Google misdirects and Rootkit.TDSS - help!

#1 gouzel


Posted 30 October 2009 - 06:43 PM


I apologize if I'm doing this incorrectly... I tried to read the appropriate posts!

I'm running Windows XP Home Edition on a Dell Vostro laptop. The computer is crucial for my work.

Earlier today I began to experience misdirects from Google in Firefox - clicking on links often sent me to an advertisement, usually one related to my search. Sometimes clicks sent me to results from a different, obscure search engine (there were a variety of these). The problem also occurred with Internet Explorer. This seemed like a bad sign.

I have Malwarebytes Anti-Malware installed, so I ran a quick scan.

4 infected files and 1 infected registry key were found, and the results mentioned rootkit.tdss

The Malwarebytes log is below, below the DDS report. After attempting to fix the problems through Malwarebytes, I rebooted as instructed. Unfortunately, I was still experiencing Google misdirects. I ran the Malwarebytes quick scan again, and it found nothing. At some point in this process I tried clearing my search history and cookies in Firefox.

I then downloaded HijackThis and ran it and started reading about Rootkit.tdss. It all sounded complicated and difficult. Uh-oh.

Finally I made a post here, but followed the wrong protocol. I hope I'm doing it correctly now. The DDS report is below, and the attach.txt is attached.

Right now, the computer seems to be working reasonably well, but I am worried things will get worse. I'm even afraid to reboot!

Any suggestions?

Thanks so much...

DDS (Ver_09-10-26.01) - NTFSx86
Run by mockingbird at 19:28:43.68 on Fri 10/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.164 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\SBLive 24-Bit External\Entertainment Center\EAXLoadr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\help me\mbam.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\mockingbird\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.vtcommonsschool.org/TSWeb/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070908
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [EPSON_UD_START] "c:\program files\epson projector\epson usb display v1.4\EMP_UD.exe" -UDCONNECT
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\help me\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228961226265
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://mail.vtcommonsschool.org/TSWeb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mockin~1\applic~1\mozilla\firefox\profiles\pvrbgl7p.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\mockingbird\application data\mozilla\firefox\profiles\pvrbgl7p.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071300000040.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-20 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 EMP_UDSA;EMP_UDSA;c:\program files\epson projector\epson usb display v1.4\EMP_UDSA.exe [2009-5-5 94208]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [2009-5-5 17664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-20 38224]
S3 CEUSBAUD;Lambda MIDI Device;c:\windows\system32\drivers\ceusbaud.sys [2003-11-1 17920]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [2001-11-27 10880]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2005-6-9 1694592]

=============== Created Last 30 ================

2009-10-30 20:26:59 0 d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2009-10-30 12:40:27 181231 ----a-w- c:\windows\system32\nvModes.dat
2009-10-12 18:56:03 3582 ----a-w- c:\docume~1\mockin~1\applic~1\wklnhst.dat
2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:49:02 668672 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:49:02 628224 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:49:02 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 05:49:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:49:01 532480 ------w- c:\windows\system32\dllcache\mstime.dll
2009-09-25 05:49:01 449024 ------w- c:\windows\system32\dllcache\mshtmled.dll
2009-09-25 05:49:01 39424 ------w- c:\windows\system32\dllcache\pngfilt.dll
2009-09-25 05:49:01 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:49:01 146432 ------w- c:\windows\system32\dllcache\msrating.dll
2009-09-25 05:48:59 96256 ------w- c:\windows\system32\dllcache\inseng.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:48:59 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 05:48:59 55808 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 05:48:59 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-09-25 05:48:59 16384 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-09-25 05:48:58 357888 ------w- c:\windows\system32\dllcache\dxtmsft.dll
2009-09-25 05:48:58 205312 ------w- c:\windows\system32\dllcache\dxtrans.dll
2009-09-25 05:48:58 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 05:48:58 1054208 ------w- c:\windows\system32\dllcache\danim.dll
2009-09-25 05:48:57 1024000 ------w- c:\windows\system32\dllcache\browseui.dll
2009-09-18 09:46:06 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-06 23:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 23:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 23:24:10 35552 ----a-w- c:\windows\system32\dllcache\wups.dll
2009-08-06 23:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 23:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-06 23:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 23:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:11:47 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 12:51:17 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 12:49:00 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:49:00 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 12:02:00 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-04 12:02:00 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 12:02:00 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

============= FINISH: 19:29:50.37 ===============

#2 htv8


Posted 06 November 2009 - 12:35 PM

Hello gouzel, and welcome to BleepingComputer.com! I will be helping you get cleaned up. :) We apologize for the delay in responding to your request for help. Here at BleepingComputer.com we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

Please take note of some guidelines for this fix:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running extra scanners or fix programs not requested by me: doing so could change the results in the reports I request.
  • The process is not instant: even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean. We do not want to clean you part-way, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please stop and ask your question(s) before proceeding with the fixes. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If for any reason you cannot complete instructions within that time, that's fine, but please let me know: just post back here so that I know you are still here. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure. The topics you are tracking can be found here.
  • Please reply to this thread using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Reviewing your log(s) requires an amount of research, so please be patient. However, if I have not posted back within 24 hours, feel free to send me a Personal Message (PM) with your topic link.

Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Download and run GooredFix:
  • Download GooredFix from one of the locations below and save it to your Desktop.
  • Ensure all Firefox windows are closed.
  • To run the GooredFix tool, double-click GooredFix.exe.
  • When prompted to run the scan, click Yes. GooredFix will check for infections, and then a log will appear.
  • Please post the entire contents of that log in your next reply.
    NOTE: The log can also be found on your Desktop, called GooredFix.txt.
Check for rootkits with RootRepeal:

So in your next reply, please post the entire contents of:
  • GooredFix.txt
  • RootRepeal.txt

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

#3 htv8



Posted 11 November 2009 - 06:01 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.