Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google AD Redirect Virus. Possible Rootkit.


  • This topic is locked This topic is locked
4 replies to this topic

#1 mrfitzmonster

mrfitzmonster

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 12 April 2010 - 11:14 PM

I believe I've contracted at least one virus. Several things have happened.

First, My Vitals

Dell Inspiron 9300
2.13 GHZ Pentium M
2 GB Ram
80 GB HD (6 GB Free)
Windows XP Pro 2002
XP SP 3
SpyBot SD 1.6.0
Comodo 3.14.130099.587
AVG 9.0.801
Firefox 3.6.3
Ran current AdAware from Lavasoft site. Then uninstalled.

I'll give you a time line.



THE LAST MONTH OR SO

Noticed a general slowing of the browser when I clicked on a link. Keep getting a Microsoft error at startup. "Either there is no default mail client installed or the current mail client cannot fulfill the messaging request. Please run Microsoft Outlook and set it as the default mail client." I assume something during startup was trying to use the mail, but on this Laptop I only use Gmail so it couldn't get out. Also getting an error from gmail about connectivity and it has to do something that it doesn't want to do. (http connectivity?? Sorry, this is the one thing I can't dupe and can't remember)



FRIDAY

Started noticing the google ad redirects. Began researching and the first thing told me that my hosts file may have been corrupted, it was. 100's of websites. Mostly porn. Cleared Firefox cache, history and cookies.



SATURDAY

Ordered a cd online from a friend's MySpace website. First pass got me to a PayPal page that was poorly laid out that wanted my ssn and bank acct and credit card numbers. Started to fill it out and remembered the only time I was ever phished was from PayPal. Backed out of that page and tried to get in to pay w/credit card. Got a message back from paypal to try again in 30 minutes. For some reason, this really didn't want to take my CC. Also, I use FireFox and it was giving me a green light for the site. Tried a second pass at ordering and it went thru. Kept working on the problem and didn't get very far.



SUNDAY

All hell breaks loose. Check my phone and have 60 email (normal day is a dozen or so). Bounces from old email addys and responses saying "Hey dude, you got a virus". The bastards are sending them to an online prescription drug site. I post a warning for everyone and keep working at it. Update Spybot SD. It finds 10 or so entries, delete them. Run AVG. It finds cookies for Firefox, delete them. There was a BSOD in there at some point. Run HijackThis. 2nd pass finds several long digit string files that weren't there before. Delete them. Found an online scan at one point. Between it and TeaTimer (which was disabled and I don't know why) I found these results

spyware.iemonster.b
zlob.pornadvertiser.xplisit
trojan. infostealer.banker.s
trojan.zlob.z
trojan.mytob.mailer


I also found this once teatimer was back up and running...


4/12/2010 1:57:35 AM Encountered and terminated Smitfraud-C. in C:\WINDOWS\system32\winlogon.exe!


During this I found you guys on the AdAware site. I had seen some links to you before. It seems like a healthy forum, so I figured you're legit.

Tried to create an account but I couldn't.



TODAY

Got my account created. All of my data is on an external drive (disconnected). If I do have to wipe this machine I can. Downloaded defogger from your website and ran it. It did not ask me to reboot. Ran Gmer and DDS and attached info. One BSOD so far. Deleted temporary internet files AFTER running GMER.

Thanks for your help. First post said file was too big. I've attached the logs and can post them if needed.

Here's the DDS log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Fitz at 0:02:24.60 on Tue 04/13/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1192 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fitz\Desktop\procexp.exe
C:\Documents and Settings\Fitz\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [FireStudio] "c:\program files\presonus firestudio\PreSonus FireControl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\fitz\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\fitz\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with srx utility\lcu.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fitz\applic~1\mozilla\firefox\profiles\xxbsxrul.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\fitz\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-21 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-7 29512]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-21 242696]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-5-20 134344]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-5-20 25160]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-13 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-5-20 723632]
S3 PaeFireStudio;PreSonus FireStudio;c:\windows\system32\drivers\PaeFireStudio.sys [2009-4-1 124928]
S3 PaeFireStudioAudio;PreSonus FireStudio Audio;c:\windows\system32\drivers\PaeFireStudioAudio.sys [2009-4-1 20992]
S3 PaeFireStudioMidi;PreSonus FireStudio MIDI;c:\windows\system32\drivers\PaeFireStudioMidi.sys [2009-4-1 20608]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2006-5-30 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2006-5-30 24576]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-4-2 23288]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2007-4-6 163840]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-04-12 22:56:02 0 ----a-w- c:\documents and settings\fitz\defogger_reenable
2010-04-12 05:49:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 05:45:47 0 d-----w- c:\program files\Lavasoft
2010-04-11 23:54:07 0 d-----w- c:\program files\Trend Micro
2010-04-11 20:26:18 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-11 20:26:18 1409 ----a-w- c:\windows\QTFont.for
2010-04-09 07:59:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 07:59:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-09 07:58:52 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-03 19:33:28 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-03 19:33:25 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-04-03 19:33:13 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-04-10 03:15:05 93830 ----a-w- c:\windows\system32\nvModes.dat
2010-03-13 11:15:12 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 11:15:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 11:14:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-28 10:04:58 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-28 10:04:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-28 10:04:55 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-22 08:05:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-02-22 08:05:02 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2008-09-08 03:14:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 0:05:40.21 ===============


I tried to upload GMER log, but it said it was too big. If you need it, I'll break it in two.

I literally just ran DDS and GMER a half hour ago. The only thing I have done is look here for a reply. And both files we're downloaded today.

Some one responded to this post about 10 minutes in that looked like a tech. I can't find the post now. ???

This is the 2nd DDS file.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Fitz at 0:02:24.60 on Tue 04/13/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1192 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fitz\Desktop\procexp.exe
C:\Documents and Settings\Fitz\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [FireStudio] "c:\program files\presonus firestudio\PreSonus FireControl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\fitz\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\fitz\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with srx utility\lcu.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fitz\applic~1\mozilla\firefox\profiles\xxbsxrul.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\fitz\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-21 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-7 29512]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-21 242696]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-5-20 134344]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-5-20 25160]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-13 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-5-20 723632]
S3 PaeFireStudio;PreSonus FireStudio;c:\windows\system32\drivers\PaeFireStudio.sys [2009-4-1 124928]
S3 PaeFireStudioAudio;PreSonus FireStudio Audio;c:\windows\system32\drivers\PaeFireStudioAudio.sys [2009-4-1 20992]
S3 PaeFireStudioMidi;PreSonus FireStudio MIDI;c:\windows\system32\drivers\PaeFireStudioMidi.sys [2009-4-1 20608]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2006-5-30 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2006-5-30 24576]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-4-2 23288]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2007-4-6 163840]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-04-12 22:56:02 0 ----a-w- c:\documents and settings\fitz\defogger_reenable
2010-04-12 05:49:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 05:45:47 0 d-----w- c:\program files\Lavasoft
2010-04-11 23:54:07 0 d-----w- c:\program files\Trend Micro
2010-04-11 20:26:18 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-11 20:26:18 1409 ----a-w- c:\windows\QTFont.for
2010-04-09 07:59:32 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 07:59:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-09 07:58:52 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-03 19:33:28 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-03 19:33:25 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-04-03 19:33:13 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-04-10 03:15:05 93830 ----a-w- c:\windows\system32\nvModes.dat
2010-03-13 11:15:12 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 11:15:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 11:14:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-28 10:04:58 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-28 10:04:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-28 10:04:55 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-22 08:05:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-02-22 08:05:02 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2008-09-08 03:14:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 0:05:40.21 ===============

UPDATE

Tried to run GMER again last night. Machine was crashed when I got up this morning. Have had chkdsk run twice, both times it tells me drive is dirty. I will get that info next time. I will be online after 11pm eastern.

Merged 6 posts. ~ OB

Edited by Orange Blossom, 13 April 2010 - 08:15 PM.

MrFitzMonster

LAPTOP
Dell Inspiron 9300
2.13 GHZ Pentium M
2 GB Ram
80 GB HD (6 GB Free)
Windows XP Pro 2002
XP SP 3
SpyBot SD 1.6.0
Comodo 3.14.130099.587
AVG 9.0.801

BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 17 April 2010 - 07:36 AM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 mrfitzmonster

mrfitzmonster
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 19 April 2010 - 11:05 PM

Sorry I didn't respond sooner.

As I went thru the machine I realized that it was REALLY hosed. So I just bit the bullet and removed all of my partitions and reformatted ntfs for windows. That SHOULD take care of it.

I'd like to thank you for getting back to me. I will admit, I expected a faster response, but that is no knock against you guys. You provide a great service and it's worth the wait. If you can. smile.gif

I was wondering if you could tell from the above what I had?? It's not really important, but I am curious.

I know you guys are hella busy because I've run into 3 friends this week that have been hit. What the hell is going on???

Anyway. Thanks for your response and best of luck to you. Keep fighting the good fight.

Fitz
MrFitzMonster

LAPTOP
Dell Inspiron 9300
2.13 GHZ Pentium M
2 GB Ram
80 GB HD (6 GB Free)
Windows XP Pro 2002
XP SP 3
SpyBot SD 1.6.0
Comodo 3.14.130099.587
AVG 9.0.801

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 20 April 2010 - 05:38 PM

We're all volunteers, so we try to help as best we can. Again, sorry for the wait. Hard to say completely what you had without a GMER log, but Zlob and Infostealer are often related and typically come with a rogue antivirus infection. These basically trick you into purchasing their software that doesn't do antyhing...and gives them your credit card number. They often come with a backdoor rootkit, but I can't tell from the logs...GMER would have showed us that. The rootkit and/or Smitfraud (the ohter detection) also reroute Google searches and other links to porn or other advertisers so they make more money. Zlob/Smitfraud are often found posing as codecs you install to play audio/video.

Do you use this computer for financial transactions? If so you may want to let your companies know your account may be compromised. You should keep an eye on your accounts as well.

Again, I can't tell if it's backdoor or not without the GMER log, but just wanted to give you the warning in case.

A full reformat (e.g. not just a reinstall) is the only way to ensure it's completely gone.

Edited by etavares, 20 April 2010 - 05:38 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:02 PM

Posted 25 April 2010 - 06:51 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users