
Redirect/tdss


MBAM detected TDSS and multiple rogue AV. I fixed it but on reboot it was still there. Ran AVG and fixed the problems it detected. Ran MBAM again and still the same problem. Ran TDSSKiller followed by MBAM and now TDSS is not detected but I am still being redirected with Firefox and sometimes new tabs will open themselves going to odd sites. Ran GMER but when I tried to save the log the PC froze. The 2nd time with GMER caused an instant blue screen and the 3rd time again froze the PC.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Grumpy at 7:52:20.37 on Wed 04/07/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.450 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Grumpy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/

mWinlogon: SFCDisable=-99 (0xffffff9d)

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grumpy\applic~1\mozilla\firefox\profiles\4pr0ylg0.default\

FF - component: c:\documents and settings\grumpy\application data\mozilla\firefox\profiles\4pr0ylg0.default\extensions\{bc04b34e-5dd8-465a-a5e0-86f7c11bc009}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\grumpy\application data\mozilla\firefox\profiles\4pr0ylg0.default\extensions\{bc04b34e-5dd8-465a-a5e0-86f7c11bc009}\components\RadioWMPCore.dll

FF - component: c:\documents and settings\grumpy\application data\mozilla\firefox\profiles\4pr0ylg0.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\sony online entertainment\station launcher\npsoe.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-6 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-6 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-6 242696]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-6 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-6 308064]

S3 efipsk;efipsk;\??\c:\docume~1\grumpy\locals~1\temp\efipsk.sys --> c:\docume~1\grumpy\locals~1\temp\efipsk.sys [?]

S4 AMDFusionSVC;AMD Fusion Utility Service;c:\program files\amd\amd fusion utility for desktops\FusionSVC.exe [2009-9-8 383544]

S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-16 25832]

S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-04-06 21:50:13 0 ----a-w- c:\documents and settings\grumpy\defogger_reenable

2010-04-06 12:44:52 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-04-06 12:23:44 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2010-04-06 12:23:44 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX

2010-04-06 12:23:43 0 d-----w- c:\program files\SpywareBlaster

2010-04-06 12:13:54 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-06 11:58:31 0 d--h--w- C:\$AVG

2010-04-06 08:18:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-06 08:18:29 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-06 08:18:27 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-06 08:18:17 0 d-----w- c:\windows\system32\drivers\Avg

2010-04-06 08:18:02 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-03-16 07:21:15 23 ----a-w- c:\windows\BlendSettings.ini

==================== Find3M ====================

2010-04-06 21:26:13 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-29 14:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-18 09:30:20 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat

2009-05-18 09:30:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat

2009-05-18 09:30:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051820090519\index.dat

2009-05-18 09:30:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 7:53:29.20 ===============


Hi Grumpytoo And Welcome to Malwarebytes!

Sounds like this rootkit has replaced your IDE driver file with malware. Let's see.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

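A small triage pass over the kind of DDS lines posted above, added here as an example; it is not a DDS or Malwarebytes tool. The sample lines are copied from the log in this thread, while the core-driver watch-list, the 7-day window and the rule names are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log posted in this thread,
# plus the scan date from its header.
SCAN_DATE = datetime(2010, 4, 7)
SAMPLE_LOG = r"""
Hosts: 127.0.0.1 www.spywareinfo.com
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-6 216200]
S3 efipsk;efipsk;\??\c:\docume~1\grumpy\locals~1\temp\efipsk.sys --> c:\docume~1\grumpy\locals~1\temp\efipsk.sys [?]
2010-04-06 21:26:13 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-29 14:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 09:30:20 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
"""

# Illustrative watch-list (an assumption, not part of DDS): core XP drivers
# that normally change only with a service pack or hotfix, so a fresh mtime
# on one of them right around the infection date deserves a closer look.
CORE_DRIVERS = {"atapi.sys", "ntfs.sys", "ndis.sys", "disk.sys"}

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^[RS]\d+\s+([^;]+);[^;]*;(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")


def triage(lines, scan_date, window_days=7):
    """Return (rule, detail) pairs for DDS lines that deserve a closer look."""
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1).startswith("127.") and m.group(2) != "localhost":
            # A HOSTS entry pointing a real site at loopback blocks that site;
            # security vendors' sites are a classic target of this trick.
            findings.append(("hosts_redirect", m.group(2)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Services/drivers whose image lives under a temp directory.
            if "\\temp\\" in m.group(2).lower():
                findings.append(("driver_in_temp", m.group(1)))
            continue
        m = FILE_RE.match(line)
        if m:
            stamp, _size, attrs, path = m.groups()
            if attrs.startswith("d"):  # directory entry, not a file
                continue
            name = path.lower().rsplit("\\", 1)[-1]
            mtime = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            if name in CORE_DRIVERS and scan_date - mtime <= timedelta(days=window_days):
                findings.append(("core_driver_recently_modified", name))
    return findings


def triage_text(text, scan_date, window_days=7):
    return triage(text.strip().splitlines(), scan_date, window_days)


if __name__ == "__main__":
    for rule, detail in triage_text(SAMPLE_LOG, SCAN_DATE):
        print(f"{rule}: {detail}")
```

On the sample it flags the HOSTS block on www.spywareinfo.com, the efipsk driver loaded from the user's temp folder, and atapi.sys modified the day before the scan, while leaving the AVG and MBAM drivers alone.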

I'd like you to check (a file/some files) for Viruses.

c:\windows\explorer.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\ctfmon.exe
Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Repeat for all files on the list, and post me the details please.

c:\windows\explorer.exe - no virus found ( analisis/96214ea2356ac16f258946223cfdbb6cff6f44a51425fa86ab10abbedd330a71-1262220408 )

c:\windows\system32\winlogon.exe - 2/41 results - eSafe 7.0.17.0 2010.01.05 Win32.Banker ;

McAfee-GW-Edition 6.8.5 2010.01.05 Heuristic.LooksLike.Win32.Esploeo.J .

( analisis/5786d04a702ff48ad28fb9e055a6c86509b8c9a01e9b9b6c8b531c6483e79819-1262734005 )

c:\windows\system32\ctfmon.exe 3/41 results : Authentium 5.2.0.5 2010.02.20 W32/Dropper.ASNB

eSafe 7.0.17.0 2010.02.18 Win32.Banker

F-Prot 4.5.1.85 2010.02.20 W32/Dropper.ASNB

analisis/e1e11638ca6670c45287101da8fe5be9dbb258e19e7397493ffcc750e02a09d1-1266752880


Some of your system critical files are not passing Windows Signature Verification? Perhaps you got copies of files from other machines with a different OS, or not with the same service packs. Let's see.

Please run the MGA Diagnostic Tool and post back the report it creates:

  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


Diagnostic Report (1.9.0019.0):

-----------------------------------------

WGA Data-->

Validation Status: Geographically blocked PID

Validation Code: 13

Cached Validation Code: N/A

Windows Product Key: *****-*****-WGYJY-HHYDH-KKX9B

Windows Product Key Hash: wxqOMJsR+LRtbxR3p9MmRqRwfUk=

Windows Product ID: 76487-640-0427404-23437

Windows Product ID Type: 1

Windows License Type: Volume

Windows OS version: 5.1.2600.2.00010100.3.0.pro

ID: {FDAFC751-242A-4DC7-8A50-975DB71B7936}(1)

Is Admin: Yes

TestCab: 0x0

WGA Version: N/A, hr = 0x80070002

Signed By: N/A, hr = 0x80070002

Product Name: N/A

Architecture: N/A

Build lab: N/A

TTS Error: N/A

Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Resolution Status: N/A

WgaER Data-->

ThreatID(s): N/A

Version: N/A

WGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

File Exists: No

Version: N/A, hr = 0x80070002

WgaTray.exe Signed By: N/A, hr = 0x80070002

WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->

Cached Result: N/A, hr = 0x80070002

Version: N/A, hr = 0x80070002

OGAExec.exe Signed By: N/A, hr = 0x80070002

OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->

Office Status: 109 N/A

OGA Version: N/A, 0x80070002

Signed By: N/A, hr = 0x80070002

Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1

Browser Data-->

Proxy settings: N/A

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)

Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe

Download signed ActiveX controls: Prompt

Download unsigned ActiveX controls: Disabled

Run ActiveX controls and plug-ins: Allowed

Initialize and script ActiveX controls not marked as safe: Disabled

Allow scripting of Internet Explorer Webbrowser control: Disabled

Active scripting: Allowed

Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

File Mismatch: C:\WINDOWS\system32\winlogon.exe[5.1.2600.5512]

File Mismatch: C:\WINDOWS\system32\setupapi.dll[5.1.2600.5508]

Other data-->

Office Details: <GenuineResults><MachineData><UGUID>{FDAFC751-242A-4DC7-8A50-975DB71B7936}</UGUID><Version>1.9.0019.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-KKX9B</PKey><PID>76487-640-0427404-23437</PID><PIDType>1</PIDType><SID>S-1-5-21-1757981266-879983540-1801674531</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0808 </Version><SMBIOSVersion major="2" minor="4"/><Date>20080327000000.000000+000</Date></BIOS><HWID>98E8390F01008068</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>E. Australia Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>haiter</name><model>XP-Windows7</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->

N/A

Windows Activation Technologies-->

N/A

HWID Data-->

N/A

OEM Activation 1.0 Data-->

BIOS string matches: yes

Marker string from BIOS: 14FF0:ASUSTeK Computer Inc

Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->

N/A


  • Root Admin

Well I'm sorry but since you have evidence of cracked or pirated software you're using on the system I have no choice but to close this thread now.

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.
