
Unknown Malware Inducing Popups



#1 thecrc

thecrc

  • Members
  • 1 posts

Posted 05 April 2010 - 04:42 PM

I have some sort of malware on my XP machine. Ever since it has been infected, Google Chrome won't load any webpages; it just hangs on a loading screen. IE and Firefox will redirect any links clicked on through Google to random sites. Any help is appreciated.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris Cunningham at 14:53:15.10 on Mon 04/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.484 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Documents and Settings\Chris Cunningham\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris Cunningham\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\chris cunningham\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\chrisc~1\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\chris cunningham\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\chrisc~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: iydhhd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrisc~1\applic~1\mozilla\firefox\profiles\n6fwjnhh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\chris cunningham\application data\mozilla\firefox\profiles\n6fwjnhh.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\chris cunningham\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-5 217032]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-5 112592]
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2010-1-12 33792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-5 366840]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-6-27 625024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-5-6 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-5-6 3072]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-5 1142224]

=============== Created Last 30 ================

2010-07-02 20:30:36 272128 -c--a-w- c:\windows\system32\dllcache\bthport.sys
2010-07-02 20:30:36 272128 ----a-w- c:\windows\system32\drivers\bthport.sys
2010-07-02 20:29:58 0 d--h--w- c:\windows\$hf_mig$
2010-07-02 20:28:20 0 d-----w- c:\windows\I386
2010-04-05 16:23:00 0 ----a-w- c:\documents and settings\chris cunningham\defogger_reenable
2010-04-05 16:18:33 0 d-----w- c:\program files\Trend Micro
2010-04-05 13:38:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-05 13:38:06 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 13:38:06 0 d-----w- c:\docume~1\chrisc~1\applic~1\SUPERAntiSpyware.com
2010-04-05 06:43:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 06:43:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 06:43:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 06:38:16 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-05 06:17:16 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-05 06:17:15 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-05 06:17:15 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-05 06:17:15 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-05 06:17:15 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-05 06:17:15 131 ----a-w- c:\windows\IDB.zip
2010-04-05 06:17:15 1152444 ----a-w- c:\windows\UDB.zip
2010-04-05 06:17:14 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-05 06:14:36 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-05 06:14:36 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-05 06:14:29 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-05 06:14:29 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-05 06:14:29 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-05 06:14:29 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-05 06:14:14 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-05 06:14:14 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-05 06:13:59 0 d-----w- c:\program files\Spyware Doctor
2010-04-05 06:13:59 0 d-----w- c:\program files\common files\PC Tools
2010-04-05 06:13:59 0 d-----w- c:\docume~1\chrisc~1\applic~1\PC Tools
2010-04-05 06:13:59 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-05 05:16:37 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 05:16:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-05 05:05:36 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-05 05:03:36 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-05 04:51:46 0 d-sh--w- C:\RECYCLER(2)
2010-04-05 04:50:28 0 d-s---w- C:\ComboFix(2)
2010-04-05 04:17:32 0 d-----w- C:\cmdcons
2010-04-05 04:04:31 0 d-----w- c:\docume~1\chrisc~1\applic~1\QuickScan
2010-04-04 23:06:51 0 d-----w- c:\documents and settings\chris cunningham\IECompatCache
2010-04-04 23:05:56 0 d-----w- c:\documents and settings\chris cunningham\PrivacIE
2010-04-04 23:03:48 0 d-----w- c:\documents and settings\chris cunningham\IETldCache
2010-04-04 22:56:51 0 d-----w- c:\windows\ie8updates
2010-04-04 22:51:45 0 dc----w- c:\windows\ie8
2010-03-31 04:15:49 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-03-31 04:15:29 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-03-31 04:15:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-03-31 04:15:26 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-03-31 04:14:25 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-03-31 04:14:25 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-03-31 04:14:23 0 d-----w- c:\program files\Palm, Inc
2010-03-31 04:00:28 0 d-----w- c:\docume~1\chrisc~1\applic~1\CanuckSoftware
2010-03-31 03:58:48 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2010-03-31 03:58:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet(3).dll
2010-03-11 12:38:54 1168384 ----a-w- c:\windows\system32\urlmon(3).dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet(2).dll
2008-05-07 23:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

============= FINISH: 14:55:47.81 ===============


#2 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 08 April 2010 - 08:30 PM

Hello thecrc

Welcome to the Bleeping Computer Malware Removal Forum


Looks like you may be infected with the TDSS Rootkit.


Extract the file and run it.

Once completed, it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date).

Please post the content of that TDSSKiller log.

Please download Malwarebytes from Here or Here
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days
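Added example, not part of the thread above and not code from DDS, TDSSKiller or Malwarebytes: a small Python triage script for the "Pseudo HJT Report" section of a DDS log, written from the defender's side. It applies the heuristics a reviewer would use on the report posted in this thread: any non-empty AppInit_DLLs entry is flagged high (that registry value gets the named DLL loaded into every process that loads user32.dll, a persistence location legitimate software almost never needs); a BHO whose target reads "No File" is flagged medium; Run-key entries that give no directory, or whose value name mimics a different executable than the one launched, are flagged for review. The sample lines are copied from the report above (with a couple of ordinary entries kept to show what is not flagged); the `Finding` class, the severity scale and the regular expressions are my own choices, and a flag means "look at this", not "this is malicious".

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" in the thread,
# plus a few ordinary entries so the output shows what does NOT get flagged.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/ig
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: 1 (0x1) - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [msiexec.exe] msiconf.exe
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: iydhhd.dll
""".strip().splitlines()

# DDS line shapes handled here (my own regexes, derived from the report layout)
RUN_RE = re.compile(r"^[umd]Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+) - (?P<target>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>\S.*)$")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (my scale, not something DDS emits)
    line: str       # the report line that triggered the finding
    reason: str     # why a reviewer should look at it


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, unquoting if needed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(lines):
    """Apply the heuristics to report lines and return findings, worst first."""
    findings = []
    for raw in lines:
        line = raw.rstrip()

        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("high", line,
                "AppInit_DLLs is set: the DLL is loaded into every process that "
                "loads user32.dll, a persistence spot legitimate software rarely uses"))
            continue

        m = BHO_RE.match(line)
        if m and m.group("target").strip().lower() == "no file":
            findings.append(Finding("medium", line,
                "BHO registration whose DLL is missing; check the CLSID's registry entry"))
            continue

        m = RUN_RE.match(line)
        if m:
            key, exe = m.group("key"), executable_of(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding("low", line,
                    f"no directory given, so which '{exe}' actually runs depends on the search path"))
            if key.lower().endswith(".exe") and key.lower() != ntpath.basename(exe).lower():
                findings.append(Finding("medium", line,
                    f"value name '{key}' looks like one program but launches '{exe}'"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.line}\n         -> {f.reason}")
```

Run it as-is to see the five findings from the sample; to use it on a real DDS log, read the file and pass only the lines between the "Pseudo HJT Report" and "FIREFOX" headers to `triage`. Entries with a full path and a matching value name (ctfmon.exe, iTunesHelper) produce nothing, which is the point: the script narrows a long report down to the handful of lines worth a human's attention.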


#3 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 13 April 2010 - 05:22 PM


Due to inactivity, this thread will now be closed.