Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Browser Hijack/Malware. Google searches redirected. Slow boot up/shut down. Frequent freeze ups. Connection time-outs requiring restarts.

  • This topic is locked This topic is locked
3 replies to this topic

#1 crazz25


  • Members
  • 2 posts
  • Local time:01:37 PM

Posted 13 December 2010 - 06:59 PM

Pretty sure I've some form of Malware/Spyware. I can't seem to get it off, so here I am. It takes a long time to shut down, my start bar theme will change back to default on occasion as well. My browser is being hijacked to a site which claims I've won a Walmart gift card. Also, my Google results are being redirected. If I'm in my browser for long enough, suddenly I won't be able to pull up new websites, everything stops loading, although my computer says I'm still connected to the internet, (says that the server took too long to respond) and a restart is necessary. Please help!

DDS (Ver_10-12-12.02) - NTFSx86
Run by Crazz25 at 16:01:33.23 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

============== Running Processes ===============

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Crazz25\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\crazz25\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Windows Host] c:\documents and settings\crazz25\application data\svchost.exe
uRun: [JP595IR86O] c:\docume~1\crazz25\locals~1\temp\Vxt.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [4RBPZMXX4S] c:\windows\Vzorab.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Host] c:\documents and settings\crazz25\application data\svchost.exe
mExplorerRun: [Windows Host] c:\documents and settings\crazz25\application data\svchost.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263171511359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {ECDFFF4B-FDDA-4A4C-B4EB-0CDD5CCBFF1A} - c:\documents and settings\crazz25\application data\svchost.exe
uASetup: {ECDFFF4B-FDDA-4A4C-B4EB-0CDD5CCBFF1A} - c:\documents and settings\crazz25\application data\svchost.exe
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\crazz25\applic~1\mozilla\firefox\profiles\2nld0m0s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mugglenet.com
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\crazz25\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Ask Chrome Search Engine: askopensearch-VTS@ask.com - %profile%\extensions\askopensearch-VTS@ask.com
FF - Ext: Aero Fox: {d9b25e30-c1cf-11de-8a39-0800200c9a66} - %profile%\extensions\{d9b25e30-c1cf-11de-8a39-0800200c9a66}
FF - Ext: ErrorZilla Plus: {03651b2d-eb7d-4be7-af1b-dc0cd162dd54} - %profile%\extensions\{03651b2d-eb7d-4be7-af1b-dc0cd162dd54}
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R? gupdate;Google Update Service (gupdate)
R? sdAuxService;PC Tools Auxiliary Service
R? sdCoreService;PC Tools Security Service
S? Browser Defender Update Service;Browser Defender Update Service
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? Lavasoft Kernexplorer;Lavasoft helper driver
S? Lbd;Lbd
S? PCTCore;PCTools KDS

=============== Created Last 30 ================

2010-12-13 01:36:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-13 00:29:41 -------- d-sh--w- c:\documents and settings\crazz25\PrivacIE
2010-12-13 00:29:25 -------- d-----w- c:\docume~1\crazz25\locals~1\applic~1\AskToolbar
2010-12-13 00:29:14 -------- d-----w- c:\docume~1\crazz25\locals~1\applic~1\Threat Expert
2010-12-13 00:03:07 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-13 00:02:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-13 00:00:13 -------- d-----w- c:\docume~1\crazz25\locals~1\applic~1\Sunbelt Software
2010-12-12 23:56:04 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-12 23:54:56 -------- d-----w- c:\program files\Lavasoft
2010-12-12 23:06:10 767952 ----a-w- c:\windows\BDTSupport.dll
2010-12-12 23:06:08 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-12-12 23:06:07 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-12-12 23:06:07 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-12-12 23:01:46 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-12 23:01:37 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-12-12 23:01:37 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-12 23:01:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-12 23:01:21 -------- d-----w- c:\program files\common files\PC Tools
2010-12-12 23:01:20 -------- d-----w- c:\program files\Spyware Doctor
2010-12-12 23:01:20 -------- d-----w- c:\docume~1\crazz25\applic~1\PC Tools
2010-12-12 23:01:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-12-12 18:59:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-12 18:59:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-12 18:07:41 129536 --sha-r- c:\windows\system32\kbdheptj.dll
2010-12-07 06:06:27 -------- d-----w- c:\program files\PeerGuardian2
2010-12-07 06:06:06 -------- d-----w- c:\docume~1\crazz25\applic~1\FrostWire
2010-12-07 06:05:35 -------- d-----w- c:\program files\Ask.com
2010-12-07 06:05:24 -------- d-----w- c:\program files\FrostWire
2010-12-04 02:30:37 -------- d-----w- c:\program files\Veoh Networks

==================== Find3M ====================

2010-09-25 00:30:20 255352 ----a-w- c:\windows\system32\awrdscdc.ax

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BEVS-60RST0 rev.04.01G04 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x85F87555]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85f8d7b0]; MOV EAX, [0x85f8d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x85FEFAB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85FAF920]
5 PCTCore[0xF728CEAE] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x86038A00]
7 ACPI[0xF733E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85FB0D98]
\Driver\atapi[0x85F952E0] -> IRP_MJ_CREATE -> 0x85F87555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD1600BEVS-60RST0___________________04.01G04#5&359c5a6a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85F8739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:03:51.43 ===============

Attached Files

BC AdBot (Login to Remove)


#2 crazz25

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:37 PM

Posted 19 December 2010 - 10:05 PM

I realize I'm not supposed to bump, but I really need help here, and it has been nearly a week. Please help me, I don't want to reinstall my OS!

#3 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 22 December 2010 - 09:54 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.


  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:37 PM

Posted 27 December 2010 - 08:02 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users