Infected with Google Links Hijacking with Firefox 3.5.5


  • This topic is locked
3 replies to this topic

#1 RickSmith

  • Members
  • 2 posts

Posted 10 December 2009 - 02:04 PM

This whole thing began last weekend, (the weekend of 12/04/09). On Friday, 12/04/09 I noticed that Windows Update kept telling me that there was an update for Visual Studio 2008 SP1. Problem was, I had downloaded and installed that update numerous times before that. No matter what I did, Windows Update kept telling me that that update was available to be installed.

Next, I decided to remove Visual Studio 2008 to eliminate the Windows Update issues. I was able to remove all of the updates. Then I got down to Visual Studio (VS) 2008 itself. I couldn't uninstall it. I kept getting an error that VS_SETUP.MSI was missing. I couldn't find that file anywhere on my machine nor on another machine (XP) that has VS 2008 installed on it.

Next, I got the idea to search for VS_SETUP.MSI on the Internet. So I did some Google searches. I found several places that *claimed* they had it. I picked one and went to download it. I found out I would have to pay $1.99 for a "7 day trial" to download the file. I decided to pay the $1.99 because this was becoming a real annoyance and I just wanted it fixed.

When I got to the download section of the site, I couldn't find VS_SETUP.MSI but found VSSETUPMSI.ZIP or something like that. It claimed to have the latest "patches." (I *knew* this wasn't sounding right but I was so determined to get this issue fixed, I went ahead anyway.) So I downloaded the zip file.

When I opened the zip file, there were files in there with names that didn't match what I was expecting. But I was *so* determined by now to get this fixed, I went ahead and ran SETUP.EXE from the zip file. BIG mistake! Suddenly, I didn't have control of my machine. I was now being told by the malware "Security Tool" that my machine had all these infections. I knew that wasn't correct because I keep my anti-virus and spyware definitions up to date. Earlier in the week, I had just replaced AVG Free with Microsoft Security Essentials. And I had Windows Defender running as well (though I noticed its service had started shutting down on its own).

I went to an uninfected machine and searched Google for the cure to Security Tool. I found out that MalwareBytes Anti-Malware would remove Security Tool. So I ran MBAM and got Security Tool off the machine. By this time, it was Saturday evening (12/5). While I was browsing the Internet, I noticed that there seemed to be some browser hijacking going on in Firefox 3.5.5 (which is the browser I use 95% of the time).

I noticed that most of the time the redirection occurred to IP address 64.111.196.114. Oftentimes the redirection would then go to sites like the following:
hxxp://www.pctools.com/spyware-doctor/?ref=lookst1&utm_source=lookst1&utm_medium=cpc&utm_term=hijacker

This seemed to happen most often when I was using Firefox 3.5.5 and I attempted to select a link on fixing browser hijacking. I eventually noticed that the browser hijacking didn't occur in IE 8.0.

Anyway, I was able to do some further research and eventually found that sometimes the HOSTS file gets hacked by these malware components. I located my HOSTS file and in there saw the following:

127.0.0.1 localhost
:: localhost

Thinking that the :: localhost line was a hack, I removed it. I tested the links again. It seemed to be fixed. The rest of the weekend was uneventful. Monday morning, 12/7, I discovered that the browser hijacking was back (if it was ever even fixed). Again, I began to research everything I could find on fixing browser hijacking. None of it worked. I've run HijackThis and had it uninstall BHOs (as recommended by other computer professionals). I've run ComboFix as suggested by these same folks. I've run Ad-Aware. I've run Spybot S&D. Yesterday, I ran a *6 hour* scan with MS Malicious Software removal tool.

None of these tools have found anything of significance other than a few cookies. Finally, I kept seeing this forum come up over and over in my searching. So, here I am, hat in hand :(, asking for your assistance in correcting this annoying issue. I've followed your steps from your Preparation Guide. Here's the contents of the DDS.TXT file:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rick at 22:00:57.98 on Wed 12/09/2009
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.882 [GMT -7:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\itunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Windows\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\JoomlaPack Native Tools\JoomlaPackRemote.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PMAIL\winpm-32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Rick\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search 2\toolbar\ToolbarContainer101000313.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Copernic Desktop Search - Home] "c:\program files\copernic desktop search 2\DesktopSearchService.exe" /tray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\users\rick\appdata\roaming\micros~1\windows\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe
StartupFolder: c:\users\rick\appdata\roaming\micros~1\windows\startm~1\programs\startup\joomla~1.lnk - c:\program files\joomlapack native tools\JoomlaPackRemote.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\datavi~1.lnk - c:\windows\dvzcommon\DvzMsgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 7\SnagIt32.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\rick\appdata\roaming\mozilla\firefox\profiles\dsine41y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1734448&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Free Traffic Bar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\rick\appdata\roaming\mozilla\firefox\profiles\dsine41y.default\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}\components\FFExternalAlert.dll
FF - component: c:\users\rick\appdata\roaming\mozilla\firefox\profiles\dsine41y.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\rick\appdata\roaming\mozilla\firefox\profiles\dsine41y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\rick\appdata\roaming\mozilla\firefox\profiles\dsine41y.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-8 64288]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-6-17 47640]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-9 1153368]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]

=============== Created Last 30 ================

2009-12-10 03:19:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-10 01:58:25 0 d-----w- c:\programdata\NOS
2009-12-09 10:06:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 10:06:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 10:06:21 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 05:36:59 0 d-----w- C:\SDFix
2009-12-09 05:15:49 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 21:53:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-08 19:49:18 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-08 19:47:41 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-08 19:47:19 0 d-----w- c:\programdata\Lavasoft
2009-12-08 16:12:01 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-08 16:11:54 0 d-----w- c:\users\rick\appdata\roaming\SUPERAntiSpyware.com
2009-12-08 16:11:54 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-08 04:46:20 0 d-----w- c:\program files\DietOrganizer 2.0
2009-12-08 04:42:27 3120 ----a-w- c:\windows\system32\YQFL9QUF.ocx
2009-12-08 04:42:27 3120 ----a-w- c:\windows\DCVRVG5R.ocx
2009-12-08 04:39:10 0 d-----w- c:\programdata\NutriBase
2009-12-08 04:39:01 0 d-----w- c:\windows\NutriBase
2009-12-08 04:39:01 0 d-----w- c:\program files\NutriBase
2009-12-07 23:29:21 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-07 23:08:01 98816 ----a-w- c:\windows\sed.exe
2009-12-07 23:08:01 77312 ----a-w- c:\windows\MBR.exe
2009-12-07 23:08:01 260608 ----a-w- c:\windows\PEV.exe
2009-12-07 23:08:01 161792 ----a-w- c:\windows\SWREG.exe
2009-12-06 02:15:16 0 d-----w- c:\program files\Trend Micro
2009-12-05 23:42:39 0 d-----w- c:\users\rick\appdata\roaming\Malwarebytes
2009-12-05 23:42:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 23:42:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 23:42:31 0 d-----w- c:\programdata\Malwarebytes
2009-12-05 23:42:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 22:47:10 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-05 18:57:27 0 d-----w- c:\program files\VS Revo Group
2009-12-05 18:50:58 1196 --sha-w- c:\windows\system32\1719669866
2009-12-05 18:50:56 817 ----a-w- c:\windows\system32\919618618
2009-12-05 18:36:11 0 d-----w- c:\users\rick\Incomplete
2009-12-04 22:42:32 0 d-----w- c:\programdata\PreEmptive Solutions
2009-12-04 21:59:42 0 d-----w- c:\programdata\Office Genuine Advantage
2009-12-02 15:06:56 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-12-02 15:06:53 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-02 15:06:29 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-12-02 15:06:29 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-12-02 15:06:26 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-12-02 10:05:24 0 d-----w- c:\program files\CE Remote Tools
2009-12-02 10:00:47 0 d-----w- c:\windows\SQL9_KB970892_ENU
2009-12-01 15:43:22 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-01 15:21:23 0 d-----w- c:\programdata\avg7
2009-11-26 10:00:37 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 10:00:21 0 d-----w- c:\program files\MSXML 4.0
2009-11-25 17:06:53 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 17:06:53 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-22 03:05:53 0 d-----w- c:\programdata\Real
2009-11-11 22:07:34 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 22:07:33 355328 ----a-w- c:\windows\system32\WSDApi.dll

==================== Find3M ====================

2009-12-02 04:12:36 208868 ----a-w- c:\users\rick\appdata\roaming\nvModes.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-14 01:01:28 60744 ----a-w- c:\users\rick\g2mdlhlpx.exe
2009-11-03 03:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 01:34:43 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 01:34:43 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-02 01:34:42 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-24 04:42:48 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-24 04:42:48 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-24 04:42:48 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-24 04:33:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-09-24 04:21:47 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2008-06-24 15:55:01 174 --sh--w- c:\program files\desktop.ini
2007-12-08 20:52:39 190 ----a-w- c:\program files\common files\psasetup.log
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2003-08-27 20:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

============= FINISH: 22:02:38.05 ===============

I attempted to run RootRepeal numerous times and could never get it to complete. I got errors from RootRepeal like "Couldn't Read Our Index Block." I was able to get a crash log from one of the runs. Here's that crash log.

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP2
Exception Code: 0xc0000005
Exception Address: 0x00456d83
Attempt to read from address: 0x00000114

I've attached ATTACH.TXT to this post as well.

I certainly hope you folks can help me resolve this issue. If you can't, I'll be forced to format the drive and reinstall everything. And of course, that's not a prospect I relish.

Thanks in advance for your assistance.

Rick

Edited by Orange Blossom, 10 December 2009 - 11:12 PM.
Deactivate link. ~ OB
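The post above checks two places by hand: the HOSTS file (where the DDS log later shows `127.0.0.1 www.spywareinfo.com`, a security site sinkholed) and the Firefox profile (where `browser.search.defaulturl` points at search.conduit.com rather than the user's chosen engine). The script below automates both checks. It is an added example, not part of the thread and not a DDS or HijackThis rule; the sample HOSTS and prefs.js text is constructed to mirror the log, the trusted-search allow-list is an assumption you should edit, and the two-label "registrable domain" shortcut is deliberately naive (no public-suffix list).

```python
"""Audit a Windows hosts file and a Firefox prefs.js for two hijack signs:
security sites pinned to loopback (or any host redirected elsewhere), and
search/homepage prefs pointing at an unexpected provider.
Added example; sample inputs are constructed, allow-list is an assumption."""
import ipaddress
from urllib.parse import urlparse

# Names a loopback entry may legitimately carry (assumption: Windows defaults).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Search providers treated as expected (assumption: adjust for your environment).
TRUSTED_SEARCH = {"google.com", "bing.com", "yahoo.com", "duckduckgo.com"}
# Firefox prefs that carry a URL an adware toolbar typically rewrites.
SEARCH_PREFS = ("browser.search.defaulturl", "keyword.URL", "browser.startup.homepage")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a redirect
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_hosts(entries):
    """Flag loopback entries for non-localhost names (site blocked) and any
    entry that sends a name to a real address (site redirected).
    '::1 localhost' is the normal IPv6 entry and is not flagged."""
    findings = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            if name not in LOOPBACK_NAMES:
                findings.append((ip, name, "sinkholed (site blocked)"))
        else:
            findings.append((ip, name, "redirected to non-loopback address"))
    return findings


def parse_prefs(text):
    """Parse prefs.js / user.js lines: user_pref("name", value);"""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("user_pref(") or line.startswith("pref(")) or not line.endswith(");"):
            continue
        body = line[line.index("(") + 1:-2]          # strip 'user_pref(' and ');'
        name, _, value = body.partition(",")
        prefs[name.strip().strip('"')] = value.strip().strip('"')
    return prefs


def registrable_domain(url):
    """Naive last-two-labels domain; good enough to spot search.conduit.com."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_prefs(prefs):
    """Flag URL-bearing prefs whose domain is not on the allow-list."""
    findings = []
    for key in SEARCH_PREFS:
        value = prefs.get(key)
        if value and registrable_domain(value) not in TRUSTED_SEARCH:
            findings.append((key, registrable_domain(value)))
    return findings


# Constructed samples modelled on the DDS log in the post (hxxp written as http).
SAMPLE_HOSTS = """# Vista defaults plus the entry DDS reported
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.spywareinfo.com
"""
SAMPLE_PREFS = """user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT1734448&SearchSource=3&q={searchTerms}");
user_pref("browser.search.selectedEngine", "Free Traffic Bar Customized Web Search");
user_pref("browser.startup.homepage", "http://www.google.com/");
"""


def audit(hosts_text=SAMPLE_HOSTS, prefs_text=SAMPLE_PREFS):
    return {"hosts": suspicious_hosts(parse_hosts(hosts_text)),
            "prefs": suspicious_prefs(parse_prefs(prefs_text))}


if __name__ == "__main__":
    for kind, items in audit().items():
        for item in items:
            print(kind, *item)
```

Run it against `%SystemRoot%\System32\drivers\etc\hosts` and the profile's `prefs.js` by passing their contents to `audit()`. A clean result here does not clear the machine: the same log lists unsigned extension components under the profile, which is what the reporter ultimately removed, and a hosts or prefs rewrite is only the visible symptom of whatever installed them.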



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 22 December 2009 - 12:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 RickSmith

  • Topic Starter
  • Members
  • 2 posts

Posted 23 December 2009 - 11:20 AM


Thanks for getting back to me. You can mark this issue as fixed. To fix it, I removed all my Firefox plugins, uninstalled Firefox, and then reinstalled everything. The browser hijacking was then gone.

Then I created another disk image. :(

Thanks again.

Rick

#4 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 23 December 2009 - 01:34 PM

Thanks for letting me know :(

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber
