Jump to content

Google Searches with Firefox redirect to spam sites


Recommended Posts

Hey guys,

I believe I have malware that causes my Firefox searches to redirect to spam some sites. Some info:

-When I click on a result, sometimes I'm redirected to a site called searchfindsite.com and other times I get a blank page.

-When I right click anywhere on the page, I get another blank page.

-This only occurs on Firefox. I've testing using Chrome and IE 8 and haven't had the same issue.

-This also has seemed to affect other processes on my computer. It's caused other programs to stall to the point where I've had to power down or reset the computer.

-I'm running Windows XP, Service Pack 3.

I first tried to fix this myself. Here are a few of the things I've done.

-Downloaded several malware programs: Malwarebytes Anti-Malware, HiJack This, Spybot Search & Destroy, Lavasoft AdAware, and Windows Defender. Ran full scans for each. Got only tracking cookies except for Anti-Malware showed something called "Worm.Autorun.B", which I fixed.

-Tried disabling then removing all Firefox extensions.

-Tried uninstalling Firefox, deleting all associated files, and clearing all associated registry keys.

-Run complete scans and boot time scans with Avast Anti-Virus. This discovered a Trojan that I believe is unrelated. It was removed and no longer shows up.

After all of this it's still happening. Anybody have any ideas?

Any help would be greatly appreciated. I'll include a little more information in a reply below.

------------------

------------------ Logs

------------------

NOTE: The GMER Rootkit Scanner did not complete. However, the log provided is content I saved during the scan. DDS.txt is included inline below:

DDS (Ver_09-12-01.01) - NTFSx86

Run by chris at 18:00:59.00 on Sun 12/20/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1446 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091220-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINNDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINNDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNDOWS\Explorer.EXE

C:\WINNDOWS\RTHDCPL.EXE

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINNDOWS\system32\RUNDLL32.EXE

C:\WINNDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

svchost.exe

C:\WINNDOWS\ATKKBService.exe

C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

C:\WINNDOWS\system32\nvsvc32.exe

C:\WINNDOWS\system32\HPZipm12.exe

C:\WINNDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Documents and Settings\chris.CHRISDESK\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINNDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\chris.CHRISDESK\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINNDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINNDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\chris.CHRISDESK\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\chris.CHRISDESK\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\chris.CHRISDESK\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\chris.CHRISDESK\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\chris.CHRISDESK\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\winndows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\winndows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winndows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris~1.chr\applic~1\mozilla\firefox\profiles\ejwuw39f.default\

FF - plugin: c:\documents and settings\chris.chrisdesk\application data\move networks\plugins\npqmp071503000010.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\winndows\system32\drivers\aswSP.sys [2009-12-19 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]

R2 aswFsBlk;aswFsBlk;c:\winndows\system32\drivers\aswFsBlk.sys [2009-12-19 20560]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-19 138680]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-19 254040]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-19 352920]

R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\winndows\system32\drivers\RTL8187.sys [2009-7-10 176128]

S3 Asushwio;Asushwio;c:\winndows\system32\drivers\ASUSHWIO.SYS [2009-7-10 5824]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]

S3 SjyPkt;SjyPkt;c:\winndows\system32\drivers\SjyPkt.sys [2009-7-10 13532]

=============== Created Last 30 ================

2009-12-20 22:45:28 0 ----a-w- c:\documents and settings\chris.chrisdesk\settings.dat

2009-12-20 07:30:10 178 ----a-w- c:\winndows\system32\aswBoot.exe.sum

2009-12-19 16:57:40 56816 ----a-w- c:\winndows\system32\drivers\avgntflt.sys

2009-12-19 16:47:25 92747 ----a-w- C:\MGlogs.zip

2009-12-19 16:47:19 0 d-----w- C:\MGtools

2009-12-19 16:36:28 0 d-----w- c:\docume~1\chris~1.chr\applic~1\AVG8

2009-12-19 16:32:29 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com

2009-12-19 16:32:20 0 d-----w- c:\program files\SUPERAntiSpyware

2009-12-19 16:32:20 0 d-----w- c:\docume~1\chris~1.chr\applic~1\SUPERAntiSpyware.com

2009-12-19 16:32:02 0 d-----w- c:\program files\common files\Wise Installation Wizard

2009-12-19 16:31:51 2386045 ----a-w- C:\MGtools.exe

2009-12-19 16:23:19 0 d-----w- c:\program files\CCleaner

2009-12-19 03:18:04 0 dc----w- c:\docume~1\alluse~1.win\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

2009-12-19 03:17:41 0 d-----w- c:\program files\Lavasoft

2009-12-18 23:20:29 0 d-----w- c:\docume~1\chris~1.chr\applic~1\Malwarebytes

2009-12-18 23:20:25 38224 ----a-w- c:\winndows\system32\drivers\mbamswissarmy.sys

2009-12-18 23:20:24 19160 ----a-w- c:\winndows\system32\drivers\mbam.sys

2009-12-18 23:20:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-18 23:20:24 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2009-12-18 23:14:18 98816 ----a-w- c:\winndows\sed.exe

2009-12-18 23:14:18 77312 ----a-w- c:\winndows\MBR.exe

2009-12-18 23:14:18 261632 ----a-w- c:\winndows\PEV.exe

2009-12-18 23:14:18 161792 ----a-w- c:\winndows\SWREG.exe

2009-12-18 23:14:14 0 d-s---w- C:\KittyFix

2009-12-18 15:55:29 195456 ------w- c:\winndows\system32\MpSigStub.exe

2009-12-18 15:54:07 0 d-----w- c:\program files\Spybot - Search & Destroy

2009-12-18 15:54:07 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy

2009-12-15 20:31:19 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TomTom

2009-12-15 20:30:50 0 d-----w- c:\docume~1\chris~1.chr\applic~1\TomTom

2009-12-15 20:27:22 0 d-----w- c:\program files\TomTom DesktopSuite

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\winndows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\winndows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\winndows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\winndows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\winndows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\winndows\system32\raschap.dll

2009-10-11 09:17:27 411368 ----a-w- c:\winndows\system32\deploytk.dll

============= FINISH: 18:01:24.62 ===============

ark.txt

mbam_log_2009_12_19__12_14_00_.txt

Attach.txt

Link to post
Share on other sites

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.