Firefox Hijack


8 replies to this topic

#1 soydeedo

soydeedo

  • Members
  • 4 posts

Posted 13 January 2009 - 03:47 PM

Hi there. I've known about these forums for some time through random google results and always thought it was so cool of you folks to give your time and help people out with their computer problems. Well the time has come for me to ask for help as well. =/

Basically I noticed some funny business around Dec 1st when NOD32 started firing off warnings about a score of viruses it had all of a sudden found. I'm pretty sure this came from some drive-by browser breach because not too long before that [maybe 10 minutes?] I had encountered some web page that was a real pain to close and had all the signs of one of those rogue antispyware/antivirus peddling sites. Well so I figured NOD32 had taken care of the problem, but I guess it should have occurred to me then that the delayed response was merely one to side effects and not the initial infection.

So fast forward to around Dec 10-15th or so. I started noticing that every so often links from Google search results would take me to odd sites that had nothing to do with the descriptions. I checked the URLs on the actual links and they had not been obscured to fool me into thinking they were legitimate - instead they were going to "goougle.com" and used a redirect from there. I checked my network connections with tcpviewer and found something similar to my attached globox.jpg image. This happened when searching in either IE or Firefox. OK so now I know something's up for sure. I do a full scan with NOD32 and come up with nothing. I boot into safe mode and try again. Still nothing, so after Spybot and Adaware scans I started searching the internet.

I found a post similar to my problem [don't have a link right now] and it seemed like a lot of people were recommending Malwarebyte's for a good spyware removal tool. I still thought Spybot and Adaware were good, but apparently they've really fallen off. =P Well so I'm getting fed up with this infection and boot into safe mode and run a Malwarebyte's scan and it found a good handful of things. I can't remember why I ran it so many different times, but all three logfiles are attached for reference.

Well then I noticed that IE no longer has the globoxhost connection during searches [and the resulting symptoms are absent as well!], but unfortunately Firefox is still plagued by the issue. So I decide it's time to come here and really see what HJT is all about. I read the newbie instructions and see that you recommend running the online Kaspersky virus scan as an optional step, so I run it and it finds an additional infected file. I couldn't delete it then so I used an alternate boot method and got rid of it. I still have globox madness.

Finally I turn my attention to Firefox itself. Maybe there's some addon or extension that's giving me this trouble. I start it in safe mode and search and it works fine! I tried disabling all of my addons etc. and running normally, but it didn't work so I finally just resorted to backing up my bookmarks and uninstalling. After a reinstall all was fine. Great.

Fast forward to a few days ago. It's back, and now uninstalling and whatever else isn't working. I noticed some other weird things when the infection began as well; for instance the Java VM started up and I recently noticed a Vuze Launcher listing in my Add/Remove Programs dialogue. From what I understand Vuze is the new name for the bittorrent client Azureus and I have never installed either one. From what I read, though, Vuze uses Java, so maybe the attack uses Vuze to download new trojans to my system? I have since uninstalled the old versions of Java I still had on my system in case there are any vulnerabilities for attack.

I scanned with NOD32 again and find nothing...again. I uninstall and start trying other AV packages. I read good things about Norton 2009 so I installed a trial and it found one thing. Avira found a few more. Kaspersky found even more. I am including my self-made log combining all of these finds, but with Kaspersky naming conventions [bleeping.computer.txt].

Anywho I think I've already written a novel here, and I may not get any help because of that, but if you need any more info let me know. I'll try to remember any other details and post them as they come to mind.

Thanks for taking the time to read. =)

DDS LOG:


DDS (Ver_09-01-07.01) - NTFSx86
Run by soydeedo at 14:00:07.26 on Tue 01/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1282 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\soydeedo\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\soydeedo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\soydeedo\Desktop\proggies\TcpView\Tcpview.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\soydeedo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [SansaDispatch] c:\documents and settings\soydeedo\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [Google Update] "c:\documents and settings\soydeedo\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\soydeedo\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\soydeedo\applic~1\mozilla\firefox\profiles\sio0nu1k.default\
FF - plugin: c:\documents and settings\soydeedo\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {E4FC5F79-11E2-42AE-B604-EFA295467364} - c:\documents and settings\soydeedo\local settings\application data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
FF - HiddenExtension: XUL Cache: {B960E45E-5A4A-41A8-B67A-27A619881891} - c:\windows\system32\config\systemprofile\local settings\application data\{b960e45e-5a4a-41a8-b67a-27a619881891}\

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2008-3-11 179584]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2008-3-11 49536]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-1-12 227344]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-3-8 40928]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-3-8 27776]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [2008-3-8 47552]
R4 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-1-30 41456]
R4 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R4 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2008-3-28 13864]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2008-6-18 386688]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2008-3-8 30656]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-01-13 05:55 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-12 23:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-12 23:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-12 23:36 <DIR> --d----- c:\docume~1\soydeedo\applic~1\SUPERAntiSpyware.com
2009-01-12 02:09 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-12 02:09 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-12 02:08 9,286,176 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-12 02:08 729,120 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-01-12 02:08 74,676 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-12 02:08 4,620 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-01-12 02:08 <DIR> --d----- c:\program files\Kaspersky Lab
2009-01-12 02:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-01-12 02:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-11 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-11 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-01-11 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-11 18:26 <DIR> --d----- c:\program files\Avira GmbH
2009-01-11 02:25 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-10 07:31 <DIR> --d----- c:\program files\ThreatFire
2009-01-10 07:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-01-04 14:14 <DIR> --d----- c:\windows\system32\AGEIA
2009-01-04 14:14 203,188 a------- c:\windows\system32\nvapps.xml
2009-01-04 14:14 18,537 a------- c:\windows\system32\nvdisp.nvu
2009-01-04 13:48 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-02 06:37 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-17 12:11 <DIR> --d----- c:\program files\trend micro
2008-12-16 15:46 5,702 a---h--- c:\windows\nod32restoretemdono.reg

==================== Find3M ====================

2009-01-13 05:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 10:13 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-11-23 21:54 215,616 a------- c:\windows\system32\drivers\truecrypt.sys
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 23:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 14:01:29.84 ===============



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 04:04 PM

Hi,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 soydeedo

soydeedo
  • Topic Starter

  • Members
  • 4 posts

Posted 13 January 2009 - 04:37 PM

Thanks for the quick reply. =)

Here are the results of GooredFix:

GooredFix v1.82 by jpshortstuff
Log created at 15:32 on 13/01/2009 running Option #2 (soydeedo)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B960E45E-5A4A-41A8-B67A-27A619881891}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}\
->Backing up folder... Done.
->Emptying folder... Failed.
->Deleting folder... Failed.
->Delete on reboot... Set.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{E4FC5F79-11E2-42AE-B604-EFA295467364}"="C:\Documents and Settings\soydeedo\Local Settings\Application Data\{E4FC5F79-11E2-42AE-B604-EFA295467364}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\soydeedo\Local Settings\Application Data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

=====Reboot=====

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}"
->Unable to find folder.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 04:44 PM

Hi,

This looks OK again.
How are things now?

#5 soydeedo

soydeedo
  • Topic Starter

  • Members
  • 4 posts

Posted 13 January 2009 - 04:56 PM

Well it certainly looks like it's fixed. I'll keep tcpviewer open over the next couple days just to be sure, since it's been absent sporadically and come back again in the past, but for now everything looks good. Thanks a lot, miekie. =)

PS - I had even tried Super AntiSpyware and Spyware Doctor 6 and neither of them caught this either. I guess you have to catch it before infection. I'm getting a subscription to Kaspersky since it seems to be a bit stricter than NOD32 was, and maybe that'll keep me from getting infected next time.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 05:14 PM

It should be gone now though. It was indeed an extension in your Firefox, but a hidden one.

FF - HiddenExtension: XUL Cache: {E4FC5F79-11E2-42AE-B604-EFA295467364} - c:\documents and settings\soydeedo\local settings\application data\{E4FC5F79-11E2-42AE-B604-EFA295467364}
FF - HiddenExtension: XUL Cache: {B960E45E-5A4A-41A8-B67A-27A619881891} - c:\windows\system32\config\systemprofile\local settings\application data\{b960e45e-5a4a-41a8-b67a-27a619881891}\


Both folders {E4FC5F79-11E2-42AE-B604-EFA295467364} and {b960e45e-5a4a-41a8-b67a-27a619881891} should be gone now (deleted by GooredFix).
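A defender-side check for the registry-registered hidden extensions miekiemoes points to above. This is an added example, not part of the thread and not GooredFix's own code: it parses a GooredFix-style "Dumping Registry Values" listing (the sample is constructed from this thread's GUIDs and paths) and flags registrations whose naming or install location matches how this hijacker registered itself. The heuristics are assumptions drawn from the logs in the thread, not a signature for the family.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape GooredFix prints under "Dumping Registry
# Values"; the two GUIDs and paths are the ones from this thread's logs.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B960E45E-5A4A-41A8-B67A-27A619881891}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}\"
"{E4FC5F79-11E2-42AE-B604-EFA295467364}"="C:\Documents and Settings\soydeedo\Local Settings\Application Data\{E4FC5F79-11E2-42AE-B604-EFA295467364}"
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_registered_extensions(dump):
    """Return (key, name, path) for every value under a ...\\extensions key."""
    entries, current_key = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key and current_key.lower().endswith("\\extensions"):
            entries.append((current_key, value_match.group(1), value_match.group(2)))
    return entries


def suspicion_reasons(name, path):
    """Heuristics (assumed, based on this thread's logs) for one registration."""
    reasons = []
    win_path = PureWindowsPath(path)
    parts = [p.lower() for p in win_path.parts]
    is_guid = bool(GUID_RE.match(name))
    if is_guid:
        # Legitimate add-ons may also use GUID ids, so this alone is only a hint.
        reasons.append("extension id is a bare GUID rather than an id like name@vendor")
    if "systemprofile" in parts:
        reasons.append("installed under the SYSTEM account profile, which no user manages")
    if "local settings" in parts and "application data" in parts:
        reasons.append("installed under a profile's Local Settings\\Application Data, not Program Files")
    if is_guid and win_path.name.lower() == name.lower():
        reasons.append("folder name equals the extension GUID, as in the entries GooredFix removed")
    return reasons


def audit(dump):
    """Map each suspicious registration name to the reasons it was flagged."""
    findings = {}
    for _key, name, path in parse_registered_extensions(dump):
        reasons = suspicion_reasons(name, path)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_DUMP).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live system the same dump can be produced by exporting HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla with reg.exe, and a flagged folder that reappears after deletion (as the systemprofile one did in this thread) points to something re-creating it at startup.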

#7 soydeedo

soydeedo
  • Topic Starter

  • Members
  • 4 posts

Posted 13 January 2009 - 06:14 PM

Well it was still looking a bit odd, and while it wasn't going to globoxhost anymore it was pulling up more connections than either IE or Chrome, so I navigated to those two directory locations manually. The first one was gone already, but the second was still there. I deleted it, but it didn't go to the recycling bin...that still worries me a bit, but maybe that's policy for items in the system32 dir. After that I uninstalled Firefox, rebooted, reinstalled, and checked that directory one last time. Looks clean and GooredFix option 1 yields no suspect entries, but I'll keep my eyes peeled.

It kinda makes sense since GooredFix originally said this in the option 2 log:

=====Reboot=====

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B960E45E-5A4A-41A8-B67A-27A619881891}"
->Unable to find folder.


So there may be some other program deleting the folder at startup and then engaging it later, but nothing has been identified by Kaspersky for now. It should hopefully tell me if the registry entry has been made at least, so here's hoping. I'll keep you updated.

Thanks again for all your help!

Edited by soydeedo, 13 January 2009 - 06:16 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 January 2009 - 03:27 AM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 January 2009 - 05:46 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.