Firefox redirects to ads - am I clear?


  • This topic is locked
2 replies to this topic

#1 -Vector-

-Vector-

  • Members
  • 27 posts

Posted 01 June 2010 - 11:29 PM

Hey all,

I had that nasty virus with firefox redirecting to other websites, particularly when using google search. Looks like there are a few active threads on this even now. This was actually the *last* vestige of a virus I thought I had completely removed. I'd appreciate if someone glanced at my combofix log below and let me know if there's anything suspicious, as this is the first time I've used combofix. The redirecting issue appears to be fixed, but I haven't surfed too much yet.

STEPS ALREADY TAKEN. I'm pretty good with this stuff usually...
[acquired virus/malware yesterday approximately 1:30pm CST. Still don't remember clicking a link / installing / downloading something I shouldn't..]
1. HijackThis, removed 3-4 foreign entries.
2. msconfig --> Startup, removed foreign entries.
3. Downloaded rkill, ran it.
4. Downloaded and ran MBAM, restarted in safe mode, ran MBAM again. 0 problems on the 2nd run.
5. Had Firefox redirecting issue (only remaining symptom). Tried to download ComboFix. Was unable to do so; turned out McAfee was preventing me from downloading ANY files. In fact, I think half the symptoms were from McAfee... idiotic.
6. Disabled all McAfee functions, ran ComboFix. Instructions said if you don't know what you're doing, post! So here I am.

7. The only suspicious thing on there is that seupd.exe; I uploaded it to VirusTotal to check, but frankly I don't understand the output. I think it means some programs think this file is a virus? Analysis here:
http://www.virustotal.com/analisis/e919804...b338-1275276179


Combofix log:


ComboFix 10-06-01.01 - shermanm 06/01/2010 22:40:28.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1849 [GMT -5:00]
Running from: c:\dls\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Crytya.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-05-31 20:58 . 2010-05-31 21:17 -------- d-----w- c:\users\shermanm\AppData\Roaming\Mathematica
2010-05-31 20:58 . 2010-05-31 21:17 -------- d-----w- c:\programdata\Mathematica
2010-05-31 20:58 . 2010-05-31 21:16 -------- d-----w- c:\users\shermanm\AppData\Local\Mathematica
2010-05-31 20:58 . 2010-05-31 20:58 -------- d-----w- c:\windows\Downloaded Installations
2010-05-31 20:57 . 2008-11-11 02:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2010-05-31 20:57 . 2008-11-11 02:53 378152 ----a-w- c:\windows\system32\ml32i3.dll
2010-05-31 20:57 . 2008-11-11 02:53 267560 ----a-w- c:\windows\system32\ml32i2.dll
2010-05-31 20:57 . 2008-11-11 02:53 255272 ----a-w- c:\windows\system32\ml32i1.dll
2010-05-31 20:56 . 2010-05-31 20:58 -------- d-----w- c:\program files\Wolfram Research
2010-05-31 20:42 . 2010-05-31 20:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-31 20:42 . 2010-05-31 20:42 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-05-31 20:41 . 2010-05-31 20:54 -------- d-----w- c:\users\shermanm\AppData\Roaming\DAEMON Tools Lite
2010-05-31 20:41 . 2010-05-31 20:41 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-05-31 18:43 . 2010-05-31 18:43 -------- d-----w- c:\users\shermanm\AppData\Roaming\Malwarebytes
2010-05-31 18:43 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 18:43 . 2010-05-31 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 18:43 . 2010-05-31 18:43 -------- d-----w- c:\programdata\Malwarebytes
2010-05-31 18:43 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 18:33 . 2010-05-31 18:33 -------- d-----w- c:\programdata\Update
2010-05-31 18:33 . 2010-05-31 18:33 -------- d-----w- c:\users\shermanm\AppData\Local\tfiuqgqhv
2010-05-30 13:51 . 2010-05-30 13:51 315208 ----a-w- c:\programdata\Update\seupd.exe
2010-05-26 01:25 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 19:57 . 2010-05-25 19:57 -------- d-----w- C:\SoftThinks
2010-05-11 21:16 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 03:29 . 2009-10-05 21:14 -------- d-----w- c:\users\shermanm\AppData\Roaming\Dropbox
2010-05-31 21:13 . 2009-07-31 16:26 82256 ----a-w- c:\users\shermanm\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-25 20:29 . 2009-07-28 05:13 -------- d-----w- c:\programdata\NVIDIA
2010-05-24 18:22 . 2009-09-02 19:58 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 08:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-14 14:56 . 2009-09-03 23:59 8484 ----a-w- c:\users\shermanm\AppData\Local\d3d9caps.dat
2010-04-14 08:20 . 2009-07-28 05:08 -------- d-----w- c:\program files\McAfee
2010-03-26 15:33 . 2010-04-15 16:48 1496064 ----a-w- c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 15:33 . 2010-04-15 16:48 43008 ----a-w- c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 15:33 . 2010-04-15 16:48 339456 ----a-w- c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 15:32 . 2010-04-15 16:48 346112 ----a-w- c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\12647\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\12647\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\12647\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\12647\AcrobatUpdater.exe
2010-03-11 18:11 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-05 14:01 . 2010-04-14 00:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-07-28 07:34 . 2009-04-11 17:43 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\shermanm\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\shermanm\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\shermanm\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2009-05-05 109088]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4702208]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 203296]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2009-04-17 165104]
"DSUpdateLauncher"="c:\program files\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2009-03-09 374]

c:\users\shermanm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\shermanm\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-25 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-04-24 16:05 250192 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):9c,3d,2c,4f,47,c1,ca,01

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-05-31 691696]
S2 SftService;SoftThinks Agent Service;c:\program files\Dell DataSafe Local Backup\sftservice.EXE [2009-04-17 636144]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rlz=1R0GGGL_en&hl=en&source=iglk
FF - component: c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\users\shermanm\AppData\Roaming\Mozilla\Firefox\Profiles\ud9oygdk.default\extensions\refractor@developer.mozilla.org\components\prism.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-gotnewupdate000 - c:\users\shermanm\AppData\Roaming\F31FE0068C2F1E24E3024CF17249D1D3\gotnewupdate000.exe
MSConfigStartUp-MChk - c:\windows\system32\rmxuayof.exe
MSConfigStartUp-skb - xvxxmlhr.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-01 22:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\shermanm\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2010-06-01 22:49:27
ComboFix-quarantined-files.txt 2010-06-02 03:49

Pre-Run: 374,414,286,848 bytes free
Post-Run: 373,598,883,840 bytes free

- - End Of File - - 05827C020414ACAD7B5D5BC68D9B3C05



What do you think? Am I in the clear?

THANKS. Also, thanks to all the frequent bleepingComputer posters, I read a dozen or so threads on this site that helped me get to this point.
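An added triage example (editor's code, not part of the original post, of ComboFix, or of BleepingComputer's own procedure): a first-pass script over the two sections of the log that carry the most signal for a question like "is anything suspicious?", namely 'Files Created' and 'ORPHANS REMOVED'. It flags executables created outside Program Files/System32, random-looking directory and file names, and anything created in the same minute as a flagged entry. The sample lines are constructed in the shape of the log above (the paths are copied from it); the thresholds in looks_random and the trusted-prefix list are assumptions, tuned only so that the legitimate names in this log are not flagged. On this input it surfaces c:\programdata\Update\seupd.exe (the file the poster already sent to VirusTotal) and c:\users\shermanm\AppData\Local\tfiuqgqhv, which the log shows was created in the same minute as c:\programdata\Update, plus the three orphaned msconfig entries. Note what such a pass cannot see: the 'Other Deletions' section reports an infected copy of volsnap.sys that ComboFix disinfected, and a tampered kernel storage driver is a rootkit-class finding that a file-list heuristic does not cover, which is what the GMER scan requested in the reply is for.

```python
"""Added triage pass over ComboFix 'Files Created' and 'ORPHANS REMOVED' lines."""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted log (paths copied from it).
SAMPLE_LOG = r"""
2010-05-31 20:57 . 2008-11-11 02:53 185640 ----a-w- c:\windows\system32\mlmodule32.dll
2010-05-31 18:43 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 18:33 . 2010-05-31 18:33 -------- d-----w- c:\programdata\Update
2010-05-31 18:33 . 2010-05-31 18:33 -------- d-----w- c:\users\shermanm\AppData\Local\tfiuqgqhv
2010-05-30 13:51 . 2010-05-30 13:51 315208 ----a-w- c:\programdata\Update\seupd.exe
2010-05-25 19:57 . 2010-05-25 19:57 -------- d-----w- C:\SoftThinks
MSConfigStartUp-gotnewupdate000 - c:\users\shermanm\AppData\Roaming\F31FE0068C2F1E24E3024CF17249D1D3\gotnewupdate000.exe
MSConfigStartUp-MChk - c:\windows\system32\rmxuayof.exe
MSConfigStartUp-skb - xvxxmlhr.dll
"""

# "created . modified size attrs path"; size is -------- for directories.
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(?P<name>\S+) - (?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Assumed prior, not a verdict: the posted orphan c:\windows\system32\rmxuayof.exe
# shows malware lands in System32 too, so these prefixes only lower the noise.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic for machine-generated names: a 32-hex-digit name, fewer than
    20% vowels, or a run of five or more consonants. Thresholds are assumptions
    tuned so the legitimate leaf names in the posted log are not flagged."""
    base = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name).lower()  # drop extension
    if re.fullmatch(r"[0-9a-f]{32}", base):
        return True
    letters = [c for c in base if c.isalpha()]
    if len(letters) < 6:
        return False
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2 or longest >= 5


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text):
    """Return [(path, [reasons])] for entries that deserve a closer look."""
    created, findings = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            created.append(m.groupdict())
            continue
        m = ORPHAN_RE.match(line)
        if m:
            reasons = ["orphaned msconfig autostart entry (target no longer present)"]
            if any(looks_random(part) for part in m["path"].split("\\")):
                reasons.append("random-looking name in path")
            findings.append((m["path"], reasons))

    by_minute = defaultdict(list)  # creation minute -> paths, for co-creation
    for e in created:
        by_minute[e["created"]].append(e["path"])

    for e in created:
        path = e["path"]
        leaf = path.rsplit("\\", 1)[-1]
        reasons = []
        if leaf.lower().endswith(EXEC_EXT) and not in_trusted_dir(path):
            reasons.append("executable created outside Program Files/System32")
        if looks_random(leaf):
            reasons.append("random-looking name")
        if reasons:
            siblings = [p for p in by_minute[e["created"]] if p != path]
            if siblings:
                reasons.append("created in the same minute as: " + ", ".join(siblings))
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it as-is to print the findings, or call triage() on a full log read from disk. Treat every hit as a lead, not a verdict: the orphan rmxuayof.exe sat in System32, which the trusted-prefix rule would have passed, and its name is below the consonant-run threshold, so the heuristics are a filter for human review, not a detector.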

#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 09:32 PM

Hi and welcome. :)

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log, and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 17 June 2010 - 08:20 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
