
Good evening, Malwarebytes staffers. I wish I didn't have to be here, but the Internet can be a scary place at times.

Recently (a little less than a week ago), I visited a forum that I occasionally frequent and soon discovered that its server had been compromised and my computer had downloaded something of the "not good" variety. (I had forgotten to take my COMODO firewall/antivirus out of game mode - last time I make that mistake while I have an active internet connection.) After running Spybot S&D, I discovered and dealt with files related to the Virtumonde.prx version of the Vundo trojan. After that, I believed I had my problems solved.

Unfortunately, I discovered a day or two ago that clicking on Google search result links occasionally redirects me elsewhere. After finding this site with other people having similar problems, I've decided to seek your assistance in getting this sucker dealt with permanently.

For the record:

- First, I do use a router, and resetting it/flushing the DNS cache proved not to be useful, though it seems that the redirects happen less frequently now. (I'm wired into it and not using wireless; another wireless user using the router has not reported anything unusual.)

- Second, at the time I was infected, I had a bunch of outdated Java 6 versions existing on my computer (which have since been uninstalled), and what tipped me off to the infection was a couple seconds of hard drive activity followed by a Java tray icon with a strange popup message that I can't recall the contents of right now.

- Third, the forum page in question was forum.ffshrine.org, which I had been able to visit in the past without any problems. However, a sister site of theirs (gh.ffshrine.org) had been briefly listed as an attack site a couple years ago, though I doubt the two events were related that much. I haven't been back there yet to see if it was ever recently flagged as an attack site, obviously for my own safety.

Of note about these logs:

- I'm pretty sure all that was found by MBAM were false positives, and I proceeded to restore all of them. However, I noticed that I have a notepad.exe executable in both c:\windows\ and c:\windows\system32\. My notepad shortcuts all lead to the \system32\ one, which was the one that MBAM flagged as infected. Is this normal, or is one of them not supposed to exist?

- Something I saw in the DDS log was the Hosts line, with a www.spywareinfo.com next to the normal host IP. I'm pretty sure this is bad news, and may be a starting point to tracking something down.

- GMER took absolutely forever to run, and after it finally finished, I noticed that the memory usage of most of my running processes had ballooned by roughly 30 M each. Is this expected behavior, or the result of whatever this is fighting back? Also, my computer briefly BSOD'd while running through the shutdown process (to reboot after running GMER), but started back up as normal with the exception of a "Windows has recovered from a serious error" message after I had logged in.

---MBAM Log---

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6689

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/26/2011 7:04:52 PM

mbam-log-2011-05-26 (19-04-52).txt

Scan type: Quick scan

Objects scanned: 162886

Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\notepad.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\calc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

---End MBAM Log---

---DDS Log---

DDS (Ver_2011-05-26.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by PhoenixAvenger at 22:36:11 on 2011-05-26

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1417 [GMT -7:00]

.

AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FW: COMODO Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com

uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Conime] %windir%\system32\conime.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

AppInit_DLLs: WIKI.DLL c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\phoenixavenger\application data\mozilla\firefox\profiles\uropmgog.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\phoenixavenger\application data\mozilla\firefox\profiles\uropmgog.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}

FF - Ext: Extended Statusbar: {daf44bf7-a45e-4450-979c-91cf07434c3d} - %profile%\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}

FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}

FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

FF - Ext: Forecastbar Enhanced: {3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8} - %profile%\extensions\{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8}

FF - Ext: Mostly Crystal: {0a3a9250-be64-11dc-95ff-0800200c9a66} - %profile%\extensions\{0a3a9250-be64-11dc-95ff-0800200c9a66}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: XULRunner: {EFB6E68B-33D0-4BE6-A9EF-0222713FCAD0} - c:\documents and settings\phoenixavenger\local settings\application data\{EFB6E68B-33D0-4BE6-A9EF-0222713FCAD0}

.

============= SERVICES / DRIVERS ===============

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-6-1 15592]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 239368]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 27576]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1803224]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-3-9 366000]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2011-4-30 19720]

R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2007-5-28 19968]

S1 aswSP;avast! Self Protection; [x]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswfsblk.sys --> c:\windows\system32\drivers\aswFsBlk.sys [?]

S3 gel90xne;gel90xne;\??\c:\docume~1\phoeni~1\locals~1\temp\gel90xne.sys --> c:\docume~1\phoeni~1\locals~1\temp\gel90xne.sys [?]

S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2011-4-30 14856]

S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2007-4-24 56576]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S4 MIMO XR TM PCI WLService;MIMO XR TM PCI Adapter WLService;c:\program files\airlink101\awlh5026\WLService.exe [2007-5-28 49152]

.

=============== Created Last 30 ================

.

2011-05-27 01:45:13 -------- d-----w- c:\documents and settings\phoenixavenger\application data\Malwarebytes

2011-05-27 01:45:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-27 01:45:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-27 01:45:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-27 01:45:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-22 07:45:51 -------- d-----w- c:\documents and settings\phoenixavenger\local settings\application data\{EFB6E68B-33D0-4BE6-A9EF-0222713FCAD0}

2011-05-18 03:03:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-04-30 19:56:18 14856 ----a-w- c:\windows\system32\drivers\LGVirHid.sys

2011-04-30 19:56:16 19720 ----a-w- c:\windows\system32\drivers\LGBusEnum.sys

.

==================== Find3M ====================

.

2011-04-14 12:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 09:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 19:44:14 59888 ------w- c:\windows\system32\pxwma.dll

2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 14:49:02 131072 ----a-w- c:\windows\system32\EKIJCOINST12.dll

2011-03-03 14:45:06 196608 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll

2011-03-03 14:45:02 425984 ----a-w- c:\windows\system32\EKIJ5000MON.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 22:39:41.09 ===============

---End DDS Log---

attach.zip

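A defender-side check for the Hosts line singled out above, written as an added Python example that is not part of this thread or of any tool mentioned in it: it parses a constructed hosts file (modelled on the DDS "Hosts:" entry) and flags security-vendor domains mapped to loopback, as with www.spywareinfo.com here, plus any hostname mapped to a non-loopback address. SECURITY_HOSTS is an assumed, illustrative list, not a vendor feed.

```python
import ipaddress

# Constructed sample hosts file, modelled on the "Hosts:" line DDS reported above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.spywareinfo.com
127.0.0.1 www.malwarebytes.org   # blocks the vendor the user is asking for help
0.0.0.0   ads.example.net        # typical ad-block style entry, not flagged
::1 localhost
203.0.113.7 www.google.com       # non-loopback mapping silently redirects traffic
"""

# Assumed, illustrative list of security-related domains that malware
# commonly sinkholes to stop updates or cleanup tools. Not exhaustive.
SECURITY_HOSTS = (
    "spywareinfo.com",
    "malwarebytes.org",
    "bleepingcomputer.com",
    "windowsupdate.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag entries that (a) map a known security site to loopback, or
    (b) map any name other than localhost to a non-loopback, non-null address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("unparseable", ip, name))
            continue
        if name in ("localhost", "localhost.localdomain"):
            continue
        blocked = any(name == d or name.endswith("." + d) for d in SECURITY_HOSTS)
        if addr.is_loopback and blocked:
            findings.append(("blocked-security-site", ip, name))
        elif not addr.is_loopback and not addr.is_unspecified:
            findings.append(("redirected", ip, name))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(*finding)
```

Entries pointing at 0.0.0.0 or loopback for non-security domains are left alone, since Spybot-style immunization and ad-blocking hosts lists legitimately add thousands of those.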

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log. Quarantine everything found.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Okay, well, I'm pretty sure something went wrong with ComboFix. Despite the fact that I had Comodo's Firewall, Antivirus, and Defense+ set to "Disabled", it still threw a hissy fit when I ran it and NircmdB.exe was a casualty of that interference somehow even after I added everything to Exclusions/hit the Game Mode switch on Comodo. An error prompt indicating Windows couldn't find NIRKMD kept popping up through most of the ComboFix scan, and I wasn't given a chance to install the XP Recovery Console. As a result, this log probably won't mean much at the moment and I'll have to un/re-install ComboFix after your further instructions. (It also threw a hissy fit when it auto-scanned ComboFix.exe upon its download completion; I'm presuming this is expected behavior.)

Updated MBAM and it found nothing but the fact that my My Computer/My Documents links were missing from my Start menu, which I knew since I disabled that intentionally to prevent redundancy. Still, as per your instructions, I went ahead and quarantined those.

And as an addendum to my previous post: the post-GMER reboot BSOD was caused by some process or other not letting go of my registry during the shutdown. So it probably didn't mean anything.

logfiles.zip


  • Staff

Grab a fresh copy of ComboFix and put it on your Desktop; don't run it yet. Rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall

See if it will run successfully now.


Just wanted to post in here to let you know what my status was. I haven't forgotten about this, and thank you for all your help.

It appears ComboFix, even in its limited capacity, fixed the Google redirect issue by deleting that "Mozilla XULRunner" extension that somehow made its way into my Firefox install, as shown on the help threads of other users here. Not sure how that got on Firefox when I have it set to warn me when anything tries to install a new extension, but hopefully Mozilla knows of whatever exploit this was by now.

Also, it seems the reason why Comodo was interfering with ComboFix was that the cloud-based services associated with Defense+ were still running and warning about files even though I had Defense+ itself set to Disabled. Unchecking those two in Defense+'s settings would seem to fix that.

With that said, how do you recommend I proceed from here? In other words, is there anything specific that my previous logs indicate might still be an issue in my system that I should address? Or should I just run ESET's online scanner (as I ran a Comodo full scan, which turned up nothing that wasn't related to ComboFix) and call it a week?


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
