Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware Defense - Google Updater Virus

  • This topic is locked This topic is locked
2 replies to this topic

#1 jonas343


  • Members
  • 22 posts
  • Local time:04:47 AM

Posted 28 December 2009 - 10:28 PM

This somehow downloaded itself onto my computer from a porn website that I "accidentally" visited and now constantly shows me a popup asking me to install "Malware Defense" which makes itself look like windows security center. Also, a strange audio track plays itself every so often, advertising Google Chrome. Very strange. Please help me get rid of this pest.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Joe at 21:47:24.73 on Mon 12/28/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1363 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Compal\Wow Video&Audio\WVAMain.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Joe\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [settdebugx.exe] c:\docume~1\joe\locals~1\temp\settdebugx.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [KTPWare] c:\program files\elantech\ktp.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Wow Video&Audio] c:\program files\compal\wow video&audio\WVAMain.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
mRun: [DeadAIM] rundll32.exe "c:\progra~1\aim95\\DeadAIM.ocm",ExportedCheckODLs
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\m9ja23ay.default\
FF - component: c:\program files\mozilla firefox\components\pbgk1_9.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2008-2-13 9856]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-28 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-28 112592]
S2 gupdate1c9baf928b57b18;Google Update Service (gupdate1c9baf928b57b18);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-12 24652]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-28 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-28 1141712]

=============== Created Last 30 ================

2009-12-29 02:04:59 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-29 02:04:58 882 ----a-w- c:\windows\RegSDImport.xml
2009-12-29 02:04:58 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-29 02:04:58 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-29 02:04:58 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-29 02:04:58 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-29 02:04:58 131 ----a-w- c:\windows\IDB.zip
2009-12-29 02:04:58 1152444 ----a-w- c:\windows\UDB.zip
2009-12-29 02:02:31 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-29 02:02:31 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-29 02:02:28 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-29 02:02:28 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-29 02:02:28 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-29 02:02:28 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-29 02:02:20 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-29 02:02:20 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-29 02:02:12 0 d-----w- c:\program files\Spyware Doctor
2009-12-29 02:02:12 0 d-----w- c:\program files\common files\PC Tools
2009-12-29 02:02:12 0 d-----w- c:\docume~1\joe\applic~1\PC Tools
2009-12-29 02:02:12 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-29 01:29:24 0 d-----w- c:\program files\Malware Defense
2009-12-29 01:15:58 671 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-29 01:14:57 124 ----a-w- c:\windows\system32\srcr.dat
2009-12-24 05:47:59 0 d-----w- c:\program files\Delta
2009-12-24 04:34:10 0 d-----w- c:\program files\Pcsx2
2009-12-14 01:53:54 0 d-----w- c:\program files\CRS
2009-12-11 05:33:30 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-11 05:33:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-12-20 00:57:44 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-20 00:57:35 189480 ----a-w- c:\windows\system32\PnkBstrB.exe

============= FINISH: 21:48:12.48 ===============

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/12/28 21:58
Program Version: Version
Windows Version: Windows XP SP3

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xAC726000 Size: 815104 File Visible: No Signed: -
Status: -

Name: H8SRThyuruypxws.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRThyuruypxws.sys
Address: 0xB0B91000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP7880
Image Path: \Driver\PCI_PNP7880
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6C92000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spsj.sys
Image Path: spsj.sys
Address: 0xF74D6000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: C:\hiberfil.sys

Attached Files

BC AdBot (Login to Remove)


#2 jonas343

  • Topic Starter

  • Members
  • 22 posts
  • Local time:04:47 AM

Posted 29 December 2009 - 03:51 AM

Problem resolved, used your uninstall guide, somehow i missed it before. Took 2 computers though, this thing is nasty.

Rkill did the job perfectly, thanks for that.

This seems to be a different version than the one you describe in the guide. It definitely uses IE, however it got installed through firefox w spybot teatimer running, which I thought was supposed to close IE's security holes. This version redirected all my attempts to search other websites, but only after forcing my computer to restart. The proxy fix didnt apply, the boxes were unchecked when I looked under IE's connection settings.

I do have one question though. This virus, or whatever it is, seemed rather "smart" in its ability to prevent me from removing it and also the random audio I would hear, which I know came through IE, requiring an internet connection. Is it possible that while I was connected to the internet it logged any of my email passwords? I want to be sure in case I need to change them.

Thanks again, you guys have helped me before, and sorry for the post before I found a way to fix it on my own. I only really need an answer to my question, but it is very low priority, answer any time you get around to it.

I really appreciate the work you guys do.


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,801 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:47 AM

Posted 29 December 2009 - 08:06 PM


Thank you for posting back. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users