Invisible Infection

Discussion in 'System Security & Infection Support' started by Hummingbird, Sep 26, 2010.

  1. Hummingbird

    Hummingbird VIP Member

    Joined:
    Nov 8, 2003
    Messages:
    329
    Likes Received:
    3
    Location:
    Ohio, USA
    Hey all - so for the past few weeks I've been having popups from Firefox. At first I am redirected to dynamicwebstreams.com or lynxtrack.com and then immediately to some ad site. I Googled it and apparently it's a very well hidden virus/worm/rootkit. I've downloaded half a dozen different anti-virus/anti-rootkit programs and they find nothing. I did find a site with very complex directions about altering the registry, but I'd prefer not to delve into that. Is there any other way to get rid of this thing? Here's my HijackThis log if it's worth anything:


    ******************************************************************************

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:54:55 PM, on 9/25/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBAMUI.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Cynthia\Desktop\HijackThis(2).exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\IPSBHO.DLL
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe"
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -update plugin
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    O4 - Global Startup: WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
    O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBPIMSvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    End of file - 7392 bytes

    ***************************************************************************


    During the scan it said for some reason access was denied to the 'Hosts' file and thus wouldn't be able to scan/fix anything in that file. That concerns me. Anyway . . . any help is appreciated!


    Thanks!

    Cynthia :)
     
    Hummingbird, Sep 26, 2010
    #1
    1. Advertisements

  2. Hummingbird

    S Walch MAME 0.64 :) VIP Member

    Joined:
    Jun 2, 2003
    Messages:
    1,026
    Likes Received:
    14
    Location:
    Manchester
    Definitely sounds like a Rootkit.

    Have you tried TDSSKiller? - http://support.kaspersky.com/downloads/utils/tdsskiller.zip

    I can't see anything on your HiJackthis log, and it may be best that you give us a list of the programmes that you've downloaded to try and get rid of this thing so we all don't end up recommending ones you've already tried :)
     
    S Walch, Sep 26, 2010
    #2
    1. Advertisements

  3. Hummingbird

    Hummingbird VIP Member

    Joined:
    Nov 8, 2003
    Messages:
    329
    Likes Received:
    3
    Location:
    Ohio, USA
    Hello - so I just tried TDSSKiller and it found no infection. I've also tried these progs:

    Registry Mechanic, Free Windows Registry Repair, CounterSpy, MalwareBytes Anti-Malware, Sophos Anti-Rootkit, AVG Anti-Rootkit, and Bazooka (which SUCKS).

    Any ideas?
     
    Hummingbird, Sep 26, 2010
    #3
  4. Hummingbird

    S Walch MAME 0.64 :) VIP Member

    Joined:
    Jun 2, 2003
    Messages:
    1,026
    Likes Received:
    14
    Location:
    Manchester
    Do the popups only happen on FF, or is it cross browser?

    If it's only FF, then uninstall it, use registry mechanic to remove any trace of it from the registry, and then reinstall and see if that helps.

    If it doesn't, and it's just on FF, then using a different browser would be okay.

    Failing that, I'm afraid it's a backup of your files and a re-installation of Windows =/

    Unless someone can think of another scan you can do, I'm afraid I think you've tried most of the best.

    There's a few other Anti-Rootkits around: Avira Anti-Rootkit | F-Secure BlackLight Rootkit Eliminator

    And there's loads more software stuff on http://www.antirootkit.com/
     
    S Walch, Sep 26, 2010
    #4
  5. Hummingbird

    Goober THQ's Jester Moderator

    Joined:
    Jul 26, 2004
    Messages:
    2,864
    Likes Received:
    35
    Location:
    Colorado
    Take a look here (just copy and paste it):

    Go to Start then click on run

    C:\Windows\System32\drivers\etc\hosts

    Open it with notepad, there should only be one or two entries
     
    Goober, Sep 28, 2010
    #5
  6. Hummingbird

    Hummingbird VIP Member

    Joined:
    Nov 8, 2003
    Messages:
    329
    Likes Received:
    3
    Location:
    Ohio, USA
    I think it is cross-browser . . . ok I did the Start>Run thing and this is what it said:




    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    ::1 localhost



    Any further tips?
     
    Hummingbird, Sep 28, 2010
    #6
  7. Hummingbird

    Goober THQ's Jester Moderator

    Joined:
    Jul 26, 2004
    Messages:
    2,864
    Likes Received:
    35
    Location:
    Colorado
    Try SuperAntiSpyware and I'll think of some other things later today. You can just run the portable scanner.
     
    Goober, Sep 30, 2010
    #7
  8. Hummingbird

    Hummingbird VIP Member

    Joined:
    Nov 8, 2003
    Messages:
    329
    Likes Received:
    3
    Location:
    Ohio, USA
    Well I think I got it figured out! NO idea how it got installed, but there was a Firefox Add-On called something like "Dynamic Media" - I uninstalled and have had no problems for 3 days now! Thanks, though, guys!

    Cynthia :)
     
    Hummingbird, Oct 3, 2010
    #8
  9. Hummingbird

    Goober THQ's Jester Moderator

    Joined:
    Jul 26, 2004
    Messages:
    2,864
    Likes Received:
    35
    Location:
    Colorado
    Huh, would have never guessed. Congrats on solving it and letting us know what it was.
     
    Goober, Oct 5, 2010
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.