Google AD Redirect Virus. Possible Rootkit. Smitfraud, zlob, etc.


No replies to this topic

#1 mrfitzmonster

  • Members
  • 8 posts
  • Gender:Male

Posted 13 April 2010 - 11:16 PM

I believe I've contracted at least one of the following viruses.


spyware.iemonster.b
zlob.pornadvertiser.xplisit
trojan.infostealer.banker.s
trojan.zlob.z
trojan.mytob.mailer


I also found this once teatimer was back up and running...

4/12/2010 1:57:35 AM Encountered and terminated Smitfraud-C. in C:\WINDOWS\system32\winlogon.exe!

Several things have happened.

First, My Vitals

Dell Inspiron 9300
2.13 GHZ Pentium M
2 GB Ram
80 GB HD (6 GB Free)
Windows XP Pro 2002
XP SP 3
SpyBot SD 1.6.0
Comodo 3.14.130099.587
AVG 9.0.801
Firefox 3.6.3
Ran current AdAware from Lavasoft site. Then uninstalled.

I'll give you a timeline.



THE LAST MONTH OR SO

Noticed a general slowing of the browser when I clicked on a link. Keep getting a Microsoft error at startup. "Either there is no default mail client installed or the current mail client cannot fulfill the messaging request. Please run Microsoft Outlook and set it as the default mail client." I assume something during startup was trying to use the mail, but on this Laptop I only use Gmail so it couldn't get out. Also getting an error from gmail about connectivity and it has to do something that it doesn't want to do. (http connectivity?? Sorry, this is the one thing I can't dupe and can't remember)



FRIDAY

Started noticing the google ad redirects. Began researching and the first thing told me that my hosts file may have been corrupted, it was. 100's of websites. Mostly porn. Cleared Firefox cache, history and cookies.



SATURDAY

Ordered a cd online from a friend's MySpace website. First pass got me to a PayPal page that was poorly laid out that wanted my ssn and bank acct and credit card numbers. Started to fill it out and remembered the only time I was ever phished was from PayPal. Backed out of that page and tried to get in to pay w/credit card. Got a message back from paypal to try again in 30 minutes. For some reason, this really didn't want to take my CC. Also, I use FireFox and it was giving me a green light for the site. Tried a second pass at ordering and it went thru. Kept working on the problem and didn't get very far.



SUNDAY

All hell breaks loose. Check my phone and have 60 emails (normal day is a dozen or so). Bounces from old email addys and responses saying "Hey dude, you got a virus". The bastards are sending them to an online prescription drug site. I post a warning for everyone and keep working at it. Update Spybot SD. It finds 10 or so entries, delete them. Run AVG. It finds cookies for Firefox, delete them. There was a BSOD in there at some point. Run HijackThis. 2nd pass finds several long digit string files that weren't there before. Delete them. Found an online scan at one point. Between it and TeaTimer (which was disabled and I don't know why) I found these results

spyware.iemonster.b
zlob.pornadvertiser.xplisit
trojan.infostealer.banker.s
trojan.zlob.z
trojan.mytob.mailer


I also found this once teatimer was back up and running...


4/12/2010 1:57:35 AM Encountered and terminated Smitfraud-C. in C:\WINDOWS\system32\winlogon.exe!


During this I found you guys on the AdAware site. I had seen some links to you before. It seems like a healthy forum, so I figured you're legit.

Tried to create an account but I couldn't.



TODAY

Got my account created. All of my data is on an external drive (disconnected). If I do have to wipe this machine I can. Downloaded defogger from your website and ran it. It did not ask me to reboot. Ran Gmer and DDS and attached info. One BSOD so far. Deleted temporary internet files AFTER running GMER.

Thanks for your help. [attachment=53426:DDS2.txt]
MrFitzMonster

LAPTOP
Dell Inspiron 9300
2.13 GHZ Pentium M
2 GB Ram
80 GB HD (6 GB Free)
Windows XP Pro 2002
XP SP 3
SpyBot SD 1.6.0
Comodo 3.14.130099.587
AVG 9.0.801
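The poster's first concrete finding was a hosts file stuffed with hundreds of injected entries, which is what produced the search/ad redirects. The script below is an added example (not code from the post, from BleepingComputer, or from any of the tools named) showing how a responder can audit a hosts file offline: it parses the file, flags names mapped to routable addresses (silent redirects) and names pinned to loopback or 0.0.0.0 other than the standard local names (a common way malware blocks security-vendor update sites), and notes when the entry count is far larger than a hand-maintained file would be. The sample hosts content, the example.* domains and the `max_expected` threshold are constructed for the example, and Windows keeps the real file at `C:\WINDOWS\system32\drivers\etc\hosts`.

```python
"""Audit a Windows-style hosts file for redirect and block entries.

Added example. SAMPLE_HOSTS is constructed; it is not the poster's file.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Names that legitimately map to loopback/unspecified addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample: two normal lines, then entries of the kind the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# injected lines (constructed for this example)
203.0.113.10    www.search.example
203.0.113.10    analytics.example  ads.example
0.0.0.0         banners.example   # user-added ad block, harmless
127.0.0.1       update.av-vendor.example
"""


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one HostsEntry per non-comment line that has an address and names."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        entries.append(HostsEntry(line_no, fields[0], tuple(fields[1:])))
    return entries


def redirected(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name to a routable address: traffic is diverted."""
    return [e for e in entries
            if not (ipaddress.ip_address(e.ip).is_loopback
                    or ipaddress.ip_address(e.ip).is_unspecified)]


def blocked(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that pin a non-local name to loopback/0.0.0.0: the name is
    unreachable. Legitimate for ad blocking, suspicious for vendor update hosts."""
    out = []
    for e in entries:
        ip = ipaddress.ip_address(e.ip)
        if (ip.is_loopback or ip.is_unspecified) and \
                any(n.lower() not in LOCAL_NAMES for n in e.names):
            out.append(e)
    return out


def audit(text: str, max_expected: int = 20) -> dict:
    """Summarise a hosts file for triage. max_expected is a constructed threshold:
    a hand-maintained file rarely holds more than a few dozen entries."""
    entries = parse_hosts(text)
    return {
        "entries": len(entries),
        "redirected": redirected(entries),
        "blocked": blocked(entries),
        "bloated": len(entries) > max_expected,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, bloated={report['bloated']}")
    for e in report["redirected"]:
        print(f"line {e.line_no}: REDIRECT {', '.join(e.names)} -> {e.ip}")
    for e in report["blocked"]:
        print(f"line {e.line_no}: BLOCKED  {', '.join(e.names)} -> {e.ip}")
```

To run it against a real file, read `C:\WINDOWS\system32\drivers\etc\hosts` and pass its text to `audit()`; on a clean XP install the only non-comment line is `127.0.0.1 localhost`, so any redirect entry and any blocked vendor host is worth reviewing before the file is restored.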
