11-14-2008, 06:36 PM   #1
dcogent1
Registered User

Join Date: Nov 2008
Posts: 10
OS: windows xp 2000


Google Hijacked by virus....browser shuts down

OMG....new to this forum.....I am having a fit with this computer...I have tried to run all types of antivirus software and nothing works...every time I open up IE and do a search I get a banner at the top saying that I have been infected by some type of spyware with some stupid youtube porn link beneath it, no matter what I search for. Then when I click the desired results I get redirected to one of two of the same pages telling me that I have been infected and need to get a scan....soooooo frustrating...It took so much patience to get to this site to post my thread after a whole day of being redirected and clicking the back button, then I frequently get the message that my IE has encountered a serious problem and needs to close....so much trouble......I read and followed the instructions before I posted this so here are my results......I am in desperate measures, time to let the experts handle it...help please!!!


System:
Microsoft Windows XP
Home Edition
Version 2002
Service pack 3

I can't find out where to attach my Attach.txt and
gmer.txt file....maybe because I had to stop the page while it was loading before I got redirected, so I will copy and paste them....sorry if that's bad!!


DDS (Version 1.0) - NTFSx86
Run by Josh at 16:31:09.59 on Fri 11/14/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.111.37 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Josh\Desktop\New Folder\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60327
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
mWinlogon: SFCDisable=4 (0x4)
BHO: {17D562A6-DA3D-4F87-B659-86CD06473AB5} - c:\windows\system32\dzhoil.dll
BHO: {2E3603DE-A5C8-4B8D-85AF-FA160D18B1CC} -
BHO: {8F912529-E236-4B9A-8EAB-BED43FF4C66C} -
BHO: {B7C234D8-1DE7-4414-B4B9-F9EF76A46FCA} -
BHO: {B7FA8E6E-64F9-3C58-DA58-3CE607870C9C} -
BHO: {d440c7f2-a7f4-4e14-a15f-b09850a25d08} -
BHO: {E7EE986D-504C-4429-E9AB-8AB1C653514B} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: jkkiihe - jkkiihe.dll
Notify: winlft32 - winlft32.dll
AppInit_DLLs: c:\windows\system32\ldcore.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbxut.dll

============= SERVICES / DRIVERS ===============

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys
S2 DomainService;DomainService;

============== File Associations ===============

inifile=NOTEDAD.EXE %1
regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2008-11-14 16:23 250 a------- c:\windows\gmer.ini
2008-11-14 05:23 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-14 05:23 <DIR> --d----- c:\docume~1\josh\applic~1\Spyware Terminator
2008-11-14 05:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-11-14 05:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2008-11-14 05:22 <DIR> --d----- c:\program files\Spyware Terminator
2008-11-14 05:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-11-14 05:21 <DIR> --d----- c:\docume~1\josh\applic~1\SUPERAntiSpyware.com
2008-11-14 05:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-13 17:18 61,440 a------- c:\windows\system32\dzhoil.dll
2008-11-13 16:30 <DIR> --d----- c:\windows\pss
2008-11-13 03:56 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-13 03:55 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-02 19:24 <DIR> --d----- c:\windows\system32\scripting
2008-11-02 19:24 <DIR> --d----- c:\windows\l2schemas
2008-11-02 19:24 <DIR> --d----- c:\windows\system32\en
2008-11-02 19:24 <DIR> --d----- c:\windows\system32\bits
2008-11-02 19:21 <DIR> --d----- c:\windows\ServicePackFiles
2008-11-02 19:17 <DIR> --d----- c:\windows\network diagnostic
2008-11-02 19:00 <DIR> --d----- c:\windows\EHome
2008-11-02 13:08 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-11-02 13:08 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-02 13:08 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2008-11-02 13:08 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2008-11-02 13:08 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2008-11-02 13:08 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2008-11-02 13:08 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2008-11-02 13:08 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-02 13:08 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2008-11-02 11:03 1,060,864 a------- c:\windows\system32\MFC71.dll
2008-11-02 08:54 999 -c------ c:\windows\system32\dllcache\bktrh.gif
2008-11-02 08:12 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-11-02 08:12 272,128 -------- c:\windows\system32\drivers\bthport.sys
2008-11-02 08:12 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2008-11-02 08:12 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-11-02 08:11 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-11-02 08:11 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-11-02 08:11 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-11-02 08:11 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-02 08:11 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-02 08:10 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-02 08:10 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-02 08:07 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll

==================== Find3M ====================

2008-11-14 15:27 <DIR> --d----- c:\program files\BitTorrent
2008-11-14 15:26 <DIR> --d----- c:\program files\Image-Line
2008-11-14 15:26 <DIR> --d----- c:\program files\VstPlugins
2008-11-13 16:42 1,536 ac------ c:\windows\system32\TrueSoft.dat
2008-11-02 19:35 <DIR> --d----- c:\program files\Messenger
2008-11-02 19:29 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-02 19:20 <DIR> --d----- c:\program files\Windows NT
2008-11-02 11:47 <DIR> --d----- c:\program files\Online Services
2008-11-02 11:42 <DIR> --d----- c:\program files\common files\??mantec
2008-11-02 11:06 80,730 ---sh--- c:\windows\system32\tuxbc.ini2
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 09:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-25 23:24 826,368 a------- c:\windows\system32\wininet.dll
2007-12-09 19:36 <DIR> --d----- c:\docume~1\josh\applic~1\BitTorrent
2007-12-08 09:27 <DIR> --d----- c:\docume~1\josh\applic~1\Sunbelt Software
2007-12-05 20:23 <DIR> --d----- c:\docume~1\josh\applic~1\PC Tools
2007-08-22 19:50 <DIR> --d----- c:\docume~1\josh\applic~1\LimeWire
2007-05-27 09:16 <DIR> --d----- c:\docume~1\josh\applic~1\Inside Amok
2007-05-12 08:57 <DIR> --d----- c:\docume~1\josh\applic~1\HotSync
2007-12-03 22:57 69,593 ---sh--- c:\windows\system32\tuxbc.bak1
2008-03-09 11:48 233,805 ---sh--- c:\windows\system32\tuxbc.bak2

============= FINISH: 16:32:16.81 ===============


Attach dds log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/10/2007 11:39:22 PM
System Uptime: 11/14/2008 4:26:11 PM (0 hours ago)

Motherboard: ECS | | K7SOM+
Processor: AMD Athlon(tm) XP 1500+ | Slot-1 | 1350/100mhz
BIOS: Default System BIOS | AMIINT - 1000 | 07.00T | 4/1/2001 5:00:00 PM

==== Disk Partitions =========================

C: is FIXED (NTFS) - 38 GiB total, 27.64 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP76: 11/2/2008 8:41:48 AM - Software Distribution Service 3.0
RP77: 11/2/2008 8:34:30 AM - Removed AVG 7.5
RP78: 11/2/2008 8:45:55 AM - Installed AVG 7.5
RP79: 11/2/2008 1:13:03 PM - Software Distribution Service 3.0
RP80: 11/2/2008 1:23:02 PM - Installed Windows NLSDownlevelMapping.
RP81: 11/2/2008 1:26:40 PM - Installed Windows IDNMitigationAPIs.
RP82: 11/2/2008 1:32:45 PM - Installed Windows Internet Explorer 7.
RP83: 11/2/2008 1:35:21 PM - Software Distribution Service 3.0
RP84: 11/2/2008 1:58:40 PM - Software Distribution Service 3.0
RP85: 11/2/2008 6:26:35 PM - Software Distribution Service 3.0
RP86: 11/3/2008 6:30:22 AM - Software Distribution Service 3.0
RP87: 11/13/2008 6:59:42 AM - System Checkpoint
RP88: 11/13/2008 4:11:25 PM - Software Distribution Service 3.0
RP89: 11/13/2008 5:16:24 PM - Removed Microsoft Silverlight
RP90: 11/13/2008 9:25:46 PM - Software Distribution Service 3.0
RP91: 11/14/2008 5:21:27 AM - Installed SUPERAntiSpyware Free Edition
RP92: 11/14/2008 7:01:40 AM - Spyware Terminator - restore point
RP93: 11/14/2008 8:30:10 AM - Removed Google Toolbar for Internet Explorer

==== Installed Programs ======================

Adobe Acrobat 4.0
Adobe Flash Player ActiveX
Hotfix for Windows XP (KB952287)
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
HSP56 MR Drivers
J2SE Runtime Environment 5.0 Update 3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Photosmart Printer 130,230,7150,7350,7550 (Remove only)
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SiS 650_651_M650_740
Spyware Terminator
SUPERAntiSpyware Free Edition
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
WebFldrs XP
WinAce Archiver
Windows Internet Explorer 7
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages ===================

11/13/2008 5:18:09 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
11/13/2008 5:00:02 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
11/13/2008 400 PM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).
11/13/2008 4:05:07 PM, error: PlugPlayManager [11] - The device Root\LEGACY_WINIO\0000 disappeared from the system without first being prepared for removal.
11/13/2008 4:04:13 PM, error: Service Control Manager [7000] - The avast! Web Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/13/2008 4:04:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.
11/13/2008 4:01:23 PM, error: Dhcp [1002] - The IP address lease 192.168.1.66 for the Network Card with network address 000AE6F5F189 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/13/2008 3:05:57 PM, error: System Error [1003] - Error code 100000d1, parameter1 fc4f6e80, parameter2 00000002, parameter3 00000000, parameter4 fc4f6e80.
11/13/2008 3:03:50 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SISPORT\0000 disappeared from the system without first being prepared for removal.
11/13/2008 3:00:04 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
11/13/2008 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
11/13/2008 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
11/13/2008 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
11/13/2008 11:00:01 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
11/13/2008 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
11/13/2008 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
11/13/2008 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
11/13/2008 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
11/13/2008 6:00:05 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
11/13/2008 5:00:13 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
11/13/2008 4:00:02 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
11/13/2008 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
11/13/2008 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
11/13/2008 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
11/13/2008, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
11/12/2008 11:00:04 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
11/12/2008 10:00:05 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
11/12/2008 9:00:06 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
11/12/2008 8:00:02 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
11/12/2008 7:58:41 PM, error: System Error [1003] - Error code 100000d1, parameter1 fc5dae80, parameter2 00000002, parameter3 00000000, parameter4 fc5dae80.
11/13/2008 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
11/13/2008 6:32:00 PM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 2 time(s).
11/13/2008 7:00:14 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
11/13/2008 9:27:33 PM, error: Dhcp [1002] - The IP address lease 192.168.5.3 for the Network Card with network address 000AE6F5F189 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/14/2008 9:33:01 AM, error: Dhcp [1002] - The IP address lease 192.168.5.2 for the Network Card with network address 000AE6F5F189 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/14/2008 3:28:15 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avast! Antivirus service.
11/14/2008 3:28:43 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
11/14/2008 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
11/14/2008 4:28:10 PM, error: System Error [1003] - Error code 10000050, parameter1 fdc28000, parameter2 00000000, parameter3 f934ab91, parameter4 00000000.

==== End Of File ===========================


GMER Scan log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-14 16:48:42
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xFA752606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xFA75205A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xFA751D3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xFA753652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xFA751E46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xFA751F30]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xFA7528CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xFA752362]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xFA751BBA]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xFA738F20]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xFA752494]

---- EOF - GMER 1.0.14 ----
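The persistence entries in the pseudo-HJT section of the DDS log above (a BHO with no file after the dash, Winlogon Notify DLLs given by bare name, an AppInit_DLLs value, and an extra LSA authentication package) are what a malware-removal helper looks at first. As an added example that is not part of the original post or of the DDS tool, this Python script applies those four checks to a constructed sample built from the lines quoted above; the rule names are my own.

```python
# Added example: a small triage helper for the "Psuedo HJT Report" section of a
# DDS log. Not part of DDS and not the original poster's code; rule names are
# made up here for illustration.
import re

# Constructed sample modelled on the persistence lines quoted in the post.
SAMPLE_LOG = """\
BHO: {17D562A6-DA3D-4F87-B659-86CD06473AB5} - c:\\windows\\system32\\dzhoil.dll
BHO: {2E3603DE-A5C8-4B8D-85AF-FA160D18B1CC} -
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
Notify: !SASWinLogon - c:\\program files\\superantispyware\\SASWINLO.dll
Notify: jkkiihe - jkkiihe.dll
Notify: winlft32 - winlft32.dll
AppInit_DLLs: c:\\windows\\system32\\ldcore.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\cbxut.dll
"""

LINE_RE = re.compile(r"^(?P<key>[A-Za-z_]+):\s*(?P<rest>.*)$")


def triage(text):
    """Return a list of (rule, line) findings for suspicious persistence entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        if key == "BHO":
            # "{CLSID} -" with nothing after the dash: a registered browser
            # helper object whose file DDS could not resolve on disk.
            path = rest.partition(" - ")[2].strip()
            if not path:
                findings.append(("bho_no_file", line))
        elif key == "Notify":
            # A Winlogon Notify DLL named without a directory is loaded from
            # the search path at every logon; legitimate entries carry a path.
            dll = rest.partition(" - ")[2].strip()
            if dll and "\\" not in dll:
                findings.append(("winlogon_notify_bare_dll", line))
        elif key == "AppInit_DLLs":
            # Anything in AppInit_DLLs is injected into every process that
            # loads user32.dll, so a non-empty value always merits review.
            if rest.strip():
                findings.append(("appinit_dlls_set", line))
        elif key == "LSA":
            # Authentication packages beyond msv1_0 see every logon credential.
            name, _, value = rest.partition("=")
            if name.strip() == "Authentication Packages":
                extra = [p for p in value.split() if p.lower() != "msv1_0"]
                if extra:
                    findings.append(("lsa_extra_auth_package", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:26} {line}")
```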