
Redirect.ad-feeds.net causing popups, but the Hosts file didn't change or anything.

Discussion in 'Virus & Other Malware Removal' started by Kaljinyu, Mar 27, 2012.

  1. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    I kinda only just noticed this problem, but every now and then redirect.ad-feeds.net will pop up a new window, and send me to something like Bestofyoutube.mevio.com or something. This looked like a minor adware issue, so I went to check my Hosts file to see if there was anything redirecting me remotely. Couldn't find anything.

    I'd try System Restore, but I doubt it would help, this may be hiding in the System Restore file. Any experience with this particular monster? Or maybe a recommendation of a small and free anti-malware program to take care of it?
     
  2. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Nope, System Restore didn't work.

    EDIT: Also, Internet Explorer was blocked by my firewall at first, for some reason. And now, when I click on search results in Google, I get redirected.
     
  3. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    It's apparent in all browsers, and on all browsers certain features have been blocked by the firewall. This leads me to believe that my computer is somehow getting these ads through some remote service or connection. But my Hosts file is normal!

    EDIT: The Hosts file at C:\WINDOWS\system32\drivers\etc is missing now. What happened? I ran a scan with MalwareBytes and cleared the quarantine, might that have done something?
     
  4. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    I've also noticed that my browsers lag periodically now. Like when I'm typing. I'll be typing along, and then it'll hang for a split second, and then stop lagging. As if during that lag, some page or something was loading in the background.

    Also, I've noticed a popup happen without me searching for anything. I think that might be the background process going on. But I don't notice any unusual processes in Task Manager. Should I provide a HJT log?
     
  5. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,846
    Follow the advice here and post the logs those programs make.

    Did you see the big red message telling you what to do when you tried to make your first post in this topic, or did you just decide to ignore it?
     
  6. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Last couple of times I came to get help, HJT and DDS logs weren't required or ever asked for, I thought that was antiquated and that you guys requested them as necessary.

    Anyway, I'll post those logs ASAP.
     
  7. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Late to posting these logs. But that's because the problem has advanced, or maybe a new problem has come along, not sure which it is.

    See, I wake up to find that the fake anti-malware program "System Check" is plaguing me. It hides all my files and everything. Makes System Restore not work. So I boot into Safe Mode and get to My Computer through Explorer. In Folder Options I reveal all hidden items, and once they're revealed I start unhiding select things. I do a very quick scan in MalwareBytes and find some System Check stuff in an Application Folder on this computer. I delete them manually, only to realize later that I probably shouldn't have done that yet.

    Once I delete those two items, I discover that I also can't get online on this computer, for some reason, even in Safe Mode. And System Restore still doesn't work. So I use RKill to kill whatever System Check stuff might still be running. After that, I can see my desktop in Safe Mode. I restarted my computer to test if I still could. My desktop stayed. Also, Internet access is kinda working. I'm in Safe Mode with Networking now. Still having Google redirect issues. Tried running TDSSKiller, didn't fix the problem.

    EDIT: So I decided to get those logs you asked for and post them here, now that I could see my desktop and whatnot. I got the HJT log without any problems, but D.D.S. kept hanging for well over 3 minutes. Don't know if I have any script blockers running, I don't believe that I do. I got a log from GMER, but GMER did open with this error...

    LoadDriver( "C:\DOCUME~1\Parent\LOCALS~1\Temp\fflcrpoc.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

    I'll post the two logs I was able to get next.
     
  8. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    First, the HJT log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:51:09 AM, on 3/28/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Parent\Desktop\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k12.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: InboxDollars - {47980628-3844-42AA-A0DD-E2D86BBA9600} - C:\Documents and Settings\Parent\My Documents\InboxDollars\Toolbar.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Raptr] C:\PROGRA~1\Raptr\raptrstub.exe --startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.k12.com
    O15 - Trusted Zone: *.clonewarsadventures.com
    O15 - Trusted Zone: *.freerealms.com
    O15 - Trusted Zone: *.soe.com
    O15 - Trusted Zone: *.sony.com
    O15 - Trusted Zone: http://*.mcafee.com (HKLM)
    O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
    O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
    O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
    O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1299365905203
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Wmiaprpl (EIO_XP) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
    O23 - Service: EngineServer - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    O23 - Service: Dpc_srv_webcast (mnsframework) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
    O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
    O23 - Service: S7oppitx (WNCPKT) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
    O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe

    --
    End of file - 9298 bytes
     
  9. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Here's the ARK log from GMER.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-28 13:45:39
    Windows 5.1.2600 Service Pack 3
    Running: nzxnft67.exe; Driver: C:\DOCUME~1\Parent\LOCALS~1\Temp\fflcrpoc.sys


    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB40321$\2025457899 0 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929 0 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\cfg.ini 272 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\L\zwpoogcz 162816 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\oemid 313 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\00000001.@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\80000000.@ 66560 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\80000032.@ 115200 bytes
    File C:\WINDOWS\$NtUninstallKB40321$\737719929\version 861 bytes

    ---- EOF - GMER 1.0.15 ----
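    The two logs above (the HijackThis O23 service entries and the GMER file list) can be triaged mechanically. What follows is an added example, not a tool from this thread or from HijackThis/GMER: the sample lines are constructed copies of a few entries from the logs above, and the severity rules are heuristics of my own.

```python
import re

# Constructed sample lines modelled on entries in the HJT and GMER logs
# posted above (a handful of lines, not the full logs).
HJT_SAMPLE = r"""
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Wmiaprpl (EIO_XP) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: EngineServer - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe (file missing)
O23 - Service: S7oppitx (WNCPKT) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

GMER_SAMPLE = r"""
File C:\WINDOWS\$NtUninstallKB40321$\737719929 0 bytes
File C:\WINDOWS\$NtUninstallKB40321$\737719929\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB40321$\737719929\L\zwpoogcz 162816 bytes
File C:\WINDOWS\$NtUninstallKB40321$\737719929\cfg.ini 272 bytes
"""

O23_PREFIX = "O23 - Service: "
GMER_FILE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")


def triage_o23(log: str) -> list[tuple[str, str, str]]:
    """Return (service, severity, reason) for suspicious O23 service lines.

    A device-namespace (globalroot) path pointing at svchost.exe is rated
    high: a legitimate service registration has no reason to be written
    that way. 'Unknown owner' plus '(file missing)' on a normal path is
    only medium, because that is also what an incomplete uninstall (the
    McAfee leftovers in the log) looks like.
    """
    findings = []
    for line in log.splitlines():
        if not line.startswith(O23_PREFIX):
            continue
        # HJT format: "<name> - <owner> - <path>"; split from the right so
        # a " - " inside the display name does not break the parse.
        name, owner, path = line[len(O23_PREFIX):].rsplit(" - ", 2)
        if path.lower().startswith(r"\\.\globalroot"):
            findings.append((name, "high", "device-path service target"))
        elif owner == "Unknown owner" and path.endswith("(file missing)"):
            findings.append((name, "medium", "orphaned service, unknown owner"))
    return findings


def triage_gmer_files(log: str) -> list[str]:
    """Return non-empty payload files hidden under a $NtUninstall...$ folder.

    Genuine uninstall folders hold patch backups; '@' files and U/L
    subfolders holding randomly named binaries are not something an
    update leaves behind (heuristic, my own).
    """
    hits = []
    for line in log.splitlines():
        m = GMER_FILE.match(line)
        if not m or int(m.group("size")) == 0:
            continue
        path = m.group("path")
        parts = path.split("\\")
        in_uninstall = any(p.startswith("$NtUninstall") for p in parts)
        payload = path.endswith("@") or "U" in parts or "L" in parts
        if in_uninstall and payload:
            hits.append(path)
    return hits
```

    Run over the full logs, the same two rules single out the three `\\.\globalroot` services and the `U\` and `L\` payloads while leaving the McAfee and Canon leftovers at medium.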
     
  10. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Just ran Unhide.exe to automatically unhide all my hidden files. I think it unhid exactly all of them.

    Should I also run MalwareBytes? Could it hurt?

    EDIT: Just signed into normal mode to see if it would work. It does, but I'm still having the popup/redirect problem. Never tried a full MalwareBytes scan, but seeing as we're back to Square One, as it were, I think I'll wait until I get further instructions.
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,662
    Dvk01 is not available today so I'll give you some instructions to follow as you have a rootkit that needs to be addressed.

    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  12. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Alright, I'll get on that ASAP. But before I do, I notice that it's often suggested that I don't even touch my computer while things like this are running. But what if my screensaver comes up?

    By the way, another thing I've noticed, while I'm connected and browsing, sometimes when I'm not doing anything, I hear the Windows Asterisk chime. Nothing pops up, nothing new in the browsing history, I didn't click anything, I think it's a sign that something's going on in the background. Which means that this might happen even if I'm not browsing.
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,662
    That shouldn't matter but you can turn off the screen saver if you wish.
     
  14. Kaljinyu

    Kaljinyu Thread Starter

    Joined:
    Jun 20, 2005
    Messages:
    268
    Started running ComboFix a few minutes ago, but I think it's frozen. See, a prompt came up saying that ComboFix (which I renamed Puppy) had discovered my computer was infected with a Rootkit.ZeroAccess, embedded in the TCP/IP stack. I had to move the cursor to click Okay, and then I did. But after I clicked it, the cursor froze, as well as the clock.

    Heavy workload? Or is it being stopped somehow?

    EDIT: Meant to add, it's been frozen like this for 20 minutes now.
     
  15. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,846
    Reboot & run ComboFix again, please.
     
Short URL to this thread: https://techguy.org/1046806