions
2008-06-26 19:15      ---------      d-----w      C:\Program Files\Lexmark 3400 Series
2008-06-26 19:14      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-06-24 16:23      74,240      ----a-w      C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57      826,368      ----a-w      C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41      245,248      ----a-w      C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 12:26 65536]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-07-17 14:50 2599224]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 10:39 149040]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-05 21:33 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 23:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 23:26 688218]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-12-08 13:53 352256]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 13:25 73728]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 11:31 118784]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-08-30 12:53 1077329]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 06:10 122940]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 11:12 243240]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-04 10:59 161328]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2006-03-06 18:48 286720]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2006-02-07 06:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11 290816]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 12:54 65536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-15 18:01 1232152]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 19:14 15473664 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 14:29 88203 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 15:26 266240 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-06-05 21:33:48 125176]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 23:23:00 53317]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders      msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7906:TCP"= 7906:TCP:BitComet 7906 TCP
"7906:UDP"= 7906:UDP:BitComet 7906 UDP
"25711:TCP"= 25711:TCP:BitComet 25711 TCP
"25711:UDP"= 25711:UDP:BitComet 25711 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-15 18:01]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-15 18:01]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-15 18:01]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-15 18:01]
R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 13:53]
R2 fsssvc;Windows Live OneCare Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 11:13]
R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2006-02-20 20:23]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Denton\Application Data\Mozilla\Firefox\Profiles\336j03un.default\
FF -: plugin - C:\Program Files\Google\Google Updater\2.1.886.21021\npCIDetect11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_04\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 11:08:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Denton\LOCALS~1\Temp\tzk3.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-20 11:10:29 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-20 10:10:22

Pre-Run: 49,285,365,760 bytes free
Post-Run: 49,274,630,144 bytes free

202      --- E O F ---      2008-08-19 06:54:44
     
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:52, on 20/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212699456134
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212699446741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: lxcy_device -   - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 9162 bytes

rpggamergirl -

Yes -
Malwarebytes removed the service (and restored correct DNS processing).
ComboFix appears to have removed the remaining TDSSSERV registry entries.  
I did wonder about hidden services but didn't put two and two together. So many people post HJT logs online that it seems daft that all you have to do to avoid detection is to hide your service! I notice that
Malwarebytes removed a number of hidden directories too (AV9 etc).

I have added Malwarebytes, FixIEDef and ComboFix to my arsenal of tools.
Rootkit searches should help to identify hidden objects (I note that AVG free greyed out Rookit scanning)

For your points (as in my original question), how to I interrogate my DNS environment to determine which servers are being used (e.g the ones in the TDSS registry entry) -
HKEY_LOCAL_MACHINE\SOFTWARE\tdss\connections]
"75.125.49.243"=hex(0):
"70.86.6.242"=hex(0):

NSLOOKUP pointed to my router (192.168.100.1). Is this meaningful, or was the DNS server address dynamically substituted by TDSSSERV.sys or similar component?    

Sorry for my late reply.

Here's a writeup on that rootkit, see if it answers some of your questions.
http://www.threatexpert.com/report.aspx?uid=7c1ed8e8-aed9-4adc-a6c8-24d5956de9e3

Thank you, but did you actually review it? It is a comprehensive list of what the infection contains, but there is absolutely no information about how it works, no information about rootkit infections, and no information about DNS modifications.  

Sorry, no, I don't know how that rootkit or trojan function. Hope someone knows and post here.

I am grateful to rpgamergirl and others for their input, which has enabled me to remove the infection(s).
However, my original question remains unanswered.

Given that the iinfection was from multiple sources, not just XP Antivirus, and that the prominent problem was probably due to the DNS changer infection, I originally asked how the "DNS modification" was being done and how I could interrogate my TCP/IP and/or DNS environment to determine what DNS values were actually being used (DNS lookup resolved to 192.168.100.1 - my router)

The IP addresses in the removed TDSS infection (see MBAM log) are likely candidates for the redirection values, and if I could have determined that these values were actually being used (and therefore not my router or ISP DNS addresses), I could have searched the registry manually and found evidence of the TDSS infection.  This would have enabled me to then search more intelligently for a removal tool that was relevant to the infection, and not just run Spybot et al in the search for a cure.

I see that I can accept multiple solutions, but is it possible to award partial points now and await a  further solution?      
 

Vee Mod

Perhaps it was my mistake too. I thought I had selected appropriate zone(s) when I opened the question!
I am happy to close this and ask a related question (can't see how I do this?).  

Your comment regarding expert filtering is very interesting. I selected 250 points as the problem was not very urgent. However, as you point out, this may have hindered me finding a solution. Perhaps it is a fact of life that we 'askers' must compete for experts attention, but it seems wrong that people in need of help have to outbid their peers in order to get noticed :-)

I award 250 points to rpggamergirl (sorry for mis-spelling your name twice!!) and am off to ask that related question. Thank you to all who took the time to help.  

Thanks for hangin' in there. I only marked it good coz the removal solution wasnt what I actually needed but obviously it did the job. Ta very much.  

Ok - found the related question link now!!!

Sorry I couldn't be of much help.

Thanks for the points, very kind of you, I appreciate it.