
Browser hijacking svchost high cpu blocked update ms


  • This topic is locked
6 replies to this topic

#1 AlanMac5
Posted 11 October 2010 - 12:32 PM

Infected WinXP Home system. Browser hijacking, especially redirection of search results in IE 7 and Firefox. This seems to be running through svchost.exe, showing high CPU and high memory usage.
My exposure appears to be from 9/21 or 9/22. My virus security software was able to detect and clean several items within a day of a Windows update. The cleaned-up items included ExploitPDF-JSGen, Gen:Malware.Heur.bq0@bGet9rhi, Gen:Trojan,Heur.FU.fqW@aKr7ZDd, and Gen:Trojan.Heur.LP.dy4@aWcgUHiG. My Security Shield AV software crashed and lost the rest of the logs. It cannot detect anything else related to the current ongoing infection. MS OneCare Live was also unable to detect any issues. The Windows Update site and others seem to be blocked.


DDS (Ver_10-10-10.03) - NTFSx86
Run by Alan at 11:46:21.67 on Mon 10/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1397 [GMT -5:00]

AV: Security Shield 2009 Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Security Shield 2009 Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\CTRegRun.EXE
C:\Program Files\Creative\Product Registration\English\InetReg.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: Security Shield 2009 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\pcsecurityshield\bitdefender 2009\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [CTRegRun] c:\windows\CTRegRun.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\pcsecurityshield\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: clanmacnicol.org\www
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {705EC6D4-B138-4079-A307-EF13E40C2416} - hxxps://ussccsecvpn01.hds.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} - hxxp://64.107.106.116/inc/imgearv1.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Hosts: 192.168.15.150 HP001E0BFED1EC

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\3hamuw1w.default\

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\pcsecurityshield\bitdefender 2009\BDVEDISK.sys [2008-9-4 82440]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-10-17 104328]
S3 Arrakis3;PCSecurityShield Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-13 135664]

=============== Created Last 30 ================

2010-10-01 19:18:33 -------- d-----w- c:\windows\pss
2010-09-22 03:28:16 -------- d-----w- C:\moms music
2010-09-14 22:34:32 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-14 22:34:30 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-09-14 22:34:20 406016 -c----w- c:\windows\system32\dllcache\usp10.dll

==================== Find3M ====================

2010-10-11 16:33:31 81984 ----a-w- c:\windows\system32\bdod.bin
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 11:49:03.04 ===============


#2 teacup61

  • Malware Response Team
  • 17,075 posts

Posted 18 October 2010 - 10:48 AM

Hello AlanMac5,



Sorry for the delay. If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 AlanMac5

Posted 18 October 2010 - 09:36 PM

Thanks tea,
A new DDS.txt is attached here on 10/18.
Thanks,
Alan

Attached Files

  • Attached File  DDS.txt   5.94KB   1 downloads


#4 teacup61

Posted 18 October 2010 - 09:43 PM

Hi Alan,

From what is "lacking" in that log, and your description of the problem, let's do this first and see if it's the problem:

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
Thanks,
tea

#5 AlanMac5

Posted 20 October 2010 - 12:36 PM

Tea,
It looks like the TDSSKiller rootkit remover has found and cured an issue in ftdisk.sys. My initial testing is showing up clean; no more browser redirects. I had been watching netstat and saw hundreds of connections being established while I was infected, now there are none. After rebooting I ran a second scan with TDSSKiller and it came up clean.
The first TDSS Report is attached.
Thank you,
-Alan
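The netstat check Alan describes above, as an added example that is not part of this thread: a small Python script that parses saved `netstat -ano` output, counts active outbound connections and distinct remote hosts per PID, and flags processes (such as an svchost.exe instance) that exceed a threshold. The netstat sample and the PID-to-image map a `tasklist` run would give are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat -ano" output (not a capture from the thread):
# PID 1234 (svchost.exe) has many outbound connections to distinct hosts,
# PID 2048 (a browser) has one, and PID 940 only listens.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    192.168.15.10:1031     203.0.113.7:80         ESTABLISHED     1234
  TCP    192.168.15.10:1032     203.0.113.8:80         ESTABLISHED     1234
  TCP    192.168.15.10:1033     203.0.113.9:80         ESTABLISHED     1234
  TCP    192.168.15.10:1034     203.0.113.10:80        SYN_SENT        1234
  TCP    192.168.15.10:1035     198.51.100.5:443       ESTABLISHED     2048
  UDP    0.0.0.0:500            *:*                                    940
"""

# Constructed PID -> image name map, as "tasklist" would report it.
SAMPLE_TASKS = {940: "svchost.exe", 1234: "svchost.exe", 2048: "firefox.exe"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def connections_per_pid(rows):
    """Count ESTABLISHED/SYN_SENT connections and distinct remote hosts per PID."""
    stats = defaultdict(lambda: {"active": 0, "hosts": set()})
    for _proto, _local, remote, state, pid in rows:
        if state in ("ESTABLISHED", "SYN_SENT"):
            stats[pid]["active"] += 1
            stats[pid]["hosts"].add(remote.rsplit(":", 1)[0])  # strip the port
    return stats


def flag_busy_processes(text, tasks, threshold):
    """Return sorted (pid, image, active, distinct_hosts) for PIDs at/over threshold."""
    flagged = []
    for pid, info in connections_per_pid(parse_netstat(text)).items():
        if info["active"] >= threshold:
            flagged.append((pid, tasks.get(pid, "?"), info["active"], len(info["hosts"])))
    return sorted(flagged)
```

Run it against a real `netstat -ano` capture and a `tasklist` PID map; a system process holding hundreds of connections to many distinct hosts is the pattern worth investigating.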


#6 teacup61

Posted 20 October 2010 - 12:59 PM

Hi Alan,

You're welcome. :)

Excellent. Your Adobe is outdated and vulnerable... needs to be updated! If you haven't already, then have a scan with your Bit Defender and let me know how it comes out. It *should* be clear.

tea

#7 teacup61

Posted 25 October 2010 - 04:20 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.