Hidden rootkit in driver/google redirect



#1 MBrower72

MBrower72

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 22 July 2010 - 01:14 AM

I noticed something was wrong when my taskbar, which is normally Windows Media Center style, turned into Windows Classic. I then clicked on a link on Google and watched the URL bar scan through about 3-5 URLs, finally landing on some spam site.

I ran Malwarebytes, nothing.
I ran AVG, nothing.
I ran Hitman Pro 3.5.6; it found some things and removed them, but also clearly said "Possible variant of the TLD3 (alias Alureon) rootkit detected. The device stack of the hard disk is referencing a hidden driver. This could affect the detection of malicious files."

The problem is still here. I've googled and searched for so many other anti-rootkit programs, including TDSSKiller (which I thought would work, but did not), and can't figure out how to remove this. I consider myself computer savvy and normally never need to ask for help with a virus or problem; normally I'm the one people come to for such a thing, but in this case I'm stumped.

Thank you for taking the time to read this, and hopefully one of you can help me in this situation.

It's not letting me c/p my DDS log or upload it; it keeps saying the webpage is not available. It's not even letting me upload this to a file hosting site, lol. Could this be the virus stopping me?

Edit: Was able to post this from my work computer. Below is my DDS log.

I was told to post these logs here by Boopme.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 1:32:28.65 on Thu 07/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1260 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\program files\steam\steam.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Mike\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Google Update] "c:\documents and settings\mike\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe" /tray
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [cdloader] "c:\documents and settings\mike\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\documents and settings\mike\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\mike\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257096655953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\ue040vms.default\
FF - plugin: c:\documents and settings\mike\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-4 25168]
R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-7-20 35816]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-2 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-2 243024]
R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2010-7-7 11392]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331032]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-4 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-4 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-4 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-4 26192]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-4 30104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]
S3 mobiolavs;Mobiola Web Camera Video Source;c:\windows\system32\drivers\mobiolavs.sys [2009-11-18 16512]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-7-20 24416]
S3 SQTECH930B;USB 2.0 Webcam;c:\windows\system32\drivers\capt930b.sys --> c:\windows\system32\drivers\Capt930b.sys [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================

2010-07-21 17:21:05 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-07-20 21:20:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 21:20:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 19:36:40 0 d-----w- c:\program files\Sophos
2010-07-20 19:01:43 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-07-20 19:01:16 0 d-----w- c:\program files\HeavenWard
2010-07-20 18:59:57 0 d-sha-r- C:\cmdcons
2010-07-20 18:57:50 2 --shatr- c:\windows\winstart.bat
2010-07-20 18:57:31 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-07-20 18:57:25 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-07-20 18:57:21 0 d-----w- c:\program files\UnHackMe
2010-07-20 18:55:04 98816 ----a-w- c:\windows\sed.exe
2010-07-20 18:55:04 77312 ----a-w- c:\windows\MBR.exe
2010-07-20 18:55:04 256512 ----a-w- c:\windows\PEV.exe
2010-07-20 18:55:04 161792 ----a-w- c:\windows\SWREG.exe
2010-07-20 18:45:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-07-20 18:00:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-20 18:00:21 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-20 17:51:27 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-20 16:50:20 0 d-----w- c:\docume~1\mike\applic~1\SUPERAntiSpyware.com
2010-07-20 16:50:09 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-20 16:01:18 1380 ----a-w- c:\windows\system32\.crusader
2010-07-20 15:52:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-07-20 07:32:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-20 07:22:24 0 d-----w- c:\program files\Trend Micro
2010-07-19 18:58:49 0 d-----w- c:\docume~1\mike\applic~1\Malwarebytes
2010-07-19 18:58:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-19 18:58:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-14 18:47:26 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 18:40:39 0 d-----w- c:\program files\Conduit
2010-07-13 18:40:37 0 d-----w- c:\program files\DVDVideoSoftTB
2010-07-13 18:17:43 0 d-----w- c:\docume~1\mike\applic~1\DVDVideoSoftIEHelpers
2010-07-07 17:13:34 0 d-----w- c:\program files\LimeWire
2010-07-07 09:49:18 11392 ----a-w- c:\windows\system32\drivers\RemoveAny.sys
2010-07-05 12:25:44 0 d-----w- c:\program files\Rosetta Stone
2010-07-05 12:25:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2010-06-22 13:46:37 12536 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-07-13 18:27:36 131072 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-06-22 13:46:39 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 13:46:29 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-06-22 13:45:53 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-11 19:31:57 1063320 ----a-w- c:\documents and settings\mike\gotomypc_533.exe
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-11-03 13:36:40 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 1:33:26.30 ===============

Edited by MBrower72, 22 July 2010 - 05:50 AM.


#2 m0le

Posted 28 July 2010 - 06:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

Posted 02 August 2010 - 06:42 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.