Author Topic: top-humor-site.com hijacking Firefox  (Read 3435 times)


CelesteInTex

  • Guest
top-humor-site.com hijacking Firefox
« on: October 14, 2012, 01:04:58 AM »
I went someplace I shouldn't have and caught a nasty.

Mostly seems to be happening in Firefox, but there could be other nasties lurking.

Reports attached and below.

Thanks for any help you can give!

Malwarebytes Anti-Malware (PRO) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.13.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Celeste :: CELESTE-DESKTOP [administrator]

Protection: Enabled

10/13/2012 4:04:25 PM
mbam-log-2012-10-13 (16-04-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237361
Time elapsed: 21 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

CelesteInTex

  • Guest
Re: top-humor-site.com hijacking Firefox pt 2
« Reply #1 on: October 14, 2012, 01:10:58 AM »
Here is the aswMBR report, below and attached.

Thanks so much!

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-13 16:52:22
-----------------------------
16:52:22.209    OS Version: Windows 5.1.2600 Service Pack 3
16:52:22.209    Number of processors: 2 586 0xF02
16:52:22.209    ComputerName: CELESTE-DESKTOP  UserName: Celeste
16:52:23.772    Initialize success
16:52:30.350    AVAST engine defs: 12101301
16:54:25.240    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:54:25.240    Disk 0 Vendor: WDC_WD20EARS-00MVWB0 51.0AB51 Size: 1907729MB BusType: 3
16:54:25.256    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-1b
16:54:25.256    Disk 1 Vendor: WDC_WD2500JS-75NCB3 10.02E04 Size: 238418MB BusType: 3
16:54:25.287    Disk 1 MBR read successfully
16:54:25.287    Disk 1 MBR scan
16:54:25.381    Disk 1 Windows XP default MBR code
16:54:25.381    Disk 1 Partition 1 00     DE Dell Utility Dell 8.0       47 MB offset 63
16:54:25.412    Disk 1 Partition 2 80 (A) 07    HPFS/NTFS NTFS       238362 MB offset 96390
16:54:25.412    Disk 1 scanning sectors +488263545
16:54:25.522    Disk 1 scanning C:\WINDOWS\system32\drivers
16:54:38.272    Service scanning
16:55:00.147    Modules scanning
16:55:09.756    Disk 1 trace - called modules:
16:55:09.803    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
16:55:09.803    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8af11ab8]
16:55:09.803    3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-1b[0x8aea8b00]
16:55:10.600    AVAST engine scan C:\WINDOWS
16:55:20.053    AVAST engine scan C:\WINDOWS\system32
16:58:09.678    AVAST engine scan C:\WINDOWS\system32\drivers
16:58:28.131    AVAST engine scan C:\Documents and Settings\Celeste
17:01:49.569    Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Celeste\Desktop\top-humor-site.com\MBR.dat"
17:01:49.584    The log file has been saved successfully to "C:\Documents and Settings\Celeste\Desktop\top-humor-site.com\aswMBR.txt"



essexboy

  • Malware removal instructor
Re: top-humor-site.com hijacking Firefox
« Reply #2 on: October 14, 2012, 01:19:51 PM »
Let me know if this stops it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
[2012/10/08 15:54:34 | 000,019,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Celeste\Application Data\Mozilla\Firefox\Profiles\lm2rqsj7.default\extensions\YouTubetoALL@ALLPlayer.org.xpi
[2011/12/31 15:26:23 | 000,013,446 | -HS- | C] () -- C:\Documents and Settings\Celeste\Local Settings\Application Data\210ix62kx62y12744267ukpick4g023cen2wf40834k
[2011/12/31 15:26:23 | 000,013,446 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\210ix62kx62y12744267ukpick4g023cen2wf40834k

:Files
C:\Documents and Settings\Celeste\Desktop\top-humor-site.com

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
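Before pasting a fix script like the one above into OTL, it is worth checking exactly which paths it will remove. The parser below is an added example, not code from the thread or from OTL itself; it assumes the :OTL entry layout shown in the post (timestamp | size | attribute flags | M or C, then the path after " -- ") and flags entries carrying hidden+system attributes, which is what the two oddly named Application Data files in this fix carry.

```python
import re
from typing import NamedTuple

# Constructed input: the OTL fix script posted above, reproduced verbatim.
FIX_SCRIPT = r"""
:OTL
[2012/10/08 15:54:34 | 000,019,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Celeste\Application Data\Mozilla\Firefox\Profiles\lm2rqsj7.default\extensions\YouTubetoALL@ALLPlayer.org.xpi
[2011/12/31 15:26:23 | 000,013,446 | -HS- | C] () -- C:\Documents and Settings\Celeste\Local Settings\Application Data\210ix62kx62y12744267ukpick4g023cen2wf40834k
[2011/12/31 15:26:23 | 000,013,446 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\210ix62kx62y12744267ukpick4g023cen2wf40834k
:Files
C:\Documents and Settings\Celeste\Desktop\top-humor-site.com
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
"""

# One :OTL line: [timestamp | size | attrs | M or C] (optional names) -- path
ENTRY_RE = re.compile(r"^\[(?P<ts>\S+ \S+) \| (?P<size>[\d,]+) \| "
                      r"(?P<attrs>\S{4}) \| [MC]\] .*? -- (?P<path>.+)$")

class OtlEntry(NamedTuple):
    timestamp: str
    size: int
    attrs: str   # "-HS-" = hidden + system; "----" = no special attributes
    path: str

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

def parse_fix_script(text: str) -> dict:
    # Split on ':Section' headers; parse :OTL lines strictly so a malformed
    # entry is rejected instead of being handed to the tool unnoticed.
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith(":"):
            current = line[1:].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    entries = []
    for line in sections.get("otl", []):
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unparsed :OTL line: " + line)
        entries.append(OtlEntry(m["ts"], int(m["size"].replace(",", "")),
                                m["attrs"], m["path"]))
    return {"otl": entries, "files": sections.get("files", []),
            "commands": [c.strip("[]") for c in sections.get("commands", [])]}
```

Running `parse_fix_script(FIX_SCRIPT)` yields three :OTL entries (two of them hidden+system), one :Files path and the four commands, so a reviewer can eyeball the deletion list before clicking Run Fix.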