Browser Redirecting Virus?


  • This topic is locked
2 replies to this topic

#1 Boomer671

  • Members
  • 2 posts

Posted 10 November 2010 - 04:56 AM

Hey there,
My browser (Firefox) keeps redirecting me to fake anti-virus sites and various attack pages. I've attempted to clean it myself using various anti-virus and anti-spyware tools; these include Spybot Search and Destroy, Malwarebytes Anti-Malware and avast. These all keep coming up clean, but the browser still keeps redirecting me to bad sites. Also, when it's just about to redirect me, svchost.exe takes up nearly 100% of the CPU and one of the svchost.exe processes takes up an abnormal amount of the computer's RAM (100 MB).
Here's the DDS log (I have also attached it to the topic):
DDS (Ver_10-11-09.01) - NTFSx86
Run by user at 8:58:30.71 on 10/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.315 [GMT 0:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gngretail.com/
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: acrord32.exe - "c:\program files\tuneup utilities 2011\TUAutoReactivator32.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\iynvlfwm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\iynvlfwm.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\iynvlfwm.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\iynvlfwm.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}(2)
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-26 165584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-11-8 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-26 40384]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-9-2 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-9-2 493048]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-26 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-26 40384]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
S3 IBIJE;IBIJE;c:\docume~1\user\locals~1\temp\IBIJE.exe [2010-10-26 441216]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 PORTMON;PORTMON;\??\c:\documents and settings\user\my documents\computer tools\portmsys.sys --> c:\documents and settings\user\my documents\computer tools\PORTMSYS.SYS [?]

=============== Created Last 30 ================

2010-11-08 11:27:37 -------- d-----w- c:\program files\Firaxis Games
2010-11-08 09:56:21 2286080 ----a-w- c:\windows\system32\TUKernel.exe
2010-11-08 09:10:25 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2010-11-08 09:10:22 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2010-11-08 09:10:05 -------- d-----w- c:\docume~1\user\applic~1\TuneUp Software
2010-11-08 09:09:52 -------- d-----w- c:\program files\TuneUp Utilities 2011
2010-11-08 09:09:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-11-08 09:09:32 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2010-11-08 07:26:20 -------- d-----w- c:\program files\Sun
2010-11-08 07:26:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-08 07:08:23 -------- d-----w- c:\docume~1\user\applic~1\CheckPoint
2010-11-08 07:03:14 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Conduit
2010-11-08 07:03:13 -------- d-----w- c:\program files\Conduit
2010-11-08 07:03:11 -------- d-----w- c:\docume~1\user\locals~1\applic~1\ZoneAlarm_Security
2010-11-08 07:03:09 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-11-08 07:02:53 -------- d-----w- c:\program files\CheckPoint
2010-11-08 07:02:42 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-11-08 07:02:42 -------- d-----w- c:\windows\system32\ZoneLabs
2010-11-08 07:02:40 -------- d-----w- c:\program files\Zone Labs
2010-11-08 07:01:39 -------- d-----w- c:\windows\Internet Logs
2010-11-08 06:13:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-08 06:13:00 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-08 05:40:32 -------- d-----w- c:\docume~1\user\locals~1\applic~1\2DBoy
2010-11-08 05:40:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\2DBoy
2010-11-06 11:01:39 -------- d-----w- c:\docume~1\user\applic~1\Artifact Quest
2010-11-05 08:26:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Playrix Entertainment
2010-11-04 23:42:36 194871 ----a-w- c:\windows\Fishdom Seasons Under the Sea Uninstaller.exe
2010-11-04 23:41:03 -------- d-----w- c:\program files\Fishdom Seasons Under the Sea
2010-11-04 23:34:46 159997 ----a-w- c:\windows\Artifact Quest Uninstaller.exe
2010-11-04 23:34:41 -------- d-----w- c:\program files\Artifact Quest
2010-10-29 22:54:12 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Help
2010-10-26 03:16:52 38848 ----a-w- c:\windows\avastSS.scr
2010-10-26 03:16:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-23 00:39:48 -------- d-----w- c:\program files\Trend Micro
2010-10-14 22:38:27 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-14 22:33:33 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Sunbelt Software

==================== Find3M ====================

2010-10-08 21:18:42 161293 ----a-w- c:\windows\Heroes of Kalevala Uninstaller.exe
2010-10-08 21:16:58 160620 ----a-w- c:\windows\The Lost Kingdom Prophecy Uninstaller.exe
2008-03-09 06:25:10 236 ----a-w- c:\program files\common files\dx.reg

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: STM3500418AS rev.CC37 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys >>UNKNOWN [0x86269EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x84a82872; SUB DWORD [EBP-0x4], 0x84a8212e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 TUKERNEL!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86348AB8]
3 CLASSPNP[0xF764DFD7] -> TUKERNEL!IofCallDriver[0x804E13B9] -> [0x86338288]
[0x86327D20] -> IRP_MJ_CREATE -> 0x86269EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskSTM3500418AS____________________________CC37____#5&2a36c317&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86269AEA
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 9:02:09.01 ===============

I also have a GMER log if you need that as well.
Thanks again, Boomer.

Attached Files: DDS.txt (14.85KB)


#2 Boomer671 (Topic Starter)

  • Members
  • 2 posts

Posted 15 November 2010 - 07:47 AM

Hello, could you close this topic please? I have cleaned the infection myself by reformatting and reinstalling Windows.
Thank you.

#3 Budapest (Bleepin' Cynic)

  • Moderator
  • 23,573 posts

Posted 15 November 2010 - 04:00 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
