Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown virus blocks all search engines and AV/malware software


  • This topic is locked This topic is locked
2 replies to this topic

#1 brokenman

brokenman

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 13 August 2009 - 12:10 AM

Earlier today...about 12 long hours ago...I had a sudden string of non-stop, hard-to-kill pop-ups while browsing using IE7. Most of them were fake anti-virus alert pop-ups. As soon as I got all the pop-ups killed, I tried to run malwarebytes but it would not run (no error, no window, nothing happened). I then ran ccleaner just to clear out the cache in hopes it was something simple. I then decided to run a full AV scan using Trend Micro which is my default AV software and firewall. It would not run either - the interface would not open, no errors given. I ran Hijack but didn't see anything odd (although I am not an expert obviously). Then the fun began...

I searched for something on google using IE7. The google.com page is fine and I can type in my search terms but hitting enter returns a blank white page. I did a little experimenting with various search engines (google, yahoo, MSN/bing, altavista, and dogpile) with IE7, Firefox, and Opera. In every case, the same result - blank white page when search results are expected. In Firefox and Opera, I can see the search results if I set page style to "no style" (Firefox) or to "user mode" (Opera). Any web page that is not search results is fine.

I checked the source on all of these pages and they all have this as the very top line:

<div id="lasbd128cf8dsa" style="height:3000px;width:2000px;left:0px;top:0px;position:absolute;z-index:99999;background:#FFFFFF;"></div>

...which results in a nice white screen covering everything else.

I thoroughly searched my computer for lasb128cf8dsa but found nothing. On a 2nd computer I searched the term and found that a few other people have encountered the same thing but no one had a solution for getting rid of it. Something has hijacked all my browsers but only when doing a search.

Since the malwarebytes would not run, I tried to run spybot s&d but it would not run. I downloaded a new version of Spybot but it would crash (BSOD) near the end of the installation. I was finally able to download and run spyware doctor. It found something it called Trojan.FakeAlert and quarantined 82 items. It also found Rootkit.TDSS that it blocked.

I ran the McAfee and Norton online scanners and found nothing. The Kapersky java scanner locked up without finishing.

I spent some time trying to make a boot disk with UBCD4Win to dig into some things but this computer is a Dell running Vista and I am having issues with the burned CD getting the setupreg.hiv file right.

So here I am. 2 main issues: (1) I can't run most malware/AV programs to dig out the problem. Mostly when I run them, the program acts like it starts but nothing happens, no new window opens. Or I double click or right click then open and nothing happens at all. (2) All search engine results are blocked by this <div> command that throws up a white screen.

Following is result of running dds.scr and attached is the attach.txt from dds. Thanks in advance for your help.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 0:13:15.10 on Thu 08/13/2009
Internet Explorer: 7.0.6002.18005

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070723
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070723
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070723
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5707/mcfscan.cab
TCP: {2BEAA586-01D0-48B7-98EF-9B7072FF0F51} = 24.25.5.148,24.25.5.147
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\1ydqq35q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\mike\appdata\local\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-12 23:34 53,248 a------- C:\Process.exe
2009-08-12 22:15 <DIR> --d----- c:\program files\Windows Resource Kits
2009-08-12 22:08 <DIR> --d----- c:\program files\Alex Feinman
2009-08-12 21:18 <DIR> --d----- C:\UBCD4Win
2009-08-12 18:15 <DIR> --d----- c:\temp\google
2009-08-12 18:15 <DIR> --d----- C:\temp
2009-08-12 18:09 <DIR> --d----- c:\programdata\WindowsSearch
2009-08-12 17:32 <DIR> --d----- c:\windows\McAfee.com
2009-08-12 17:14 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-12 17:13 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-12 17:13 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-12 17:13 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-12 17:13 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-12 17:13 <DIR> a-d----- c:\programdata\TEMP
2009-08-12 17:13 <DIR> --d----- c:\users\mike\appdata\roaming\PC Tools
2009-08-12 17:13 <DIR> --d----- c:\programdata\PC Tools

2009-08-12 17:13 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-12 17:13 <DIR> --d----- c:\progra~2\PC Tools
2009-08-12 17:13 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-08-12 17:13 <DIR> --d----- c:\programdata\Norton
2009-08-12 17:13 <DIR> --d----- c:\program files\Norton Security Scan
2009-08-12 17:13 <DIR> --d----- c:\progra~2\Norton
2009-08-12 17:13 <DIR> --d----- c:\programdata\NortonInstaller
2009-08-12 17:13 <DIR> --d----- c:\program files\NortonInstaller
2009-08-12 17:13 <DIR> --d----- c:\progra~2\NortonInstaller
2009-08-12 17:12 <DIR> --d----- c:\programdata\Google Updater
2009-08-12 14:39 2,000 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2009-08-12 14:39 2,000 a---h--- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2009-08-12 14:00 214,231,252 a------- c:\windows\MEMORY.DMP
2009-08-12 13:58 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-12 13:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-12 13:58 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-10 08:59 <DIR> --d----- c:\users\mike\appdata\roaming\Broad Intelligence
2009-08-04 12:52 828,416 a------- c:\windows\system32\wininet.dll
2009-08-04 12:52 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-26 14:29 54,776 a------- c:\windows\system32\drivers\mozy.sys
2009-07-25 15:43 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-25 15:43 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-25 15:43 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-25 15:43 23,552 a------- c:\windows\system32\lpk.dll
2009-07-25 15:43 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-18 18:11 1,220,120 a------- c:\windows\system32\drivers\vsapint.sys
2009-07-18 18:11 225,296 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-07-18 18:11 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys

==================== Find3M ====================

2009-08-03 20:31 34 a------- c:\users\mike\jagex_runescape_preferences.dat
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-27 08:46 51,200 a------- c:\windows\inf\infpub.dat
2009-05-27 08:46 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-27 08:46 143,360 a------- c:\windows\inf\infstor.dat
2009-05-27 08:33 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-03 07:54 336 a------- c:\program files\temp995.bat
2008-03-25 23:16 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 08:43 27,648 ---sh--- c:\windows\system32\Smab0.dll

============= FINISH: 0:15:19.34 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 brokenman

brokenman
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 17 August 2009 - 08:34 PM

Sorry guys, I couldn't wait. I know that you're quite busy and so I took this on myself since this ain't my first rodeo. After about 30 hours of research and running about every antispyware and antivirus logging program I could find and researching every unlikely looking file or registry entry, I found a very ugly variant of TDSS hidden away and holding on tight. I did a lot of removal manuevers, ended up with UBCD4Win to drag out most of it. In the end, I decided that this computer was compromised beyond my liking and so I went the 'nuke it' route. A complete hard drive wipe and Vista re-install. Now I can sleep better at night.

By the way, I have decided that my original problem occured because my Trend Micro internet security stopped working on the renewal date of July 31. I understand not giving me any updates when I don't renew but I own the dang software. Trend Micro shuts down and doesn't do anything at the end of your "subscription". That is crap. For some years, I have considered Trend Micro to be the absolute best AV software but no more. That's all I'm gonna say about that.

Anyway, you can ignore my plea for help. IMHO, wipe and re-install for major corruptions is the only way to go. Thanks much...

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 33,610 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:29 PM

Posted 21 August 2009 - 10:48 PM

Hello

Thank you for letting us know. Sometimes reinstalling is the best and quickest solution. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :thumbup2:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users