Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I do not know what I am infected with

  • This topic is locked This topic is locked
2 replies to this topic

#1 lorensfish


  • Members
  • 11 posts
  • Local time:10:36 AM

Posted 14 July 2009 - 12:45 PM

H- I have been working with Rigel who has turned me over to you guys assuring me that I will be in good hands.

The main symptom is that I get redirected to ad pages from the Google search page instead of going to the actual link that I clicked on. I also find that my computer gets locked up after using it for a short while and I have to reboot. When I try to end a program sometimes I get a message that the program is not responding.
Please read on and check my original topic.

This is my original topic from 7/11 in the "Am I infected? What do I do?" forum

I am at my wits end.

I have an HP pavillion notebook
Windows XP Media Edition Service Pak 3
Mozilla Firefox 3.0
Internet Explorer 7 (I keep to work in quicken)
Spyware Doctor 6, Malwarebytes, Ad Aware Aniversery Edition, Hijack This, and recently added Avira.

I have been trying to fix this problem for the past several days. The first time I saw this problem was a couple months ago, I downloaded Malwarebytes, ran it and the problem appeared to have gone away just like that!!Well its back and its much worse. The first signs were that my internet seem to get sluggish and at some points stuck. Then Spy Dr Intelliguard started giving me several alerts about malicious or bad files trying to start which I blocked as recommended. I did a scan with Spy Dr and it found nothing. Then I started getting an alert regarding trojan.tdsserv and no matter if I blocked it or quarantined it, the alert continued. I tried to run Malwarebytes and it would not open. I found and downloaded Avira and did a scan, which found and removed several items (see log below). Rebooted computer, Malwalbytes now worked, ran it and ir found nothing - however, the alert for trojan.tdsserv continued with Spy Dr. I uninstalled and reinstalled Spy Dr. and the alert has not reappeared. I am still having internet issues - I now cannot search on google (the page just gets stuck) and before that links clicked on from google were being redirect to ad pages. Avira has also alerted me to HEUR/HTML.Malware which I have quarantined.

So in order to get you up to speed to go to my original topic. http://www.bleepingcomputer.com/forums/t/240701/hidden-objects-in-registryredirecting-from-google-search/

"Hidden objects in registry/redirecting from google"

Since this time I have been backing up my files and when I tried to back up my Outlook 2007 it froze up and now it will open but it freezes up and I can't do anything on it. Also the mouse arrow will not show when passing over the outlook screen. I ran the repair for microsoft office, however it did not help.

Here is the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Cindy J at 10:05:08.21 on Tue 07/14/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1356 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\1st Clock\1stClock.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Cindy J\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/webhp?rls=ig
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: UIHost=sevenui.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [DrvIcon] c:\program files\vista drive icon\DrvIcon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\cindyj~1\startm~1\programs\startup\1stclo~1.lnk - c:\program files\1st clock\1stClock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoStrCmpLogical = 00000000
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0C62E22E-5A2E-413F-802A-6135C3ACBBBE} - hxxps://www.fedex.com/downloads/woascab/woas.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235706145578
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://olympus.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://olympus.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DC11F230-5717-4C25-BAD7-37B879C19655} - hxxp://wavacindy.myphotoalbum.com/ImageUploader4.cab
TCP: {024972E9-8E0F-47E5-AA0C-C8F45D851479} =,
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cindyj~1\applic~1\mozilla\firefox\profiles\mp6tzcuk.default\
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - component: c:\documents and settings\cindy j\application data\mozilla\firefox\profiles\mp6tzcuk.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-23 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-10 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-7-10 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-7-10 39200]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-7-10 159600]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-7-10 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-7-10 434945]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 gupdate1c98b9c2077e17a;gupdate1c98b9c2077e17a;"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 AdobeActiveFileMonitor;AdobeActiveFileMonitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1005904]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-7-10 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-10 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-10 1095560]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-7-10 33056]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S4 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-07-13 17:11 --d----- c:\program files\Cobian Backup 8
2009-07-12 09:55 --d----- c:\program files\common files\eSellerate
2009-07-12 08:52 --d----- c:\docume~1\alluse~1\applic~1\WEBREG
2009-07-12 08:50 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-07-12 08:50 49,920 a----r-- c:\windows\system32\drivers\HPZid412.sys
2009-07-12 08:49 364,544 a----r-- c:\windows\system32\hppldcoi.dll
2009-07-12 08:49 309,760 a----r-- c:\windows\system32\difxapi.dll
2009-07-12 08:49 21,568 a----r-- c:\windows\system32\drivers\HPZius12.sys
2009-07-10 17:38 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-07-10 17:38 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-07-10 17:38 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-07-10 17:38 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-07-10 17:19 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-10 17:19 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-10 17:19 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-10 17:19 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-10 17:19 --d----- c:\program files\common files\PC Tools
2009-07-10 17:19 --d----- c:\program files\Spyware Doctor
2009-07-10 17:19 --d----- c:\docume~1\cindyj~1\applic~1\PC Tools
2009-07-10 14:36 --d----- c:\docume~1\cindyj~1\applic~1\Avira
2009-07-10 14:22 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 14:22 --d----- c:\program files\Avira
2009-07-10 14:22 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-09 09:13 --d----- c:\docume~1\cindyj~1\applic~1\Messenger
2009-07-09 09:13 --d----- c:\docume~1\cindyj~1\applic~1\pridl
2009-06-14 11:08 --d----- c:\program files\FastPictureViewer

==================== Find3M ====================

2009-07-12 08:52 144,078 a------- c:\windows\hpoins16.dat
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-06 12:00 1,970 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-04-25 03:12 348,161 a------- c:\windows\system32\viwc.exe
2009-03-27 11:04 302 a------- c:\program files\temp995.bat
2008-12-27 12:56 1,516 a------- c:\docume~1\cindyj~1\applic~1\wklnhst.dat
2007-12-27 11:45 22 a--sh--- c:\windows\sminst\HPCD.sys
2007-05-04 18:16 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-31 18:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033120090401\index.dat

============= FINISH: 10:06:43.70 ===============

Attached Files

Edited by lorensfish, 14 July 2009 - 01:00 PM.

BC AdBot (Login to Remove)



#2 lorensfish

  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:36 AM

Posted 20 July 2009 - 09:07 PM

Hello -

I have decided to hand my laptop over to the person (PC Tech) who just fixed my husband's desktop (the intitial spreader of the "ITD"). Basically we ended up having to wipe it completly clean. My computer being in a much bigger fix I decided to just give in and pay the price.

I think you guys are great for taking the time to help so many people and I really wish I could have waited it out.

Thank you so much for all the help so far....... :thumbup2:


PS - the hubby's computer came back in great shape - like new!!

Edited by lorensfish, 20 July 2009 - 09:10 PM.

#3 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:36 PM

Posted 22 July 2009 - 09:18 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users