Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Persistent TDSS Redirect Virus - Google Keeps Redirecting - Computer Bluescreens and Reboots


  • This topic is locked This topic is locked
2 replies to this topic

#1 ebriel

ebriel

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:16 AM

Posted 23 April 2011 - 01:50 PM

My computer keeps redirected from listings on Google to obvious affilate/garbage sites. This happens about 3/5 times. It is progressing and beginning to pop up new tabs at random intervals while Firefox is running.

I am unable to run TDSSKiller. It goes 80% of the way to initial run then says Windows is unable to run the program and will look for a solution. Click the Look for Solution tab, and the program just shuts down. This also happens when I rename the file.

I am running Windows Vista, and having trouble with some of these help programs not being given the option to Run as Administrator.

It seems like the program knows what can stop it, and either shuts the program down or Blue Screens the computer and reboots.

I've also tried: MalwareBytes, HiJackThis, RKill (Blue Screens and reboots), ComboFix (which found a problem, fixed it, but the problem remained), Hitman (identified problem, but ignored it/wouldn't fix it). I think that's everything.


IMPORTANT:
During running of GMER, computer Blue Screened and Restarted (after about 20 minutes into the GMER scan). So I'm unable to provide a GMER Scan File here...

Trued GMER again. It went futher, but went haywire finding things while searching: C:\Windows\winsxs\ it went haywire finding things and locked up. I will attach what I could get of an ARK File... which was what it found in the first 5 minutes of running. Everything else couldn't be saved for whatever reason... It also has made my computer unable to open Notepad files or Maximize anything in the system tray at the bottom of the screen.


Here are the logs I could get:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Cubit at 10:46:24.33 on Sat 04/23/2011
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2092 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Cubit\Desktop\Defogger.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Cubit\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mDefault_Page_URL = hxxp://www.msi.com.tw
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\cubit\appdata\roaming\mozilla\firefox\profiles\i2ao38j8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\programfiles\mozilla\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: NASA Night Launch: nasanightlaunch@example.com - %profile%\extensions\nasanightlaunch@example.com
FF - Ext: ImageTweak: {DB2EA31C-58F5-48b7-8D60-CB0739257904} - %profile%\extensions\{DB2EA31C-58F5-48b7-8D60-CB0739257904}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ant Video Downloader: anttoolbar@ant.com - %profile%\extensions\anttoolbar@ant.com
FF - Ext: ImageHost Grabber: {E4091D66-127C-11DB-903A-DE80D2EFDFE8} - %profile%\extensions\{E4091D66-127C-11DB-903A-DE80D2EFDFE8}
FF - Ext: 4chan: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
.
============= SERVICES / DRIVERS ===============
.
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-12-29 159744]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-12-29 54784]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-12-29 93968]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-12-29 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-29 43040]
R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\system32\drivers\RLVrtAuCbl.sys [2011-4-20 31616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-23 16:49:38 -------- d-----w- c:\users\cubit\appdata\local\Apps
2011-04-23 10:11:47 388096 ----a-r- c:\users\cubit\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-23 10:11:47 -------- d-----w- c:\program files\Trend Micro
2011-04-23 10:02:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-23 10:02:11 -------- d-----w- c:\progra~2\Hitman Pro
2011-04-23 09:01:28 -------- d-----w- C:\$RECYCLE(0).BIN
2011-04-23 09:01:26 -------- d-----w- c:\users\cubit\appdata\local\Temp(12)
2011-04-23 08:20:40 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-23 07:02:00 -------- d-----w- c:\users\cubit\appdata\roaming\Malwarebytes
2011-04-23 07:01:53 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-22 23:00:35 -------- d-----w- c:\progra~2\redistpart
2011-04-22 23:00:31 -------- d-----w- c:\progra~2\launcher
2011-04-22 23:00:31 -------- d-----w- c:\progra~2\explauncher
2011-04-22 22:59:28 -------- d-----w- c:\program files\Paragon Software
2011-04-22 19:04:21 -------- d--h--w- c:\progra~2\Common Files
2011-04-22 19:02:55 -------- d-----w- c:\progra~2\AVG10
2011-04-22 19:02:00 -------- d-----w- c:\program files\AVG
2011-04-22 18:57:19 -------- d-----w- c:\progra~2\MFAData
2011-04-22 16:39:54 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{66b963e7-1606-4c47-8265-a19514bb4d5e}\mpengine.dll
2011-04-22 07:31:41 97800 ----a-w- c:\windows\system32\infocardapi.dll
2011-04-22 07:31:41 622080 ----a-w- c:\windows\system32\icardagt.exe
2011-04-22 07:31:41 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2011-04-22 07:31:41 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2011-04-22 07:31:40 11264 ----a-w- c:\windows\system32\icardres.dll
2011-04-22 07:31:39 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2011-04-22 07:28:44 158720 ----a-w- c:\windows\system32\mscorier.dll
2011-04-22 07:28:41 83968 ----a-w- c:\windows\system32\mscories.dll
2011-04-22 07:27:53 24064 ----a-w- c:\windows\system32\nshhttp.dll
2011-04-22 07:27:51 411136 ----a-w- c:\windows\system32\drivers\http.sys
2011-04-22 07:27:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2011-04-22 07:27:40 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-04-21 14:33:56 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-21 14:32:59 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-04-21 14:31:56 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2011-04-21 14:24:54 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-04-21 14:24:52 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 00:15:34 -------- d-----w- c:\progra~2\Electronic Arts
2011-04-21 00:15:34 -------- d-----w- c:\progra~2\EA Core
2011-04-21 00:12:35 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-04-21 00:12:35 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-04-21 00:12:35 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-04-21 00:12:35 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-04-21 00:12:35 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-04-20 23:55:54 -------- d-----w- c:\program files\Microsoft WSE
2011-04-20 22:37:26 171520 ----a-w- c:\windows\system32\wintrust.dll
2011-04-20 22:37:25 98304 ----a-w- c:\windows\system32\cabview.dll
2011-04-20 22:37:03 -------- d-----w- c:\users\cubit\appdata\local\Mozilla
2011-04-20 22:33:13 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-04-20 22:33:08 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-04-20 22:33:03 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-04-20 22:33:03 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-04-20 22:28:09 -------- d-----w- c:\users\cubit\appdata\local\Toshiba
2011-04-20 22:27:59 -------- d-----w- c:\users\cubit\appdata\roaming\Symantec
2011-04-20 22:27:46 -------- d-----w- c:\users\cubit\appdata\local\Adobe
2011-04-20 22:27:03 -------- d-----w- c:\program files\common files\Ulead Systems
2011-04-20 22:27:02 -------- d-----w- c:\program files\Ulead Systems
2011-04-20 22:23:33 6 ----a-w- c:\windows\silentOnce.tmp
2011-04-20 22:05:06 -------- d-----w- c:\windows\RE_DRIVE
.
==================== Find3M ====================
.
2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-18 15:48:42 833024 ----a-w- c:\windows\system32\wininet.dll
2011-02-18 15:45:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-18 14:09:54 389632 ----a-w- c:\windows\system32\html.iec
2011-02-18 13:48:10 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-16 15:35:41 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-02-16 15:29:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 13:24:56 292864 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 10:46:52.31 ===============

Attached Files


Edited by ebriel, 23 April 2011 - 03:09 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:16 PM

Posted 01 May 2011 - 08:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:16 PM

Posted 12 May 2011 - 10:23 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users