Jump to content

Recommended Posts

Recently I've been having problems with a Google redirect virus. As with others, it's an occasional but frequent (around 1/3 to 1/2 of the time) redirect to a different site than the one I clicked on. Thus far however, the suggested solutions that I've read haven't worked. Recently Firefox upgraded its version and thus my Adblock was disabled; I'm not sure if this was the cause (or was just blocking the symptoms).

Thus far, I've tried:

* Using Malwarebytes' Anti-Malware (Quick Scan): Nothing detected.

* Using TDSSKiller.exe: it says it doesn't detect any infections.

* Going through My Computer's Device Manager, show hidden devices, but none of the entries matched a known malware list.

* Using Spybot - Search & Destroy: It didn't detect anything.

* Checking router: DNS in the router is my provider's (Suddenlink's) DNS address. Tried resetting the router, but the redirect still occurs.

* Checking my TCP/IP settings: Set to get DNS automatically.

* Checking hosts file: Nothing out of the ordinary.

I've also since installed Noscript on Firefox, but the redirect still occurs. I can post the noscript whitelist if it will help, however, nothing unusual has been whitelisted. Google.com is permitted in Noscript's whitelist.

I've packet sniffed the connection and it looks like the virus will connect to 213.23.3.144 and 213.23.3.146, which resolves to customer.worldstream.nl; I tried sticking this URL as 127.0.0.1 in my hosts file but it will still connect to those IP addresses. It also tried connecting to dc2w.3vg58t1.com (though I'm not sure if it's just the initial IP telling it to connect here) but editing that URL out with the hosts file seems to prevent that connection. In TCPView, it shows Firefox making a connection to the above IP when I start typing something into Google's search bar, when it switches to updating with results in real time. I think the redirect doesn't ocur when I had scripts off period, thus disallowing Google's real-time updating with results, but haven't tested that thoroughly (only tried a few times with no redirects).

I don't know how to get the computer to simply ban connections to those IP addresses, although that only removes the symptoms and not the actual virus. From above, it seems like removing Firefox scripts completely seems to work, but the redirect will occur if it's just using Noscript (with google.com allowed). I don't know if I should try disallowing google.com from Noscript.

The Anti-Malware log is below:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3993

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

5/28/2011 12:26:55 PM

mbam-log-2011-05-28 (12-26-55).txt

Scan type: Quick scan

Objects scanned: 117262

Time elapsed: 19 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I will be reading through the walkthrough for infections here so let me know if there are any steps there that I should pay particularly close attention to. Thanks.

Link to post
Share on other sites

Hello and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Link to post
Share on other sites

I disconnected the internet and disabled my anti-virus (Sophos), and ran DDS.scr. Results are below.

If it wasn't obvious, the link at the end of my initial post should've been to http://forums.malwarebytes.org/index.php?showtopic=9573, the tutorial for doing some preliminary investigation :P . I've also tried running GMER twice now, however, both times it will give a BSOD after a few hours saying "The IO manager has detected a violation by a driver that is being verified." with the stop code as C9 (5, 85F3E688,0,2). On the second time though before it got to that point, I saved what it had found so far in ark.txt, so the format may be different than usual and/or incomplete. Both attach.txt from DDS and ark.txt from GMER are in the attached zip file. Thanks for your help!

DDS Log:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_16

Run by Chuck at 13:56:14 on 2011-05-29

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2013.1499 [GMT -7:00]

.

AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FW: ZoneAlarm Extreme Security Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe

C:\PROGRA~1\Lenovo\LENOVO~2\LPMLCHK.exe

C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe

C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Sophos\AutoUpdate\almon.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Chuck\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uDefault_Page_URL = hxxp://lenovo.live.com

mDefault_Page_URL = hxxp://lenovo.live.com

mStart Page = hxxp://lenovo.live.com

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File

BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_16\bin\ssv.dll

BHO: ForceField Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: ForceField Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE

uRun: [systemCommon3xx] rundll32.exe "c:\documents and settings\chuck\local settings\application data\libcfgplay\SystemCommon3xx.dll",SystemMapMgmt dbcrtdrm

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [TpShocks] TpShocks.exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\LVOSDSVC.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup

mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe

mRun: [LPMailChecker] c:\progra~1\lenovo\lenovo~2\LPMLCHK.exe

mRun: [LCONTROL] "c:\program files\lenovo\atk hotkey\LCONTROL.exe"

mRun: [LFKA] "c:\program files\lenovo\atk hotkey\LFKA.exe"

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

dRunOnce: [ZAFFRegisterTrustChecker] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustChecker.dll"

dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_16\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: psfus - c:\windows\system32\psqlpwd.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

LSA: Notification Packages = scecli psqlpwd ACGina

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\chuck\application data\mozilla\firefox\profiles\spnuu59l.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll

FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

.

============= SERVICES / DRIVERS ===============

.

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-7-10 15448]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-25 150544]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-2 153728]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-2 24192]

R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [2011-5-23 31736]

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-25 353672]

R2 ISWKL;ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-2-12 21136]

R2 IswSvc;ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-2-12 394632]

R2 LFKAS;Service of LFKA;c:\program files\lenovo\atk hotkey\LFKAS.exe [2008-9-8 208896]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2008-6-20 11360]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-9-8 94208]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-5-23 167960]

R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-5-23 99864]

R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-6-24 12560]

R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2011-5-23 232472]

R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-5-23 1543192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 253952]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-8 108032]

S3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-2-12 54928]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2008-6-13 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2008-6-13 11904]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2008-6-13 11896]

S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2008-6-20 11384]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2008-6-20 11360]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-3-22 24312]

S3 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\realtemp\WinRing0.sys [2010-10-18 14416]

S4 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2008-6-20 129144]

S4 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2008-6-18 192112]

S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-2 14976]

S4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]

.

=============== Created Last 30 ================

.

2011-05-28 21:54:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-05-28 21:54:29 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-05-28 21:00:07 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2011-05-28 21:00:07 75264 ----a-w- c:\windows\system32\unacev2.dll

2011-05-28 21:00:07 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2011-05-28 21:00:07 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2011-05-28 21:00:07 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2011-05-28 21:00:05 -------- d-----w- c:\program files\Trojan Remover

2011-05-28 21:00:05 -------- d-----w- c:\documents and settings\chuck\application data\Simply Super Software

2011-05-28 21:00:05 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software

2011-05-23 14:30:07 31736 ----a-w- c:\windows\system32\drivers\skmscan.sys

2011-05-06 23:39:55 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-06 23:39:55 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-06 23:39:55 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-06 23:39:55 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-06 23:39:55 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-05-06 23:39:53 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-06 23:39:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-05-06 23:39:52 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

.

==================== Find3M ====================

.

2011-05-23 14:31:44 153728 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys

2011-05-23 14:31:09 24192 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys

2011-05-23 14:31:03 30744 ----a-w- c:\windows\system32\SophosBootTasks.exe

2011-05-23 14:30:27 24312 ----a-w- c:\windows\system32\drivers\sdcfilter.sys

2011-05-23 14:29:42 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll

2008-10-01 02:50:50 7508608 ------w- c:\program files\Firefox Setup 3.0.3.exe

2008-10-01 02:07:44 267056 ------w- c:\program files\utorrent.exe

2008-10-01 01:59:59 9064104 ------w- c:\program files\trillian-v3.1.10.0.exe

.

============= FINISH: 14:02:01.03 ===============

Attach.zip

Link to post
Share on other sites

Hello again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Done. The text file is attached. Combofix installed the recovery console (I didn't have it beforehand). The first time Combofix ran, it eventually got stuck at "Rebooting Windows...Please Wait" with no further messages for around 10 minutes, so I manually powered off the laptop. On powering it back on, there was no C:\ComboFix.txt, so I reran it, only to see that the rest of the messages were to not manually reboot. On both times, it said C:\WINDOWS\system32\userinit.exe was infected, which implies that restoring this file was not successful (or not attempted). The first time, it also deleted C:\documents and settings\Chuck\Local Settings\Application Data\LibcfgPlay\SystemCommon3xx.dll; I don't know what that file is for, but it showed up earlier in DDS.txt as a uRun under the pseudo HJT report.

As a side note, I opened up TCPView after the second run and found that Firefox is no longer trying to communicate with those IP addresses, and I haven't had redirect issues so far now. I don't know if it's due to ComboFix (for example, by deleting the .dll file above) or due to other actions I had taken (for example, Spybot Search & Destroy had immunized the system when I installed it earlier -- although I *think* I was still getting redirects after the immunization, but not sure now) in the past few days; I didn't think to check again until just now. Thanks for your help!

ComboFix.txt

Link to post
Share on other sites

Hi again,

That looks already a lot better!

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

  • [*] Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

[*]They are a security risk which can make your computer susceptible to a sm

Link to post
Share on other sites

I've removed uTorrent, updated Adobe Reader, and updated Java. The MBAM scan is below.

TCPView hasn't been showing any connection attempts to the previous IP addresses even with Noscript off completely (i.e. allow scripts globally). However, I'm not sure if the virus is actually removed from the system, i.e. thus far I don't know if there was a "smoking gun" file that was found to be the cause, or what action prevented the virus from working. At least I haven't seen the IP address on TCPView and haven't had Google redirects, though.

The Anti-Malware log is below:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

6/1/2011 6:09:49 PM

mbam-log-2011-06-01 (18-09-49).txt

Scan type: Quick scan

Objects scanned: 167418

Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Things are looking good, no more active malware there.

UPDATE XP

--------------

Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.