Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirect - Generic Host Services - Restart


  • This topic is locked This topic is locked
2 replies to this topic

#1 jghiloni

jghiloni

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 11 December 2010 - 10:27 AM

My machine has begun doing the following: pop-up error messages about Generic Host Services for Win32 crashing; browser search redirects in both IE and Chrome; launching IE results in a pop-up asking to go to my home page or restore last session, either choice results in a new IE window with a "You've won a $1000 Walmart Gift Card..." pop-up box (process must be halted in Task Mgr). The computer also has trouble restarting now, often just shutting down the monitor but not the PC. It is very slow to restart after a Shut Down or power-stop.

I have run updated versions of SpyBot Search and Destroy, Trend Micro PC-Cillin, and MBAM. Each has reported (and then corrected) issues, but the problems above persist. I also ran scr /scannow which found no problems.

As instructed here, I have run DDS and GMER.



DDS (Ver_10-12-05.01) - NTFSx86
Run by Jim Ghiloni at 22:13:10.84 on Fri 12/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.1708 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim Ghiloni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uWindows: load=?
uWindows: Run=?
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\jim ghiloni\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://webmail.gsa.gov/scoggemssoca01/iNotes6W.cab
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-8-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-8-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-11 02:39:38 -------- d-----w- c:\windows\pss
2010-12-10 23:42:04 -------- d-----w- c:\docume~1\jimghi~1\locals~1\applic~1\Temp
2010-12-10 23:42:02 -------- d-----w- c:\docume~1\jimghi~1\locals~1\applic~1\Google
2010-12-10 18:34:10 -------- d-----w- c:\program files\World of Warcraft
2010-12-10 18:34:10 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2010-12-10 18:33:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2010-12-03 13:50:18 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-11-22 15:01:23 -------- d-----w- c:\program files\MSXML 4.0
2010-11-22 01:31:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2010-11-22 01:23:53 -------- d-----w- c:\program files\Microsoft Games
2010-11-21 15:00:44 -------- d-----w- c:\windows\system32\xlive
2010-11-21 15:00:39 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-11-21 14:18:20 -------- d-----w- c:\program files\iPod
2010-11-21 14:18:18 -------- d-----w- c:\program files\iTunes
2010-11-12 20:37:41 -------- d-----w- c:\docume~1\jimghi~1\applic~1\Malwarebytes
2010-11-12 20:37:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 20:37:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-12 20:37:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 20:37:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 20:17:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-12 20:17:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-11 19:52:33 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-11 19:52:33 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-11 19:52:33 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2010-10-14 06:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 06:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-09-27 21:47:22 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-27 21:47:22 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-09-27 21:43:13 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: NVIDIA__ rev. -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A1B1555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a1b77b0]; MOV EAX, [0x8a1b782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A1C0030]
3 CLASSPNP[0xB80F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A197960]
\Driver\nvraid[0x8A2219F8] -> IRP_MJ_CREATE -> 0x8A1B1555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000067 -> \??\SCSI#Disk____NVIDIA__MIRROR___232.88G#1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 22:15:04.53 ===============

Attached Files

  • Attached File  ark.txt   13.88KB   1 downloads
  • Attached File  DDS.txt   9.59KB   0 downloads


BC AdBot (Login to Remove)

 


#2 jghiloni

jghiloni
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 11 December 2010 - 12:01 PM

I have run TDSSKiller, which found a problem and Cured it. At this point, everything seems to be Ok. However, if there is something else I should do, please let me know. If the problem reoccurs, I will re-generate the log files and repost. Thank you to all the people who volunteer their time on this site.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:56 PM

Posted 11 December 2010 - 09:32 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users