Post #1 | Jan 13 2009, 03:47 PM | New Member (Group: Members, Posts: 4, Joined: 16-December 08, Member No.: 270,572)
Basically I noticed some funny business around Dec 1st when NOD32 started firing off warnings about a score of viruses it had all of a sudden found. I'm pretty sure this came from some drive-by browser breach because not too long before that [maybe 10 minutes?] I had encountered some web page that was a real pain to close and had all the signs of one of those rogue antispyware/antivirus peddling sites. Well so I figured NOD32 had taken care of the problem, but I guess it should have occurred to me then that the delayed response was merely one to side effects and not the initial infection. So fast forward to around Dec 10-15th or so. I started noticing that every so often links from Google search results would take me to odd sites that had nothing to do with the descriptions. I checked the URLs on the actual links and they had not been obscured to fool me into thinking they were legitimate - instead they were going to "goougle.com" and used a redirect from there. I checked my network connections with tcpviewer and found something similar to my attached globox.jpg image. This happened when searching in either IE or Firefox. OK so now I know something's up for sure. I do a full scan with NOD32 and come up with nothing. I boot into safe mode and try again. Still nothing, so after Spybot and Adaware scans I started searching the internet. I found a post similar to my problem [don't have a link right now] and it seemed like a lot of people were recommending Malwarebytes for a good spyware removal tool. I still thought Spybot and Adaware were good, but apparently they've really fallen off. =P Well so I'm getting fed up with this infection and boot into safe mode and run a Malwarebytes scan and it found a good handful of things. I can't remember why I ran it so many different times, but all three logfiles are attached for reference.
Well then I noticed that IE no longer has the globoxhost connection during searches [and the resulting symptoms are absent as well!], but unfortunately Firefox is still plagued by the issue. So I decide it's time to come here and really see what HJT is all about. I read the newbie instructions and see that you recommend running the online Kaspersky virus scan as an optional step, so I run it and it finds an additional infected file. I couldn't delete it then so I used an alternate boot method and got rid of it. I still have globox madness. Finally I turn my attention to Firefox itself. Maybe there's some addon or extension that's giving me this trouble. I start it in safe mode and search and it works fine! I tried disabling all of my addons etc and running normally, but it didn't work so I finally just resorted to backing up my bookmarks and uninstalling. After a reinstall all was fine. Great. Fast forward to a few days ago. It's back, and now uninstalling and whatever else isn't working. I noticed some other weird things when the infection began as well; for instance the Java VM started up and I recently noticed a Vuze Launcher listing in my Add/Remove Programs dialog. From what I understand Vuze is the new name for the BitTorrent client Azureus and I have never installed either one. From what I read, though, Vuze uses Java, so maybe the attack uses Vuze to download new trojans to my system? I have since uninstalled the old versions of Java I still had on my system in case there are any vulnerabilities for attack. I scanned with NOD32 again and find nothing...again. I uninstall and start trying other AV packages. I read good things about Norton 2009 so I installed a trial and it found one thing. Avira found a few more. Kaspersky found even more. I am including my self-made log combining all of these finds, but with Kaspersky naming conventions [bleeping.computer.txt].
Anywho I think I've already written a novel here, and I may not get any help because of that, but if you need any more info let me know. I'll try to remember any other details and post them as they come to mind. Thanks for taking the time to read. =)

DDS LOG:

DDS (Ver_09-01-07.01) - NTFSx86
Run by soydeedo at 14:00:07.26 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1282 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\soydeedo\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\soydeedo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\soydeedo\Desktop\proggies\TcpView\Tcpview.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\soydeedo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [SansaDispatch] c:\documents and settings\soydeedo\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [Google Update] "c:\documents and settings\soydeedo\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\soydeedo\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\soydeedo\applic~1\mozilla\firefox\profiles\sio0nu1k.default\
FF - plugin: c:\documents and settings\soydeedo\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {E4FC5F79-11E2-42AE-B604-EFA295467364} - c:\documents and settings\soydeedo\local settings\application data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
FF - HiddenExtension: XUL Cache: {B960E45E-5A4A-41A8-B67A-27A619881891} - c:\windows\system32\config\systemprofile\local settings\application data\{b960e45e-5a4a-41a8-b67a-27a619881891}\

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-3-11 179584]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-3-11 49536]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-12 227344]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-3-8 40928]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-3-8 27776]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [2008-3-8 47552]
R4 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-1-30 41456]
R4 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2008-3-28 13864]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-6-18 386688]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2008-3-8 30656]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-01-13 05:55 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-12 23:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-12 23:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-12 23:36 <DIR> --d----- c:\docume~1\soydeedo\applic~1\SUPERAntiSpyware.com
2009-01-12 02:09 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-12 02:09 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-12 02:08 9,286,176 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-12 02:08 729,120 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-01-12 02:08 74,676 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-12 02:08 4,620 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-01-12 02:08 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-12 02:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-01-12 02:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-11 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-11 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-01-11 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-11 18:26 <DIR> --d----- c:\program files\Avira GmbH
2009-01-11 02:25 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-10 07:31 <DIR> --d----- c:\program files\ThreatFire
2009-01-10 07:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-01-04 14:14 <DIR> --d----- c:\windows\system32\AGEIA
2009-01-04 14:14 203,188 a------- c:\windows\system32\nvapps.xml
2009-01-04 14:14 18,537 a------- c:\windows\system32\nvdisp.nvu
2009-01-04 13:48 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-02 06:37 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-17 12:11 <DIR> --d----- c:\program files\trend micro
2008-12-16 15:46 5,702 a---h--- c:\windows\nod32restoretemdono.reg

==================== Find3M ====================

2009-01-13 05:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 10:13 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-11-23 21:54 215,616 a------- c:\windows\system32\drivers\truecrypt.sys
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 23:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 14:01:29.84 ===============
Attached File(s): bleeping.computer.txt (224 bytes), Attach.txt (12.6k), globox.JPG (179.01k), mbam_log_2008_12_12__13_19_00_.txt (1.12k), mbam_log_2008_12_16__12_20_06_.txt (1.11k), mbam_log_2009_01_10__06_11_58_.txt (1.36k)
Post #2 | Jan 13 2009, 04:04 PM | Malware Killer Dog (Group: HJT Team, Posts: 18,450, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,
1. Please download GooredFix and save it to your Desktop.
-------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum. |
Post #3 | Jan 13 2009, 04:37 PM | New Member (Group: Members, Posts: 4, Joined: 16-December 08, Member No.: 270,572)
Thanks for the quick reply. =)
Here are the results of GooredFix:

GooredFix v1.82 by jpshortstuff
Log created at 15:32 on 13/01/2009 running Option #2 (soydeedo)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B960E45E-5A4A-41A8-B67A-27A619881891}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}\
->Backing up folder... Done.
->Emptying folder... Failed.
->Deleting folder... Failed.
->Delete on reboot... Set.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{E4FC5F79-11E2-42AE-B604-EFA295467364}"="C:\Documents and Settings\soydeedo\Local Settings\Application Data\{E4FC5F79-11E2-42AE-B604-EFA295467364}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\soydeedo\Local Settings\Application Data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

=====Reboot=====

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}"
->Unable to find folder.
Post #4 | Jan 13 2009, 04:44 PM | Malware Killer Dog (Group: HJT Team, Posts: 18,450, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Hi,
This looks OK again. How are things now?
Post #5 | Jan 13 2009, 04:56 PM | New Member (Group: Members, Posts: 4, Joined: 16-December 08, Member No.: 270,572)
Well it certainly looks like it's fixed. I'll keep tcpviewer open over the next couple days just to be sure, since it's been absent sporadically and come back again in the past, but for now everything looks good. Thanks a lot, miekie. =)
PS - I had even tried SUPERAntiSpyware and Spyware Doctor 6 and neither of them caught this either. I guess you have to catch it before infection. I'm getting a subscription to Kaspersky since it seems to be a bit stricter than NOD32 was, and maybe that'll keep me from getting infected next time.
Post #6 | Jan 13 2009, 05:14 PM | Malware Killer Dog (Group: HJT Team, Posts: 18,450, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
It should be gone now though. It was indeed an extension in your Firefox, but a hidden one.
QUOTE
FF - HiddenExtension: XUL Cache: {E4FC5F79-11E2-42AE-B604-EFA295467364} - c:\documents and settings\soydeedo\local settings\application data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
FF - HiddenExtension: XUL Cache: {B960E45E-5A4A-41A8-B67A-27A619881891} - c:\windows\system32\config\systemprofile\local settings\application data\{b960e45e-5a4a-41a8-b67a-27a619881891}\

Both folders {E4FC5F79-11E2-42AE-B604-EFA295467364} and {b960e45e-5a4a-41a8-b67a-27a619881891} should be gone now (deleted by GooredFix).
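The two registrations quoted in the post above are the whole persistence mechanism: a value under HKLM\SOFTWARE\Mozilla\Firefox\extensions whose name is the extension ID and whose data is the folder holding the extension's install.rdf. Firefox 3 loaded extensions registered this way and honored the em:hidden flag in install.rdf for them (it ignores that flag for extensions in the profile), so the Add-ons manager never listed them; that is why DDS labels the entries HiddenExtension and why disabling every visible addon changed nothing. The script below is an added example written for this thread; it is not part of DDS, GooredFix or the original posts. It parses DDS's "FF - HiddenExtension" lines (SAMPLE_DDS is constructed from the FIREFOX section posted above), scores each registration on where its folder lives, and on a live Windows host enumerates the same registry values GooredFix reads. The jqs@sun.com pair is the benign registration from the GooredFix dump and shows that a normal Program Files path is not flagged. The location heuristics in classify() are this example's own, not anything DDS or GooredFix documents.

```python
"""Triage Firefox extensions registered through the Windows registry.

Added example for this thread; not part of DDS, GooredFix or the original
posts.  SAMPLE_DDS is constructed from the FIREFOX section of the DDS log
quoted in the thread, and the location heuristics in classify() are this
example's own, not anything those tools document.
"""
import re
from dataclasses import dataclass

# Firefox 3.x loaded extensions registered as values under this subkey of
# HKLM and HKCU (value name = extension ID, value data = folder containing
# install.rdf), in addition to those in the profile's extensions directory.
EXTENSION_SUBKEY = r"SOFTWARE\Mozilla\Firefox\extensions"

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
DDS_HIDDEN_RE = re.compile(
    r"^FF - HiddenExtension: (?P<label>.+?): (?P<ext_id>\S+) - (?P<path>.+)$", re.M)

# Constructed sample: the FIREFOX section of the DDS log posted in this thread.
SAMPLE_DDS = r"""
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\soydeedo\applic~1\mozilla\firefox\profiles\sio0nu1k.default\
FF - plugin: c:\documents and settings\soydeedo\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {E4FC5F79-11E2-42AE-B604-EFA295467364} - c:\documents and settings\soydeedo\local settings\application data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
FF - HiddenExtension: XUL Cache: {B960E45E-5A4A-41A8-B67A-27A619881891} - c:\windows\system32\config\systemprofile\local settings\application data\{b960e45e-5a4a-41a8-b67a-27a619881891}\
"""

# The benign registration GooredFix dumped: a vendor path under Program Files.
BENIGN_JQS = ("jqs@sun.com", r"C:\Program Files\Java\jre6\lib\deploy\jqs\ff")


@dataclass
class Finding:
    ext_id: str
    path: str
    reasons: list

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify(ext_id: str, path: str) -> Finding:
    """Score one registration purely on where its folder lives.

    Vendor extensions registered this way point into the product's own
    directory under Program Files.  The entries in this thread instead point
    at GUID-named folders inside cache directories, one of them in the
    LocalSystem profile, which no interactive user browses from.
    """
    reasons = []
    norm = path.lower().rstrip("\\")
    folder = norm.rsplit("\\", 1)[-1]
    if GUID_RE.match(ext_id) and folder == ext_id.lower():
        reasons.append("install folder is named after the extension GUID")
    if "\\local settings\\application data\\" in norm:
        reasons.append("lives under Local Settings\\Application Data, a cache area, not an install location")
    if "\\config\\systemprofile\\" in norm:
        reasons.append("registered from the LocalSystem (systemprofile) profile")
    return Finding(ext_id, path, reasons)


def parse_dds_hidden_extensions(text: str) -> list:
    """Return (extension ID, path) pairs from DDS 'FF - HiddenExtension' lines."""
    return [(m.group("ext_id"), m.group("path").strip())
            for m in DDS_HIDDEN_RE.finditer(text)]


def triage_dds_log(text: str) -> list:
    return [classify(ext_id, path) for ext_id, path in parse_dds_hidden_extensions(text)]


def read_registered_extensions() -> list:
    """Enumerate the HKLM and HKCU Mozilla\\Firefox\\extensions values on a
    live Windows host (the same values GooredFix reads); returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, EXTENSION_SUBKEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                found.append((name, str(data)))
                index += 1
    return found


if __name__ == "__main__":
    findings = triage_dds_log(SAMPLE_DDS) + [classify(*BENIGN_JQS)]
    findings += [classify(name, data) for name, data in read_registered_extensions()]
    for f in findings:
        print(f"{'SUSPECT' if f.suspicious else 'ok':7} {f.ext_id} -> {f.path}")
        for reason in f.reasons:
            print("         -", reason)
```

Run against the constructed sample, both GUID entries come back SUSPECT (the systemprofile one with all three reasons) and jqs@sun.com comes back ok. The script only reports; removal still means backing up and deleting both the registry value and the folder, and, as the GooredFix log above shows, a folder held open by a running process may need the delete scheduled for the next reboot.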
Post #7 | Jan 13 2009, 06:14 PM | New Member (Group: Members, Posts: 4, Joined: 16-December 08, Member No.: 270,572)
Well it was still looking a bit odd, and while it wasn't going to globoxhost anymore it was pulling up more connections than either IE or Chrome, so I navigated to those two directory locations manually. The first one was gone already, but the second was still there. I deleted it, but it didn't go to the Recycle Bin...that still worries me a bit, but maybe that's policy for items in the system32 dir. After that I uninstalled Firefox, rebooted, reinstalled, and checked that directory one last time. Looks clean and GooredFix option 1 yields no suspect entries, but I'll keep my eyes peeled.
It kinda makes sense since GooredFix originally said this in the option 2 log:
QUOTE
=====Reboot=====
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}"
->Unable to find folder.

So there may be some other program deleting the folder at startup and then engaging it later, but nothing has been identified by Kaspersky for now. It should hopefully tell me if the registry entry has been made at least, so here's hoping. I'll keep you updated. Thanks again for all your help!
Post #8 | Jan 14 2009, 03:27 AM | Malware Killer Dog (Group: HJT Team, Posts: 18,450, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Glad I could help.
Please read my Prevention page with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
Post #9 | Jan 16 2009, 05:46 AM | Malware Killer Dog (Group: HJT Team, Posts: 18,450, Joined: 18-February 05, From: Belgium, Member No.: 12,408)
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.