
Google hijacks, IE errors, and more


  • This topic is locked
3 replies to this topic

#1 blackirish


  • Members
  • 11 posts

Posted 04 January 2010 - 06:50 PM

Any help is appreciated. I was able to isolate the program that kept launching "Malware Defense" pop-ups. However, I keep getting IE error messages and I don't even have IE open. It's really bizarre.


Thanks again...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 awareremover2009.com
O1 - Hosts: 91.212.127.227 www.awareremover2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\Patrick\LOCALS~1\Temp\settdebugx.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3805 bytes
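The HijackThis report above puts three of the first things a responder reads side by side: O1 hosts entries that send awareremover2009.com to 91.212.127.227 instead of loopback, an O4 Run entry (settdebugx.exe) launched out of the user's Temp folder, and an O23 service (PsaSrv) whose binary is marked file missing. The Python below is an added example, not code from the original post or from HijackThis: it parses O1/O4/O23 lines and returns one finding per rule violation. The sample log is a subset of the report above; the rule set (hosts entries may only point at a loopback address, autoruns may not start from a Temp folder or load a DLL via rundll32, services may not point at missing files) is this example's own assumption about what to check first.

```python
"""Flag the HijackThis tells visible in the report above.

Added example, not code from the original post or from HijackThis.  The sample
lines are copied from the report in this thread; the rule set is this example's
own assumption about what a responder checks first:
  O1  hosts entries may only map names to a loopback address
  O4  autoruns must not start from a Temp folder or load a DLL via rundll32
  O23 a service whose binary is "(file missing)" needs explaining
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O1/O4/O23 lines posted in this thread.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 awareremover2009.com
O1 - Hosts: 91.212.127.227 www.awareremover2009.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\Patrick\LOCALS~1\Temp\settdebugx.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s+(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'^"?rundll32(\.exe)?"?\s', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # O1, O4 or O23
    reason: str
    line: str


def hosts_finding(ip_text, hostname, line):
    """A hosts entry is benign only when it points a name at loopback (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return Finding("O1", f"unparseable address {ip_text!r}", line)
    if addr.is_loopback:
        return None
    return Finding("O1", f"{hostname} is redirected to {addr}", line)


def run_finding(hive, name, command, line):
    """Autoruns started from a Temp folder or via rundll32 are how droppers persist."""
    if TEMP_DIR_RE.search(command):
        return Finding("O4", f"{hive} autorun [{name}] starts from a Temp folder", line)
    if RUNDLL_RE.match(command):
        return Finding("O4", f"{hive} autorun [{name}] loads a DLL through rundll32", line)
    return None


def service_finding(display, owner, path, line):
    """HijackThis appends '(file missing)' when the registered service binary is gone."""
    if path.lower().endswith("(file missing)"):
        return Finding("O23", f"service {display!r} points at a missing binary", line)
    return None


def triage(log_text):
    """Return the findings for every O1/O4/O23 line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            f = hosts_finding(m.group(1), m.group(2), line)
        elif m := RUN_RE.match(line):
            f = run_finding(*m.groups(), line)
        elif m := SERVICE_RE.match(line):
            f = service_finding(*m.groups(), line)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n      {f.line}")
```

The ::1 localhost entry is deliberately not flagged: both IPv4 and IPv6 loopback are normal, and a rule that fires on every hosts line gets ignored in practice. The rundll32 rule is there because the DDS report later in this thread shows exactly that pattern (an mRun entry loading a system32 DLL through Rundll32.exe), even though the HijackThis log above has no such O4 line.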



#2 blackirish

  • Topic Starter

  • Members
  • 11 posts

Posted 08 January 2010 - 02:38 AM

Google redirects from Firefox
IE pop-ups when I don't have IE running
Rebooting problems
Anti-Malware won't run
Ad-Aware is the only spyware program I can run, but it doesn't find anything.

Help Is Appreciated. Thanks!

*update*
Now getting a cannot find "logon.exe" error, as well as a "bodalene.dll" one.
Having lots of startup issues; it usually takes about three or four tries to get Windows to restart.

DDS and RootRepeal Logs:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Patrick at 1:30:16.54 on Fri 01/08/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1504 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Patrick\Desktop\downloads\dds.scr
C:\WINDOWS\system32\rundll32.exe

============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer.exe logon.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [settdebugx.exe] c:\docume~1\patrick\locals~1\temp\settdebugx.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\1.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [zagajirev] Rundll32.exe "c:\windows\system32\bodalene.dll",a
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: wigenupa.dll c:\windows\system32\bodalene.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: bedoziwom - {972eb64e-d5f4-4635-9e05-5168b62f6baa} - c:\windows\system32\bodalene.dll
STS: mujuzedij: {972eb64e-d5f4-4635-9e05-5168b62f6baa} - c:\windows\system32\bodalene.dll
LSA: Notification Packages = scecli pwdmon putevama.dll
Hosts: 91.212.127.227 awareremover2009.com
Hosts: 91.212.127.227 www.awareremover2009.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\q827ekdl.default\
FF - prefs.js: browser.startup.homepage - hxxp://streak.espn.go.com/|http://www.facebook.com/home.php
FF - component: c:\documents and settings\patrick\application data\mozilla\firefox\profiles\q827ekdl.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\patrick\application data\mozilla\firefox\profiles\q827ekdl.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-3 64288]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-2 53248]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2002-2-20 72576]

=============== Created Last 30 ================

2010-01-04 06:37:53 0 d-----w- c:\program files\Trend Micro
2010-01-04 05:47:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-04 04:43:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-04 04:35:26 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-04 04:35:12 0 d-----w- c:\program files\Lavasoft
2010-01-04 02:53:15 0 d-----w- c:\docume~1\patrick\applic~1\QuickScan
2010-01-04 01:13:28 0 d-s---w- c:\documents and settings\patrick\UserData
2010-01-04 00:11:19 178176 ----a-w- c:\windows\system32\unrar.dll
2010-01-04 00:11:18 0 d-----w- c:\program files\K-Lite Codec Pack
2010-01-04 00:03:46 857 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-04 00:02:29 202 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-27 11:06:22 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\bodalene.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\putevama.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\wigenupa.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\zevihami.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\zitotela.dll

============= FINISH: 1:31:51.76 ===============





ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/08 01:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: H8SRTuqxuxotjww.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTuqxuxotjww.sys
Address: 0xA95F1000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8471000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmbgfuwvhwf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmjniwthxnk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRToparssrnge.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTusmbprabje.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT33ad.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT490a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRT8ad2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\H8SRTae68.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Perflib_Perfdata_d68.dat
Status: Invisible to the Windows API!

Path: c:\documents and settings\localservice\ntuser.dat
Status: Size mismatch (API: 262144, Raw: 229376)

Path: c:\documents and settings\networkservice\ntuser.dat
Status: Size mismatch (API: 262144, Raw: 229376)

Path: C:\WINDOWS\system32\drivers\H8SRTuqxuxotjww.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\security\logs\convert.log
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Patrick\Local Settings\Temp\H8SRT1a46.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Patrick\Local Settings\Temp\h8srtmainqt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GHY309IV\google[1]
Status: Invisible to the Windows API!

Path: c:\documents and settings\patrick\local settings\application data\mozilla\firefox\profiles\q827ekdl.default\cache\_cache_001_
Status: Size mismatch (API: 249505, Raw: 227383)

Path: c:\documents and settings\patrick\local settings\application data\mozilla\firefox\profiles\q827ekdl.default\cache\_cache_002_
Status: Size mismatch (API: 274949, Raw: 180330)

Path: c:\documents and settings\patrick\local settings\application data\mozilla\firefox\profiles\q827ekdl.default\cache\_cache_003_
Status: Size mismatch (API: 497145, Raw: 484991)

Path: C:\Documents and Settings\Patrick\Local Settings\Application Data\Mozilla\Firefox\Profiles\q827ekdl.default\Cache\9584C7D7d01
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRToparssrnge.dll]
Process: svchost.exe (PID: 936) Address: 0x00990000 Size: 69632

Object: Hidden Module [Name: H8SRTusmbprabje.dll]
Process: svchost.exe (PID: 936) Address: 0x00c20000 Size: 65536

Object: Hidden Module [Name: H8SRTmbgfuwvhwf.dll]
Process: firefox.exe (PID: 1092) Address: 0x015d0000 Size: 151552

Object: Hidden Module [Name: H8SRTmbgfuwvhwf.dll]
Process: Iexplore.exe (PID: 3268) Address: 0x01220000 Size: 151552

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTuqxuxotjww.sys

==EOF==



Thanks!


Edited by Orange Blossom, 08 January 2010 - 03:24 PM.
Merged topics. ~ OB
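The second post carries two different kinds of evidence. The DDS report lists the persistence points: a Winlogon Shell value of "Explorer.exe logon.exe" instead of plain Explorer.exe, an AppInit_DLLs entry, a third DLL in the LSA Notification Packages list, and system32 DLLs with a 1601-01-01 timestamp (a zero FILETIME) and system+hidden attributes. The RootRepeal output is a cross-view comparison: a driver and several files that exist on disk but are invisible through the Windows API, a hidden service, and the same module hidden inside svchost.exe, firefox.exe and Iexplore.exe. The Python below is an added example, not code from the original post, from DDS or from RootRepeal. It checks a subset of the DDS lines above against a baseline and parses a subset of the RootRepeal records, clustering the hidden names by shared prefix so the driver, the service and the injected module are tied together as one family. The baseline values (Shell exactly Explorer.exe, empty AppInit_DLLs, only scecli in Notification Packages) are this example's assumptions for a stand-alone XP machine, not something the thread states.

```python
"""Cross-check the DDS report and the RootRepeal output from the second post.

Added example; not code from the original post, from DDS or from RootRepeal.
Samples are subsets of the lines posted above.  Baseline assumed for a
stand-alone Windows XP machine: Winlogon Shell is exactly Explorer.exe,
AppInit_DLLs is empty, LSA Notification Packages holds only scecli, no system32
file carries a zero FILETIME (1601-01-01) or system+hidden attributes.  Hidden
RootRepeal objects are clustered by name prefix to tie driver, service and
injected module together.
"""
import os
import re
from collections import defaultdict

SAMPLE_DDS = r"""
mWinlogon: Shell=Explorer.exe logon.exe
AppInit_DLLs: wigenupa.dll c:\windows\system32\bodalene.dll
LSA: Notification Packages = scecli pwdmon putevama.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\bodalene.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\putevama.dll
"""
SAMPLE_ROOTREPEAL = r"""
Name: H8SRTuqxuxotjww.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTuqxuxotjww.sys
Status: Hidden from the Windows API!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\H8SRTmbgfuwvhwf.dll
Status: Invisible to the Windows API!

Path: c:\documents and settings\localservice\ntuser.dat
Status: Size mismatch (API: 262144, Raw: 229376)

Object: Hidden Module [Name: H8SRTmbgfuwvhwf.dll]
Process: firefox.exe (PID: 1092) Address: 0x015d0000 Size: 151552

Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTuqxuxotjww.sys
"""
EXPECTED_SHELL = "explorer.exe"
EXPECTED_LSA_PACKAGES = {"scecli"}
FILE_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \d+ (\S{8}) (.+)$")  # date time size attrs path

def check_dds(text):
    """Return one message per DDS line that departs from the assumed baseline."""
    out = []
    for raw in text.splitlines():
        line, low = raw.strip(), raw.strip().lower()
        if low.startswith("mwinlogon: shell="):
            shell = line.split("=", 1)[1].strip()
            if shell.lower() != EXPECTED_SHELL:  # any extra token runs at every logon
                out.append(f"Winlogon Shell is {shell!r}, expected {EXPECTED_SHELL!r}")
        elif low.startswith("appinit_dlls:"):
            if dlls := line.split(":", 1)[1].split():  # loaded into every user32 process
                out.append(f"AppInit_DLLs injects {dlls}")
        elif low.startswith("lsa: notification packages ="):
            extra = [p for p in line.split("=", 1)[1].split()
                     if p.lower() not in EXPECTED_LSA_PACKAGES]
            if extra:  # such DLLs are handed every plaintext password change
                out.append(f"unexpected LSA notification packages {extra}")
        elif m := FILE_LINE_RE.match(line):
            date, attrs, path = m.groups()
            if date.startswith("1601-01-01") or ("s" in attrs and "h" in attrs):
                out.append(f"timestomped or system+hidden file {path} ({date} {attrs})")
    return out

def parse_rootrepeal(text):
    """Each blank-line-separated block becomes a dict of its 'Key: value' lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(l.strip().partition(": ")[::2] for l in block.splitlines() if ": " in l)
        if rec:
            yield rec

def cluster_by_prefix(names, min_len=4):
    """Group names sharing min_len leading chars, labelled by their full common prefix."""
    groups = defaultdict(list)
    for n in sorted({n.lower() for n in names if len(n) >= min_len}):
        groups[n[:min_len]].append(n)
    return {os.path.commonprefix(m): m for m in groups.values() if len(m) > 1}

def analyze_rootrepeal(text):
    """Split RootRepeal's cross-view results into buckets and cluster hidden names."""
    hidden, mismatched, injected, services = [], [], [], []
    for rec in parse_rootrepeal(text):
        status, path = rec.get("Status", ""), rec.get("Path") or rec.get("Image Path")
        if "Service Name" in rec:
            services.append((rec["Service Name"], rec.get("Image Path", "")))
        elif "Object" in rec and (m := re.search(r"\[Name: (.+?)\]", rec["Object"])):
            injected.append((m.group(1), rec.get("Process", "")))
        elif path and ("Hidden from" in status or "Invisible to" in status):
            hidden.append(path)  # present on disk, filtered out of the API view
        elif path and status.startswith("Size mismatch"):
            mismatched.append(path)  # weak alone: open hives and caches do this
        # "Locked to the Windows API" (hiberfil.sys, pagefile.sys) is expected.
    base = lambda p: p.rsplit("\\", 1)[-1]
    names = [base(p) for p in hidden] + [n for n, _ in injected] + [n for n, _ in services]
    return {"hidden": hidden, "size_mismatch": mismatched, "injected": injected,
            "hidden_services": services, "clusters": cluster_by_prefix(names)}
```

Size mismatches are kept in their own bucket on purpose: the API-versus-raw size of an open registry hive or a browser cache file changes while RootRepeal reads it, so those lines support the other findings rather than standing alone. Objects that are on disk but invisible to the Windows API have no such benign explanation, and when four of them share a five-character prefix and one of them is both a hidden driver and the image of a hidden service, the cluster is the rootkit, not a coincidence.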


#3 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 09 January 2010 - 09:51 AM

Hi,

uTorrent
Soulseek


Both of the programs listed above are P2P file sharing programs. P2P downloads are nowadays one of the most likely ways for an infection to get into the system. My recommendation is to uninstall these (and any other P2P file sharing programs, if present).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 16 January 2010 - 06:41 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





