
Infected with TDSS & Google redirects in IE and Firefox


This topic is locked
2 replies to this topic

#1 ctseattlewa

ctseattlewa

  • Members
  • 1 posts
  • Local time:05:35 AM

Posted 30 November 2011 - 03:33 PM

Hello, about 1 week ago I started noticing my Firefox browser redirecting to certain websites when I did a google search. I closed down Firefox and decided to use IE, but it is doing the same thing. I have looked on several forums and was told to download and run several malware programs to quarantine the issues, but none of them detected it, except for a program called Superantispyware which found 60 threats and restarted my comp; and it continues to have the issues.

I was unable to use the Gmer program, as all the upper right hand boxes were greyed out. Please help. Below is my log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Your Name Here at 12:00:25 on 2011-11-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.906 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Luth Research\SavvyConnectFramework\bin\dtservice\JavaInvoke.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Luth Research\SavvyConnectFramework\bin\menu\SavvyConnectMenuWTL.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Luth Research Browser Add-on: {e6c6ec35-c04a-42cd-a3a7-4f09fb0f1b76} - c:\program files\luth research\savvyconnectframework\bin\ieplugin\LuthIEPlugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [UIUCU] c:\users\yourna~1\appdata\local\temp\UIUCU.EXE -CLEAN_UP
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SavvyConnectMenu] "c:\program files\luth research\savvyconnectframework\bin\menu\SavvyConnectMenuWTL.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\yourna~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{33B04FAD-C0D1-4649-A601-E573D2CD85A1} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B37599B6-85E7-4CB5-B352-33BD8D23250F} : DhcpNameServer = 192.168.42.129
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\your name here\appdata\roaming\mozilla\firefox\profiles\o03nehfx.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-29 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-29 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-29 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-29 54616]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-29 44768]
R2 DTService;SavvyConnect Desktop Service;c:\program files\luth research\savvyconnectframework\bin\dtservice\JavaInvoke.exe [2011-6-23 242760]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-7-15 21504]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-3-31 80896]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-29 366152]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
.
=============== Created Last 30 ================
.
2011-11-30 19:18:16 388096 ----a-r- c:\users\your name here\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-30 19:18:14 -------- d-----w- c:\program files\Trend Micro
2011-11-30 19:08:22 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7ccf752b-57a3-4601-b9c2-b824baa86eee}\offreg.dll
2011-11-30 00:14:15 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-30 00:14:11 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-30 00:12:20 41184 ----a-w- c:\windows\avastSS.scr
2011-11-30 00:11:01 -------- d-----w- c:\programdata\AVAST Software
2011-11-30 00:11:01 -------- d-----w- c:\program files\AVAST Software
2011-11-29 23:30:46 -------- d-----w- c:\users\your name here\appdata\roaming\SUPERAntiSpyware.com
2011-11-29 23:21:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-29 23:21:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-29 23:16:27 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7ccf752b-57a3-4601-b9c2-b824baa86eee}\mpengine.dll
2011-11-28 20:14:57 -------- d-s---w- C:\ComboFix
2011-11-28 09:41:04 -------- d-----w- c:\programdata\Hitman Pro
2011-11-28 09:30:31 -------- d-----w- c:\users\your name here\appdata\roaming\Simply Super Software
2011-11-28 09:30:31 -------- d-----w- c:\programdata\Simply Super Software
2011-11-28 09:30:31 -------- d-----w- c:\program files\Trojan Remover
2011-11-28 06:52:09 -------- d-----w- c:\users\your name here\appdata\roaming\Malwarebytes
2011-11-28 06:51:36 -------- d-----w- c:\programdata\Malwarebytes
2011-11-28 06:51:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-26 00:41:56 -------- d--h--w- c:\users\your name here\appdata\local\Research In Motion
2011-11-26 00:41:53 -------- d-----w- c:\users\your name here\appdata\roaming\Research In Motion
2011-11-26 00:38:06 -------- d-----w- c:\programdata\Research In Motion
2011-11-26 00:37:30 -------- d-----w- c:\program files\Research In Motion
2011-11-26 00:37:30 -------- d-----w- c:\program files\common files\Research In Motion
2011-11-16 02:13:13 -------- d--h--w- c:\users\your name here\appdata\roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
2011-11-11 23:14:58 -------- d-----w- c:\users\your name here\appdata\roaming\OpenOffice.org
2011-11-11 22:29:34 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-10 02:10:43 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-10 02:10:36 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 02:10:33 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-11-16 18:04:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:07:34.70 ===============
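A first-pass triage of a DDS log like the one above, written as an added example for this thread (it is not a tool from the post or from BleepingComputer). It splits the log into its `====` sections and, from the Pseudo HJT Report, flags three things a helper would look at by hand: BHO/TB entries whose DLL is missing ("No File"), Run entries that launch from a temp folder (the `UIUCU.EXE` line), and DHCP resolvers that differ between interfaces. The sample lines are a constructed excerpt copied from the posted log; the finding names are my own.

```python
import re

# Constructed excerpt: lines copied from the DDS log posted above (not the full log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [UIUCU] c:\users\yourna~1\appdata\local\temp\UIUCU.EXE -CLEAN_UP
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{33B04FAD-C0D1-4649-A601-E573D2CD85A1} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B37599B6-85E7-4CB5-B352-33BD8D23250F} : DhcpNameServer = 192.168.42.129
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")      # "===== Section Title ====="
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def split_sections(log_text):
    """Group a DDS log into {section title: [lines]}; '.' spacer lines are dropped."""
    sections, current = {}, "header"
    for line in (l.strip() for l in log_text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections

def exe_path(rest):
    """Executable path from a Run entry; DDS prints it quoted or bare (bare may contain spaces)."""
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", rest, re.IGNORECASE)
    return m.group(1) if m else rest

def triage(log_text):
    """Return (kind, detail) findings for a helper to review by hand."""
    findings, dns = [], {}
    for line in split_sections(log_text).get("Pseudo HJT Report", []):
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(("orphan", line))       # add-on registered but its DLL is gone
        elif line.startswith(("uRun:", "mRun:")):
            path = exe_path(line.split("] ", 1)[1])
            if TEMP_RE.search(path):                # autoruns rarely belong in a temp folder
                findings.append(("autorun-from-temp", path))
        elif line.startswith("TCP:") and "DhcpNameServer" in line:
            key, _, value = line.rpartition(" = ")
            dns[key] = value
    servers = sorted(set(dns.values()))
    if len(servers) > 1:                            # resolvers differ between interfaces
        findings.append(("dns-mismatch", ", ".join(servers)))
    return findings
```

Findings are prompts for review, not verdicts: a resolver that differs per interface can simply be a tethered phone, and a temp-folder autorun can be an installer's cleanup stub.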


#2 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:35 AM

Posted 03 December 2011 - 04:27 PM

Hello ctseattlewa and welcome to Bleeping Computer!

I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:
  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):
  • TDSSKiller_log.txt
  • How the PC is running now


-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:
  • TDSSKiller report
  • C:\ComboFix.txt
  • checkup.txt

How is your computer running now?

#3 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA
  • Local time:08:35 AM

Posted 01 August 2012 - 02:02 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.