#1 (permalink)
Registered User
Join Date: Nov 2007
Posts: 6
OS: Win XP Pro SP2
That moment of stupidity leads to hours of headaches. (virus?, browser redirect)
Blah! I had this all typed out, then my PC locked up and I lost it, so forgive my shortness.
Running mostly-up-to-date Windows XP Pro. Got a virus this morning in a fit of stupidity. Or... it may have been a trojan or something. I dunno. It popped up a command prompt-type window that was scrolling what looked like a series of spaces followed by a periodic _ ... for what that matters. I closed it, found socks.exe running in my task manager. Google told me it was A Bad Thing, so I started updating Spybot and downloaded AVG... neither of them really came up with anything, though. A few cookies and a few "trojans" (that is, false positives... but none of the files were important, so I went ahead and let each program delete/quarantine anything it found). I did a little more digging and thought I was clean until I noticed that whenever I googled or yahooed in my web browser (Chrome), when I clicked on a result I had about a 75% chance of NOT going to the website in question and being sent off to some random website (one of the 'domain expired' or 'slightly typoed' ones, where they try to get you to click on their links). I spoke to a friend and he had me download Malwarebytes. I booted into safe mode and ran it... Again, I let it delete/quarantine the one file it found and didn't like, even though, again, I'm pretty sure it was a false positive. Better safe. :) Used CCleaner... cleaned up everything... uninstalled AVG, installed Avira AntiVir... did another scan... again a few more "false positives" and one "suspicious"... Again, let the program isolate and quarantine and heal whatever it wanted. Opened up browser... and... Chrome was working okay, but IE and Firefox had the same 'redirect' issues on search results on both Yahoo and Google... I didn't try any other search engines. But my bookmarks loaded up fine. I booted into safe mode with networking and, again, the problem persisted. I went through my task manager and control panel and couldn't find anything really weird. So... I have no idea what's up. I ran DDS, and you'll notice the logs attached. :)
I ran GMER too... but my PC kinda locked up on me mid-scan... I tried again after a few hours with the same result: the program scans... but after a while it seems to get stuck on one file or folder or another and just sits there. The first time, after about 15 minutes I thought 'well, maybe it's done?' and hit save. The program locked up fully at that point and any efforts to do anything else (save my notepad in which this is being typed, etc.) resulted in more process failure and eventually having to hit the reset button. After two lock-ups, I'm a bit concerned, but maybe I'm just being impatient... Anyway, I'll post my DDS log at the bottom of this. It and the included attach.txt are from before the two recent lock-ups... and I've rerun the DDS program since then, but I'll not post them due to the request to not post things unless requested. :) Right now I'm thinking my problem is very simple... or very, very bad. :/ But outside of the browser redirect I'm not having any issues... Here's my DDS... I'm off to sleep... sleep earlier got called off on account of PC. Oh, pardon typos - 3 hours of sleep in the last 48... and I'm gonna try to run GMER again while I sleep.
DDS (Ver_09-07-30.01) - NTFSx86
Run by Kitty at 17:33:30.73 on Fri 08/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2132 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kitty\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kitty\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/options&s=5xhdD9g64spsMWGs2Z7PGD9btTQ
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\program files\tgtsoft\stylexp\logon\CurrentLogon.EXE
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kitty\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229193141796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kitty\applic~1\mozilla\firefox\profiles\6gngiafx.default\
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\kitty\application data\mozilla\firefox\profiles\6gngiafx.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}\components\Engine.dll
FF - plugin: c:\documents and settings\kitty\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-14 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-14 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-14 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-14 55656]

=============== Created Last 30 ================

2009-08-14 14:13 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-14 14:13 <DIR> --d----- c:\program files\Avira
2009-08-14 14:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-14 13:17 <DIR> --d----- c:\windows\system32\appmgmt
2009-08-14 11:35 <DIR> --d----- c:\docume~1\kitty\applic~1\Malwarebytes
2009-08-14 11:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 11:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 11:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-14 07:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-08-14 07:49 <DIR> --d----- c:\program files\AVG
2009-08-14 07:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-14 07:19 642 a------- c:\windows\wininit.ini
2009-08-14 06:54 369 a------- c:\windows\msliveupdater.exe
2009-08-02 05:05 <DIR> --d----- C:\CrashReport

==================== Find3M ====================

2009-07-15 17:12 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-07-15 17:12 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-06-21 08:46 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll

============= FINISH: 17:35:09.37 ===============

(edited to attach file cuz i'm stupid)
Last edited by ColbyWolf; 08-15-2009 at 05:34 AM.
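A DDS log like the one above is normally read by hand by the helper who picks up the thread. The Python below is an added example (not a TechSupportForum tool, not DDS itself, and not part of the original post) that automates the first pass: it parses the FIREFOX and "Created Last 30" sections of a DDS-style log and collects entries a reviewer would want the poster to explain, namely a Firefox keyword.URL pointing at a host outside an analyst-supplied allow-list, and recently created executables that sit directly in the Windows directory or are unusually small for an installed program. The section headers and entry layout are taken from the log above; the allow-list, the 4096-byte threshold and all function names are assumptions. The output is a list of review prompts, not a verdict on any file.

```python
"""Triage helper for DDS-style logs (added example; not a TSF or DDS tool)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry layout as it appears in the log above: date, time, size or <DIR>,
# eight attribute flags, then the path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
KEYWORD_URL_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (?P<url>\S+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
TINY_EXEC_BYTES = 4096  # assumed threshold; tune it to what you consider normal
# Assumed allow-list of search hosts; the thread does not state a default.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com"}

# Excerpt of the DDS log posted above, one entry per line.
SAMPLE_LOG = r"""
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\kitty\applic~1\mozilla\firefox\profiles\6gngiafx.default\
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&ei=utf-8&yahoo_domain=search.yahoo.com&p=
=============== Created Last 30 ================
2009-08-14 14:13 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-14 14:13 <DIR> --d----- c:\program files\Avira
2009-08-14 11:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-14 07:19 642 a------- c:\windows\wininit.ini
2009-08-14 06:54 369 a------- c:\windows\msliveupdater.exe
2009-08-02 05:05 <DIR> --d----- C:\CrashReport
==================== Find3M ====================
"""


@dataclass
class Triage:
    """Review prompts pulled from one log. Nothing here is a verdict."""
    created: Dict[str, List[str]] = field(default_factory=dict)  # path -> reasons
    search_host: Optional[str] = None  # keyword.URL host if off the allow-list


def _host(url: str) -> Optional[str]:
    """Return the host of a DDS-defanged URL (hxxp://host/...)."""
    m = re.match(r"^hxxps?://([^/?]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _review_reasons(path: str, size: int) -> List[str]:
    """Heuristics for one 'Created Last 30' file entry (lower-cased path)."""
    reasons: List[str] = []
    if not path.endswith(EXEC_EXT):
        return reasons
    if re.fullmatch(r"c:\\windows\\[^\\]+", path):
        reasons.append("executable created directly in the Windows directory")
    if size < TINY_EXEC_BYTES:
        reasons.append(f"executable is only {size} bytes")
    return reasons


def triage_dds(text: str) -> Triage:
    """Walk the log section by section and collect review prompts."""
    result = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            section = line.strip("= ").lower()  # e.g. "created last 30"
            continue
        if section == "firefox":
            m = KEYWORD_URL_RE.match(line)
            if m:
                host = _host(m.group("url"))
                if host and host not in ALLOWED_SEARCH_HOSTS:
                    result.search_host = host
        elif section == "created last 30":
            m = ENTRY_RE.match(line)
            if not m or m.group("size") == "<DIR>":
                continue  # directories carry no size; skip them
            path = m.group("path").lower()
            size = int(m.group("size").replace(",", ""))
            reasons = _review_reasons(path, size)
            if reasons:
                result.created[path] = reasons
    return result


if __name__ == "__main__":
    t = triage_dds(SAMPLE_LOG)
    if t.search_host:
        print(f"Firefox keyword.URL points at {t.search_host}: confirm the user chose it")
    for path, reasons in t.created.items():
        print(path)
        for r in reasons:
            print("  -", r)
```

On the excerpt, the script reports the keyword.URL host and one file, the 369-byte executable created in c:\windows on the morning of the infection. Whether either is actually unwanted is for the user or helper to decide from context; the point of the heuristics is only to surface what the log itself makes visible.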
#2 (permalink)
Registered User
Join Date: Nov 2007
Posts: 6
OS: Win XP Pro SP2
Re: That moment of stupidity leads to hours of headaches. (virus?, browser redirect)
It's a bit too early for a bump... but I figured I'd update...
This morning's virus scan turned up empty as well... but at about noonish, a 'Windows Antivirus Pro' program popped up and started annoying me... needless to say, I googled fast, figured out how to kill it, and re-updated and ran Malwarebytes... 56 results... yeowza. *repairs all of them, saves logfile* Maybe I'd just be better off to reformat....
#3 (permalink)
Registered User
Join Date: Nov 2007
Posts: 6
OS: Win XP Pro SP2
Re: That moment of stupidity leads to hours of headaches. (virus?, browser redirect)
Well.
Never mind. I'm a bit disappointed. I've waited nearly a week for help, and even gently bumped once. I don't want to spam the forum when no one wants to help me... I'm not angry or anything, but a bit sad, as I've pointed any number of people to this website over the years... I think I've removed all traces of this... beast from my computer. But, considering that it was a rootkit causing the troubles, I'm just going to go on ahead and reformat. I'm no expert and don't want to be doubting my PC because of my amateur efforts. :) For the record, in the unlikely event anyone else comes here with a similar sort of problem, I used:
Avira AntiVir
Malwarebytes
CCleaner
Spybot S&D
Prevx (free version, installed, scanned and uninstalled, then the file manually rooted out and deleted)
I don't promise I'm clean in any way, shape or form... but maybe these programs can help someone else. If you're reading this... thanks for your time and wish me luck. I'll be reinstalling Windows in the next few days.
#4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista
Re: That moment of stupidity leads to hours of headaches. (virus?, browser redirect)
Hello ColbyWolf,
Sadly, there are many more seeking help cleaning their computers than there are of us. Additionally, your early bump threw you out of queue. Generally speaking, formatting is not a bad idea once a system has become this infected. If you haven't begun the process already, I'd like to see the current state of the system. Run a new scan with dds.scr and gmer. Post the fresh logs.
#5 (permalink)
Registered User
Join Date: Nov 2007
Posts: 6
OS: Win XP Pro SP2
Re: That moment of stupidity leads to hours of headaches. (virus?, browser redirect)
As I said: I'm not really angry, just a bit sad. :) I'm not an incompetent user, so... I'm not lost sitting here wringing my hands together going 'oh goodness, what now??'
I'm sorry that the early bump was what caused my problems... but I wasn't quite sure what else to do, as there was a new symptom that had shown up and been taken care of. Perhaps the stickies ought to be edited to reflect some procedure for cases like this? I don't know if it'd be preferable to wait on bumping with more information, or if the best solution would be to edit your original post, but... it seems like something that should be shared with the people. :) However, as my reformatting is "scheduled" for a few days from now (I have a lot of data I need to transfer), I'll rerun the scans over the next few hours and post them then. Also, on the topic of what information would be nice to have in a sticky, it would be very nice to have a warning that dds.scr will be regarded as suspicious by some programs... :D
#6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista
Re: That moment of stupidity leads to hours of headaches. (virus?, browser redirect)
I'll certainly take that into consideration and see how best to address that.
I'll be awaiting those logs. I think you may end up being surprised at what we might be able to do for you.