
Firefox redirect malware problem


This topic is locked
2 replies to this topic

#1 stdave

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:05 AM

Posted 16 January 2009 - 12:34 PM

My problem is with some Malware that causes a redirect in Firefox.
IE7 seems to be fine. In Firefox when I google a couple of words, the browser seems to direct the search words through a site ad1.doubleclicker.net and then routes me to some other site.

I have attempted repair with Spybot, Adaware, SDFix and ComboFix. The problem also occurs in Safe Mode with networking.

Enclosed are the logs produced by DDS:

DDS (Ver_09-01-07.01) - NTFSx86
Run by David at 12:28:00.93 on Fri 01/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.757 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\StarNet\X-Win32 8.1\xwin32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\David\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
uPolicies-system: DisableDocumentsMenu = 0 (0x0)
IE: + Offline &Explorer: Download the link
IE: + Offline E&xplorer: Download the current page
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\cm9ihi5w.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\cm9ihi5w.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\cm9ihi5w.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\cm9ihi5w.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {19E8021F-D705-4619-9017-9C7CDFE19DEF} - c:\documents and settings\david\local settings\application data\{19E8021F-D705-4619-9017-9C7CDFE19DEF}

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-14 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-1-24 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-1-14 27776]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-9 10872]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-1-24 10760]
R1 SftpDrive;SftpDrive;c:\windows\system32\drivers\SftpDrive.sys [2007-2-26 155136]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-1-31 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-1-31 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-1-31 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-1-24 4960]
R4 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2006-4-28 371349]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R4 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [2006-1-31 16288]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S1 Windpdr;Windpdr;\??\c:\windows\system32\drivers\pcm01nt5.sys --> c:\windows\system32\drivers\pcm01nt5.sys [?]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\drivers\adsfilter.sys --> c:\windows\system32\drivers\ADSFilter.sys [?]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\51.tmp --> c:\windows\system32\51.tmp [?]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S4 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;d:\cfusionmx\db\slserver52\bin\swagent.exe "coldfusion mx odbc agent" --> d:\cfusionmx\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
S4 DeltaCopyService;DeltaCopy Server;c:\program files\synametrics technologies\deltacopy\DCServce.exe [2007-5-16 651776]
S4 THP878;THP878;c:\windows\system32\drivers\Thp878.sys [2006-4-28 58293]

=============== Created Last 30 ================

2009-01-15 10:44 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-15 10:44 1,409 a------- c:\windows\QTFont.for
2009-01-14 16:11 8,192 ---shr-- c:\windows\system\VGAACC.VXD
2009-01-14 16:11 8,192 ---shr-- c:\windows\MSWP.HLP
2009-01-14 16:11 8,192 ---shr-- C:\QA.$$$
2009-01-13 15:57 <DIR> --d----- C:\DriveKey
2009-01-11 10:49 <DIR> --d----- C:\ComboFix
2009-01-11 01:31 <DIR> --d----- c:\docume~1\david\applic~1\GrabPro
2009-01-11 01:29 <DIR> --d----- C:\Downloads
2009-01-10 00:35 <DIR> --d----- c:\docume~1\david\applic~1\Malwarebytes
2009-01-10 00:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-10 00:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 00:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 00:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-08 17:28 <DIR> --d----- c:\docume~1\david\applic~1\DAEMON Tools Pro
2009-01-08 17:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-01-08 17:26 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-01-08 17:26 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-01-08 17:01 <DIR> --d----- c:\program files\Bonjour
2009-01-08 16:45 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-08 16:45 <DIR> --d----- c:\docume~1\david\applic~1\DAEMON Tools Lite
2009-01-08 16:43 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-08 16:05 <DIR> --d----- c:\program files\Undisker
2009-01-03 23:39 <DIR> a-dshr-- C:\cmdcons
2009-01-03 23:35 161,792 a------- c:\windows\SWREG.exe
2009-01-03 23:35 98,816 a------- c:\windows\sed.exe
2009-01-03 22:53 92,672 a------- C:\KillBox.exe
2009-01-03 18:03 <DIR> --d----- C:\VundoFix Backups
2009-01-03 17:11 <DIR> --d----- C:\!KillBox
2009-01-02 14:03 134,656 a------- c:\windows\udopofuy.not
2009-01-02 13:51 40,448 a------- c:\windows\Ixehuva.not
2009-01-02 13:51 40,448 a------- c:\windows\system32\k9261108.exe
2008-12-28 21:59 <DIR> --d----- C:\Temp
2008-12-27 12:38 <DIR> --d----- C:\temp5
2008-12-21 13:10 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2008-12-04 16:52 2,131,968 a------- c:\windows\system32\python26.dll
2008-10-31 17:15 9,646,192 a--shr-- C:\AVG6DB_F.DAT
2008-10-31 17:15 741,888 a------- C:\DaylightSavingFix98.exe
2008-10-31 17:15 454,656 a------- C:\putty.exe
2008-10-31 17:15 512,392 a------- C:\WindowsXP-KB931836-x86-ENU.exe
2008-10-31 17:15 562 a---h--- C:\os722376.bin
2008-06-17 20:06 8 a------- c:\docume~1\david\applic~1\usb.dat
2007-02-09 16:30 40,536 a------- c:\docume~1\david\applic~1\GDIPFONTCACHEV1.DAT
2004-10-12 18:51 1,273,344 a------- c:\documents and settings\david\CloneCD.exe
2006-08-14 10:20 440 a--sh--- c:\windows\dwin.sys
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 07:43 27,648 ---sh--- c:\windows\system32\Smab0.dll

============= FINISH: 12:28:27.70 ===============

#2 stdave

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:05 AM

Posted 16 January 2009 - 01:56 PM

I found the answer to this problem on bleepingcomputer.com logs - my problem appeared to be goored and was resolved using gooredfix.exe

Thanks to all who reviewed my request.

#3 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:12:05 PM

Posted 18 January 2009 - 03:08 PM

I found the answer to this problem on bleepingcomputer.com logs - my problem appeared to be goored and was resolved using gooredfix.exe

Thanks for letting us know. :thumbup2:
