
strange browser re-direct


This topic is locked. 4 replies to this topic.

#1 jpdoc (Members, 7 posts)

Posted 26 April 2010 - 10:34 AM

Three days ago my system suddenly seemed to have all services disabled. This was after a weird browser re-direct and an error from Adobe that said something about a "3D parsing error".

I re-enabled the services manually, I ran AVG, SpyBot, Malwarebytes, all with no results. I then found that IE and Firefox were being redirected and at random intervals the browsers would jump to sites identified as malware by AVG.
I've spent three days trying to track it, have re-installed firefox, no progress.

Below is the dds.txt file and attached the Attach.file. When I tried to run GMER I very quickly blue screened. I then ran it in safe mode and it worked but I had to stop it halfway through the file system search as I ran out of time and needed the machine. It seemed to have some results in the registry scan so I've attached the partial file and will run it fully tonight.

Many thanks in advance for any help offered.


DDS (Ver_10-03-17.01) - NTFSx86
Run by paul at 15:39:49.01 on 26/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3455.2379 [GMT 1:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe"


#2 jpdoc (Topic Starter, Members, 7 posts)

Posted 26 April 2010 - 10:50 AM

Sorry about the multiple posts of this - when I selected post the browser closed down the link to this forum (part of the problem I guess) and when I re-logged in and checked I found that it seemed to have come up four times! Not my doing, I promise . . . I'll see if I can find a way to get rid of the copies.


EDIT: No worries, I deleted the duplicates ~ Elise

Edited by elise025, 26 April 2010 - 11:09 AM.


#3 jpdoc (Topic Starter, Members, 7 posts)

Posted 26 April 2010 - 11:40 AM

Thanks Elise.

As a matter of interest I notice they all had a blue broken suitcase icon, as does this thread. Couldn't really find any explanation of this on the site, but there are a lot of places to look so I probably missed it. What does it mean?

#4 jpdoc (Topic Starter, Members, 7 posts)

Posted 28 April 2010 - 03:30 PM

Just to say not to worry about my problem. In desperation I installed a new XP on a different partition and used my Suse 11.2 linux installation to reconfigure the GRUB bootloader so that the old infected XP was available as a file system (not as a boot partition) then used that to get back most of my data. Aside from Suse crunching the MBR on both XP installations (I have to wonder if that's a "feature" that is sort of on purpose) this worked fine. I had to re-use the winXP installation disk to boot into the recovery console and restore the boot.ini and NTLDR stuff but after that I seem to be good.

And I'd like to say many thanks for all the good work you guys do for people in deep p** with their windows installations - it's really appreciated. And SLOW DEATH to the morons who write the virus/trojans/crap that seems to be everywhere these days!
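The recovery route in the post above, mounting the infected XP partition from Linux as a plain filesystem and copying data out of it, comes with one caveat a practitioner would add: any executable copied across can carry the infection into the new install. The script below is an added example, not the poster's procedure and not any tool's code. It assumes the old partition is already mounted read-only (with ntfs-3g the usual options are `-o ro,noexec,nodev`) and copies a directory tree while skipping file types Windows will execute or auto-launch. The list of risky extensions, the profile layout and the sample files built by `demo()` are constructed for the example.

```python
"""Copy user data off a mounted, compromised Windows partition without
carrying executables across.

Added example for this thread; not the poster's procedure and not any
tool's code. It assumes the old partition is already mounted read-only
(for example: mount -t ntfs-3g -o ro,noexec,nodev /dev/sdXN /mnt/oldxp)
and that src points at a profile directory inside that mount.
"""
import os
import shutil
import tempfile
from pathlib import Path

# File types Windows will run, or that can launch something when the
# recovered folder is opened on the clean install. Assumption of this example.
RISKY_SUFFIXES = {
    ".exe", ".scr", ".com", ".pif", ".dll", ".sys", ".cpl", ".msi",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
    ".hta", ".lnk",
}
RISKY_NAMES = {"autorun.inf"}


def recover_user_data(src, dst):
    """Copy src into dst minus risky files; return (copied, skipped) as relative posix paths."""
    src, dst = Path(src), Path(dst)
    copied, skipped = [], []
    # os.walk keeps followlinks=False, so a junction or symlink inside the old
    # profile cannot drag the copy outside the tree.
    for root, dirs, files in os.walk(src):
        dirs.sort()  # deterministic order for the report
        rel = Path(root).relative_to(src)
        (dst / rel).mkdir(parents=True, exist_ok=True)
        for name in sorted(files):
            src_file = Path(root) / name
            if name.lower() in RISKY_NAMES or src_file.suffix.lower() in RISKY_SUFFIXES:
                skipped.append((rel / name).as_posix())
                continue
            shutil.copy2(src_file, dst / rel / name)
            copied.append((rel / name).as_posix())
    return copied, skipped


def demo():
    """Build a constructed sample profile in a temp dir, recover it, return (copied, skipped, dst)."""
    base = Path(tempfile.mkdtemp(prefix="oldxp_"))
    src, dst = base / "profile", base / "recovered"
    (src / "My Documents").mkdir(parents=True)
    (src / "Desktop").mkdir()
    (src / "My Documents" / "thesis.doc").write_bytes(b"constructed sample document")
    (src / "My Documents" / "photo.jpg").write_bytes(b"\xff\xd8 constructed sample image")
    (src / "Desktop" / "notes.txt").write_bytes(b"constructed sample notes")
    (src / "Desktop" / "dds.scr").write_bytes(b"MZ constructed stand-in for an executable")
    (src / "autorun.inf").write_bytes(b"[autorun]\r\nopen=Desktop\\dds.scr\r\n")
    copied, skipped = recover_user_data(src, dst)
    return copied, skipped, dst


if __name__ == "__main__":
    copied, skipped, dst = demo()
    print("recovered into", dst)
    print("copied:", copied)
    print("skipped:", skipped)
```

The skipped list is the useful output: review it before deciding any of those files are worth keeping, and if one is, copy it by hand and scan it on the new install rather than widening the allow-list. Documents themselves can still carry macros, so the skip list reduces the risk rather than removing it.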

#5 m0le ("Can U Dig It?"; Malware Response Team, 34,527 posts, London, UK)

Posted 30 April 2010 - 06:47 PM

Hear, hear jpdoc. Sorry I didn't get to you in time.

---------------------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
