
AV8, WhiteSmoke, setup.exe in temp folder, stopbadsites.com hijack - logs attached

  • This topic is locked
2 replies to this topic

#1 ph7ryan


  • Members
  • 141 posts
  • Gender:Male
  • Location:Georgia, USA
  • Local time:10:43 PM

Posted 01 January 2011 - 03:57 PM

Well my brother really screwed up his computer this time... after telling him time and time again that piracy is not only wrong but stupid as well if you don't know what you're doing, he downloaded SOMETHING(s) to his computer and REALLY screwed it up....

Windows Vista was what was infected first, and the symptoms were no internet, freezing up constantly, and bluescreens/instant hard shutoffs... system restore restored, but still didn't solve the problem... I have an MSDN Alliance program with Microsoft, so I was able to get a Windows 7 install DVD for free, legally, and so I just installed that, and let the old windows files and stuff go to windows.old...

Freshly installed, everything worked great, and I thought it was all over... then a few days later he starts whining about how Microsoft Office would not install, and that I needed to do it... I put it off for a few weeks, and finally got fed up with his attitude that I decided to take a look... installing Office was the LEAST of his worries... AV8's desktop icon was sitting inches away from my face.... lord almighty.... he claims that it "installed itself" (I don't think it is possible that any trojan downloader could run itself from the windows.old folder without human help, but I never actually finished my A+ certification class in high school, so I can't say so for sure...)

Well, I downloaded Malwarebytes' and it removed Antivirus8 and WhiteSmoke (more later) etc., and everything seemed alright again, until I went to go install AVG Free, and I got a browser hijack for "stopbadsites.com". I googled around, and found very limited info, and what I did find was from the past few days, so I'm thinking this is a more recent problem that many others will be facing... anyways, I downloaded AVG Free, Spyware Doctor, SUPERAntiSpyware, and Spyware Terminator from another computer and ran searches upon searches, and at first they removed a few things and then they began coming up clean... I still had the browser hijack though... so I ran a HijackThis scan, and did a quick scan through, and for the most part, everything looks familiar, and the only BHOs are AVG and Spyware Doctor. I checked to see if it was running through a proxy, and it was not...

So I was stumped until, within the hour, I started getting AVG messages claiming that there is a setup.exe in the c:\windows\temp\*series of 4 random letters*\ folder, and it is a trojan horse FakeAV.hmd, and whenever I went to remove it, it wasn't accessible, and when I clicked "go to file", it brought me to the My Documents folder... I tried to manually go to the file, and there is no *series of 4 random letters* folder... I have just let them accumulate, and after about 15-20 minutes, I have 4 of the same FakeAV.hmd threats detected that are not present in my windows temp folder...

I am so confused and I am on another computer, so any help would be awesome...

Thanks a ton! :)

DDS (Ver_10-12-12.02) - NTFSx86
Run by Michael at 15:09:14.13 on Sat 01/01/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3070.1915 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\AVG\AVG10\avgcsrvx.exe
F:\Virus Scan Tools\Bleeping Computer Log Files\dds.scr

============== Pseudo HJT Report ===============

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\9qcy8vbd.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-31 218592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-12-30 142592]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 21072]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2011-01-01 19:21:15 -------- d-----w- c:\windows\pss
2010-12-31 19:30:20 -------- d-----w- c:\users\michael\appdata\roaming\SUPERAntiSpyware.com
2010-12-31 19:30:20 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-31 19:30:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-31 18:05:47 -------- d-----w- c:\users\michael\appdata\local\Threat Expert
2010-12-31 14:09:35 767952 ----a-w- c:\windows\BDTSupport.dll
2010-12-31 14:09:34 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-12-31 14:09:34 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-12-31 14:09:34 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-12-31 14:07:55 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-31 14:07:55 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-12-31 14:07:46 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-12-31 14:07:46 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-31 14:07:39 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-31 14:07:33 -------- d-----w- c:\users\michael\appdata\roaming\PC Tools
2010-12-31 14:07:33 -------- d-----w- c:\program files\Spyware Doctor
2010-12-31 14:07:33 -------- d-----w- c:\program files\common files\PC Tools
2010-12-31 14:07:33 -------- d-----w- c:\progra~2\PC Tools
2010-12-31 00:15:10 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-12-31 00:15:09 -------- d-----w- c:\users\michael\appdata\roaming\Spyware Terminator
2010-12-31 00:15:07 -------- d-----w- c:\progra~2\Spyware Terminator
2010-12-31 00:15:06 -------- d-----w- c:\program files\Spyware Terminator
2010-12-30 22:52:40 -------- d--h--w- C:\$AVG
2010-12-30 22:35:55 -------- d-----w- c:\users\michael\appdata\roaming\AVG10
2010-12-30 22:34:50 -------- d--h--w- c:\progra~2\Common Files
2010-12-30 22:33:52 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-30 22:33:52 -------- d-----w- c:\progra~2\AVG10
2010-12-30 22:32:55 -------- d-----w- c:\program files\AVG
2010-12-30 21:53:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-30 21:53:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-30 21:14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-30 21:10:09 -------- d-----w- c:\users\michael\appdata\roaming\Malwarebytes
2010-12-30 21:10:01 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-30 20:48:06 -------- d-----w- c:\progra~2\MFAData
2010-12-22 23:40:15 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-12-22 23:17:30 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-22 23:17:30 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-22 23:17:30 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-22 23:17:30 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-22 23:17:30 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-22 15:05:57 -------- d-----w- c:\users\michael\appdata\roaming\Doecu
2010-12-22 15:05:57 -------- d-----w- c:\users\michael\appdata\roaming\Axhaq
2010-12-22 14:14:41 81410 ----a-w- c:\progra~2\g0bl07OX.exe_
2010-12-22 01:35:45 -------- d-----w- C:\b2f94081103a6ffe5d116d
2010-12-22 01:34:42 -------- d-----w- C:\baa41c4f6d41675f04f732
2010-12-22 01:28:00 -------- d-----w- c:\windows\system32\Wat
2010-12-21 15:48:38 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2010-12-21 15:48:38 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-12-21 15:28:48 584296 ----a-w- c:\windows\system32\nvuninst.exe
2010-12-21 15:20:49 -------- d-----w- c:\users\michael\appdata\local\Microsoft Help
2010-12-21 15:15:00 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-12-21 15:15:00 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-12-21 05:20:17 -------- d-----w- c:\users\michael\appdata\local\Apple Computer
2010-12-21 05:20:03 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-21 05:20:03 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-21 05:19:30 -------- d-----w- c:\program files\iPod
2010-12-21 05:19:29 -------- d-----w- c:\program files\iTunes
2010-12-21 05:19:29 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-21 05:17:48 -------- d-----w- c:\program files\Bonjour
2010-12-21 05:17:01 -------- d-sh--w- c:\windows\Installer
2010-12-21 04:47:03 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 04:46:26 -------- d-----w- c:\users\michael\appdata\local\Diagnostics
2010-12-21 04:40:14 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{46e6f68d-5fcb-45a1-a6e3-bfc2a6085215}\mpengine.dll
2010-12-21 04:40:12 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-21 04:38:59 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-12-21 04:38:31 132608 ----a-w- c:\windows\system32\cabview.dll
2010-12-20 23:14:20 -------- d-----w- c:\windows\Panther
2010-12-20 23:03:58 -------- d-----w- C:\Windows.old
2010-12-20 20:46:58 -------- d-----w- c:\windows\system32\wbem\Performance
2010-12-19 04:13:54 -------- d-sh--w- C:\found.002
2010-12-19 03:26:31 -------- d-sh--w- C:\found.001
2010-12-08 09:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-10-07 17:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD3200BEVT-60ZCT0 rev.11.01A11 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x861B8735]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x861be990]; MOV EAX, [0x861bea0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82840458] -> \Device\Harddisk0\DR0[0x8619D538]
3 CLASSPNP[0x833AA59E] -> ntkrnlpa!IofCallDriver[0x82840458] -> [0x8619DE40]
5 PCTCore[0x8320DEAE] -> ntkrnlpa!IofCallDriver[0x82840458] -> \IdeDeviceP2T0L0-4[0x85338908]
\Driver\atapi[0x861A2410] -> IRP_MJ_CREATE -> 0x861B8735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskWDC_WD3200BEVT-60ZCT0___________________11.01A11#5&284743e5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 15:10:46.29 ===============

Attached Files
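Two parts of the DDS report above carry most of what a responder needs to read first: the `AV:`/`SP:` header lines, which record whether each installed scanner is enabled and has current definitions, and the GMER section at the end, whose verdict rests on a single comparison, the MBR as read through the normal user-mode path against the MBR as read directly by the kernel, with an unattributed module (`>>UNKNOWN [0x861B8735]<<`) sitting in the disk I/O chain between them. The Python below is an added example written for this edit, not code from BleepingComputer, DDS or GMER; it parses those two sections from a trimmed copy of the report (the sample is constructed from the log in the post) and reduces them to a short list of findings. The field names and the wording of the findings are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the protection header and the GMER MBR section, trimmed
# from the DDS report posted in the thread above.
SAMPLE_LOG = """\
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x861B8735]<<
kernel: MBR read successfully
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# One DDS protection line: "<AV|SP|FW>: <product> *<Enabled|Disabled>/<Updated|Outdated>* {<GUID>}"
PROTECTION_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<product>.+?) "
    r"\*(?P<state>Enabled|Disabled)/(?P<sigs>Updated|Outdated)\* "
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}$"
)
# A module in GMER's disk trace that it could not map to any driver file
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")


@dataclass
class Protection:
    kind: str       # AV (antivirus), SP (anti-spyware) or FW (firewall)
    product: str
    enabled: bool
    updated: bool   # False when DDS printed "Outdated"
    guid: str


@dataclass
class MbrCheck:
    user_read_ok: bool = False     # MBR read through the normal user-mode path
    kernel_read_ok: bool = False   # MBR read directly by GMER's kernel driver
    mismatch: bool = False         # the two reads differ: "user != kernel MBR !!!"
    unknown_modules: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_protection(log: str) -> List[Protection]:
    """Collect the AV:/SP:/FW: status lines from the report header."""
    found = []
    for line in log.splitlines():
        m = PROTECTION_RE.match(line.strip())
        if m:
            found.append(Protection(
                kind=m["kind"], product=m["product"],
                enabled=m["state"] == "Enabled",
                updated=m["sigs"] == "Updated",
                guid=m["guid"]))
    return found


def parse_mbr_check(log: str) -> MbrCheck:
    """Pull the user-vs-kernel MBR comparison out of the GMER section."""
    result = MbrCheck()
    for raw in log.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            result.user_read_ok = True
        elif line == "kernel: MBR read successfully":
            result.kernel_read_ok = True
        elif line == "user != kernel MBR !!!":
            result.mismatch = True
        elif line.startswith("Warning:") or "rootkit infection detected" in line:
            result.warnings.append(line)
        result.unknown_modules.extend(UNKNOWN_MODULE_RE.findall(line))
    return result


def triage(log: str) -> List[str]:
    """Reduce the parsed facts to the short list a responder reads first."""
    findings = []
    for p in parse_protection(log):
        if not p.enabled:
            findings.append(f"{p.kind} {p.product}: disabled")
        elif not p.updated:
            findings.append(f"{p.kind} {p.product}: enabled but definitions outdated")
    mbr = parse_mbr_check(log)
    if mbr.user_read_ok and mbr.kernel_read_ok and mbr.mismatch:
        findings.append("MBR: user-mode and kernel-mode reads of sector 0 differ; "
                        "something in the disk I/O path is filtering reads")
    for addr in mbr.unknown_modules:
        findings.append(f"MBR: unattributed kernel code at {addr} in the disk I/O chain")
    findings.extend(mbr.warnings)
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

The comparison is the whole point of the GMER check: a filter that rewrites reads of sector 0 on the way to user mode leaves a clean-looking MBR for every user-mode scanner while the kernel-side read still sees the real one, so `user != kernel` is the line to look for before the named verdict, and an unattributed module in the call chain tells you where the filtering is happening.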



#2 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:04:43 AM

Posted 07 January 2011 - 03:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:04:43 AM

Posted 16 January 2011 - 09:23 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
