Suspect Rootkit.agent/Gen-TDSS


  • This topic is locked
2 replies to this topic

#1 upnorthswede

upnorthswede

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 16 August 2010 - 10:51 PM

After running many malware scanners and fixes, I still am getting 2 different aggravating problems.

1st, Opens a new window randomly with an unrelated web site (IE with Google search output open but not actively in use),
2nd, Opens an unrelated website when I right click a search result into a new tab.

Originally, we were using Firefox for browsing, but removed it to narrow down activities. Just so you know, we did do some housecleaning with HijackThis. Original antivirus was Trend, but removed it in favor of Avast. Trend didn't prevent or identify any problems compared to Avast.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Wealthwood Work at 19:16:23.04 on Mon 08/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.197 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\InterVations\dbsrvnt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\Wealthwood Work\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRunOnce: [RunNarrator] Narrator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1280694793687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260015291875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {55E42F76-AAB0-49C9-B0E8-6C6341EEA2A7} = 69.78.96.14 66.174.92.14
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-30 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-4 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-4 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-4 40384]
R2 dbsrv;InterVations Database Server;c:\program files\common files\intervations\dbsrvnt.exe [2006-10-19 1199616]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-4 40384]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-4 40384]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2010-6-10 627072]
S4 Asaites;Asaites; [x]
S4 Neiduosa;Neiduosa; [x]
S4 qitlng;qitlng;c:\windows\system32\drivers\cdbvvsut.sys --> c:\windows\system32\drivers\cdbvvsut.sys [?]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-7-30 366840]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-7-30 1142224]

=============== Created Last 30 ================

2010-08-17 00:13:07 0 ----a-w- c:\documents and settings\wealthwood work\defogger_reenable
2010-08-17 00:12:37 50477 ----a-w- c:\temp\Defogger.exe
2010-08-12 18:22:23 0 d-----w- c:\program files\Full Tilt Poker
2010-08-12 18:22:04 20985410 ----a-w- c:\temp\FullTiltSetup.exe
2010-08-12 08:03:18 174 ----a-w- c:\windows\system32\MRT.INI
2010-08-05 22:29:01 0 d-----w- c:\temp\backups
2010-08-05 13:44:26 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-04 12:42:00 38848 ----a-w- c:\windows\avastSS.scr
2010-08-04 03:00:49 14336 ----a-w- c:\windows\system32\svchost.exe
2010-08-04 03:00:49 14336 ----a-w- c:\windows\system32\dllcache\svchost.exe
2010-08-03 23:04:53 0 d--h--w- c:\windows\PIF
2010-08-03 17:40:00 0 d--h--w- c:\windows\system32\GroupPolicy
2010-08-02 21:32:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-02 20:59:07 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-02 20:56:15 128750008 ----a-w- c:\temp\Ad-AwareInstall.exe
2010-08-02 13:39:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-02 13:35:38 16409960 ----a-w- c:\temp\spybotsd162.exe
2010-08-02 06:03:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-02 05:22:48 50688 ----a-w- c:\temp\ATF-Cleaner.exe
2010-08-01 19:49:40 0 dc-h--w- c:\windows\ie8
2010-08-01 01:32:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-08-01 00:09:27 54835272 ----a-w- c:\temp\setup_av_free.exe
2010-08-01 00:08:30 2133536 ----a-w- c:\temp\avg_free_stb_all_9_115_cnet.exe
2010-07-31 23:27:34 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-31 15:56:09 125056 ----a-w- c:\windows\system32\drivers\hrncptug.sys
2010-07-31 13:15:26 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-31 13:09:40 11508680 ----a-w- c:\temp\windows-kb890830-v3.9.exe
2010-07-30 22:10:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 20:46:20 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-07-30 20:46:14 0 d-----w- c:\program files\Security Task Manager
2010-07-30 20:43:19 1709408 ----a-w- c:\temp\taskmanager17.exe
2010-07-30 20:40:29 378240 ----a-w- c:\temp\SvchostAnalyzer.exe
2010-07-30 18:04:44 3250 ----a-w- c:\windows\system32\wbem\Outlook_01cb3011afedf158.mof
2010-07-30 13:46:16 0 d-----w- c:\docume~1\wealth~1\applic~1\Malwarebytes
2010-07-30 13:46:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-30 13:46:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-30 13:46:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-30 13:46:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 13:40:15 6153352 ----a-w- c:\temp\mbam-setup-1.46.exe
2010-07-30 05:15:01 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-07-30 05:15:00 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-30 05:14:52 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-30 05:14:52 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-07-30 05:14:52 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-07-30 05:14:52 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-30 05:14:48 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-07-30 05:14:48 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-30 05:14:41 0 d-----w- c:\docume~1\wealth~1\applic~1\PC Tools
2010-07-30 05:14:41 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-07-30 04:58:38 36598544 ----a-w- c:\temp\sdsetup.exe
2010-07-30 04:00:38 552 ----a-w- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 22:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-05-31 18:01:40 78848 ----a-w- c:\windows\system32\inloader.dll
2010-05-31 18:01:40 14160 ----a-w- c:\windows\system32\hlinkprx.dll
2010-05-31 18:01:32 27136 ----a-w- c:\windows\system32\pubdlg.dll
2010-05-31 18:01:32 12288 ----a-w- c:\windows\system32\picstore.dll
2010-05-31 18:01:29 94282 -c--a-w- c:\windows\system32\msencode.dll
2010-05-31 18:01:28 161552 ----a-w- c:\windows\system32\asycpict.dll
2007-05-14 22:12:35 88 -csh--r- c:\windows\system32\3F73DFC6EA.sys
2008-12-09 21:08:08 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-24 16:04:54 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

============= FINISH: 19:17:25.56 ===============



#2 upnorthswede

upnorthswede
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 19 August 2010 - 08:49 PM

This thread can be closed. Problem resolved using Hitman Pro, TDSSKiller, ComboFix, Mbam, and Eset. Hitman and TDSSKiller found and fixed two issues.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:39 PM

Posted 19 August 2010 - 09:48 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



