[HighwayBobbery]

Running windows XP.

I initially had antivirus system pro virus, but killed it. Now i am having several hijack issues.
1) on opening chrome i get three blank pages and:

file:///C:/Documents%20and%20Settings/Alexander/Local%20Settings/Application%20Data/Google/Chrome/Application/3.0.195.33/

opened automatically

2) search results appear to link to valid sites but take me elsewhere, usually a related search in an obscure 'search engine' or a blatant pay per click.

3) sometimes just typing in the google search box on toolbar or in the page will cause tabs to open.

4) firefox opens a bunch of tabs with really weird urls that look like binary data when you view in a text editor (weird characters etc.)

Was using avg free now using avast. they find something sometimes other times nothing. Here is my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Alexander at 14:14:12.46 on Fri 12/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1692 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091204-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\webservices\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\webservices\apache\bin\httpd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\Alexander\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Documents and Settings\Alexander\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\alexander\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [<NO NAME>]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alexan~1\startm~1\programs\startup\hijack~1.lnk - c:\program files\trend micro\hijackthis\HijackThis.exe
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {75C68C07-367F-4A16-9A55-7C8BD12321A9} = 208.67.222.222,208.67.220.220
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alexan~1\applic~1\mozilla\firefox\profiles\ev6u3nyu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?client=firefox-a&channel=s&hl=en&btnG=Google+Search&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - plugin: c:\documents and settings\alexander\application data\mozilla\plugins\npo3dautoplugin.dll
FF - plugin: c:\documents and settings\alexander\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\lively\nplively.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyrMus.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2009-2-18 16384]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-2 114768]
R2 Apache2.2;Apache2.2;c:\webservices\apache\bin\httpd.exe [2008-6-13 24635]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-2 138680]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-2-18 16400]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-10-29 583640]
S2 gupdate1c9234bc77ca988;Google Update Service (gupdate1c9234bc77ca988);c:\program files\google\update\GoogleUpdate.exe [2008-9-30 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-2 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-2 352920]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2009-2-18 97808]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2009-2-18 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2009-2-18 21904]
S3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2008-6-26 120960]

=============== Created Last 30 ================

2009-12-04 05:37:40 0 d-----w- c:\docume~1\alexan~1\applic~1\Malwarebytes
2009-12-04 05:37:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 05:37:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-04 01:33:12 1120 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-04 01:29:20 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-12-04 01:28:50 0 d-----w- c:\program files\STOPzilla!
2009-12-04 01:28:50 0 d-----w- c:\program files\common files\iS3
2009-12-04 01:28:49 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-12-02 15:49:06 0 d-----w- c:\program files\Trend Micro
2009-12-02 03:29:06 0 d--h--w- C:\$AVG
2009-12-02 03:28:39 0 d-----w- c:\program files\AVG
2009-12-02 03:28:37 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-28 21:37:54 14 ----a-w- c:\windows\entpack.ini
2009-11-23 01:16:01 0 d-----w- c:\program files\2K Games
2009-11-21 20:56:53 0 d-----w- c:\program files\Cogs
2009-11-20 21:26:33 0 d-----w- c:\program files\common files\Control Panels
2009-11-20 21:25:00 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM
2009-11-20 20:17:32 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2009-11-20 20:17:32 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-11-20 20:09:02 0 d-----w- c:\program files\common files\Macrovision Shared
2009-11-17 20:59:18 0 d-----w- c:\docume~1\alexan~1\applic~1\LucasArts
2009-11-17 20:55:15 0 d-----w- c:\program files\LucasArts
2009-11-16 01:17:17 0 d-----w- c:\program files\Telltale Games
2009-11-13 02:44:13 0 d--h--w- c:\program files\Zero G Registry
2009-11-13 02:43:17 0 d--h--w- c:\documents and settings\alexander\InstallAnywhere
2009-11-10 20:17:20 0 d-----w- c:\docume~1\alexan~1\applic~1\OpenOffice.org
2009-11-10 16:09:03 0 d-----w- c:\program files\JRE
2009-11-10 16:09:00 0 d-----w- c:\program files\OpenOffice.org 3

==================== Find3M ====================

2009-12-02 21:33:09 40460 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 14:15:20.12 ===============

 

[Glaswegian]

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.




Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.

 

[HighwayBobbery]

OOh that was fun! lets do some more!! Log is attatched. Thanks for your help!

 

[Glaswegian]

Hi again

You need to get out more…


How is your system running now?


Online Scan
Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

Note that Panda may take several hours to scan your system.

 

[HighwayBobbery]

Doing the panda now, system still pretty borked, getting the blank popups and opens a system folder for google. happens kind of randomly.

 

[HighwayBobbery]

to be more precise firefox opens several windows with urls like:
wxw.xn--lmxif234-tka37cjdzptak5548jga78f.com. (replaced www to wxw)

also opens file:///C:/Documents%20and%20Settings/Alexander/

and http://wxw.µƒšÖÎ×®4ñ9ÚÓ6„3Âdëc�îx´èïxf¹Övmae®aꧧò6!)Ùe�Ãý…%1c‹Åðâ^d’%.com/?%D1)%03c%87%B0v%AD%60%80%AA%C6%FESFCy+%8C%E9%B8%9Dn%86%97%DE%9D%D7%12%12%17V%86%CF%E9%D4%A2SP(%A9%9E%FB#4=%C2%AE%C3%8C/%C3%BD%C3%A5%C3%93%C6%92%C5%BD%C3%BA%C3%BD%20%C3%9EG4F%06%C3%AA%03mD%1D%C3%A3%C2%B9T%0B%C3%AFe%C3%86%C3%948%C3%BD%C2%BF%C3%AEKq\%C3%A1%C3%9E%17%E2%80%A6%C3%92O%02Q%C3%9D%C3%A4%C3%A8%E2%80%A2%C3%BA:%C2%A9wD%C3%89;%C3%A4%C2%B7%C6%92h%C2%B3W%C3%BE%15%C3%B0%C3%86%C3%B5W%27%0Fg%C3%99Pm1%C2%A8%j%C2%A9%20%C3%AC%C2%BE%C2%B37%04%C2%BF%C5%BDt;k%C3%9A%C3%A4%C3%AFy7%E2%80%93%1F%C3%86%C2%AF%C2%A5%7F%10%C3%9B%15%12%C3%B9%C3%804:5D%C2%90%C3%9D%C2%AA%18!%E2%80%A0%C3%AD%19%C3%B5mc%C2%8F%C2%BD2%C2%A3%C2%AD%C3%99%02:%C3%BC%E2%80%9A%C3%8B8%C3%8F%E2%80%A6%C2%AD%C3%BD%C2%AD%C3%97l%C2%B5%E2%80%93%C2%9D0/%C3%BE:%C3%BC%C3%98%E2%80%BA%C2%B8%0BO%C3%96%E2%80%9EQ%C5%92%C3%A4%C5%93X%C2%A2%C3%9A%C5%B8%C3%BB%C2%A7X-%C2%BD

Someone wants in or out BAD. Is this registry data or somethign? Panda sends his regards will finish asap.

 

[HighwayBobbery]

Wow panda does not F around! 16 hours later..

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-12-07 10:58:32
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1368 [VPS 091206-0] 4.8.1368 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No c:\mass\archive\old user folders\alex\cookies\[email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\mass\archive\old user folders\alex\cookies\[email protected][2].txt
00167690 Cookie/Rightmedia TrackingCookie No 0 Yes No c:\mass\archive\old user folders\alex\cookies\[email protected][1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\mass\archive\old user folders\alex\cookies\[email protected][1].txt
00169288 Cookie/Gorillanation TrackingCookie No 0 Yes No c:\mass\archive\old user folders\alex\cookies\[email protected][1].txt
03587590 Adware/Yassist Adware No 0 No No c:\documents and settings\alexander\my documents\my downloads\startup downloads\divxinstaller.exe[²çç\y_toolbar.exe][²èç]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


It also killed a rootkit, but that didn't show in the log. Still getting popups esp. htxxp://www.local-news-online.com/?t202id=4264&t202kw=

Thanks again!

 

[HighwayBobbery]

just searched for yassist and got redirected from google results

 

[HighwayBobbery]

Fascinating, just refreshed this page and got this as a new tab popup:

hxxp://wxw.pcsecurityshield.com/lp/shield-deluxe-27.aspx?trk=WTK&affid=541

 

[Glaswegian]

Hi again

We’ll use combofix again.

Combofix

• Close any open browsers.
  
• Open notepad and copy/paste the text in the box below into it:

Mbr::

Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.

 

[HighwayBobbery]

done with the combofix, it prompted me to update combofix hope it ran the right test after that. Log attatched. BTW it found another rootkit. Still getting popups but hey this is fun! right?

 

[Glaswegian]

Hi again

Go here to install the MVPS Hosts file. It replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.


Clear your Firefox cache.

In Firefox, go to Tools > Options > Privacy and click the Clear Now button.


Clear out your Internet Explorer cache.

In IE click Tools > Internet Options > General Tab.

In the Temporary Internet Files section, click the Delete Files button. This will delete all the files that are currently stored in your cache.



Download RootRepeal.zip to your Desktop and extract the compressed file to it's own folder.

Open the folder and doubleclick on RootRepeal.exe to run it.

• Click on the Report tab, and then click on: Scan
• A window opens asking what to include in the scan.
• Check the following boxes then click OK:

• Drivers
  Files
  Processes
  SSDT
  Stealth Objects
  Hidden Services
  Shadow SSDT

• You will then be asked which drive to scan.
• Check C: (or the drive your operating system is installed on, if not C)
• Click OK once again.
• The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report. Save it to your desktop so you may find it easily.

Please attach the report in your next reply.

 

[HighwayBobbery]

Stupid windows Somewhere in the middle of the overnight run of rootrepeal my system decided it was time to do a windows update and restart. I assume that rootrepeal did not finish, and it had at the point i went to bed, found something. I will run the program again tonight and post again tomorrow. Thanks for your help! BTW I added

127.0.0.1 www.local-news-online.com

to my hosts file, is a popup that was still coming through on firefox start. Don't know if this points the finger to any particular virus?

 

[Glaswegian]

Hi

That seems to be a legit site - at least I can reach it no problem and I'm running the same Hosts file.

RootRepeal is just a scanner - it won't actually remove anything so running it again is fine.