Please help me with a spyware issue..

[msbbc833]

About every 10 minutes, while using firefox, I get a new browser window opened which directs to this page: http://krepitrash.redirectme.net/redirect.php?m=

I have ran Avira, Malwarebytes, Spybot S&D, Sophos AntiRoot Kit, and SuperAntiSpyware and they each have found a few bugs, but I still keep getting this annoying popup. Here is a log of my HiJackThis. Please let me know if you guys have any suggestions, otherwise I think I am going to have to format. I am sick of Windows PCs, I am currently running 7 x64 and I swear that every couple months I get infected with some nasty bug and I have to format. I am considering going OS X or something similar.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:08:34 PM, on 7/3/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Users\Maamaa\AppData\Roaming\InstallMon.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Maamaa\Desktop\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - (no file)
O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [C:\Users\Maamaa\AppData\Roaming\InstallMon.exe] C:\Users\Maamaa\AppData\Roaming\InstallMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20DAA355-80B3-4A7A-A64E-71A006F0795A}: NameServer = 208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7197 bytes

 

[jiminator]

try making a new profile and see if it is infected.
if not, there is a firefox folder somewhere in your user folder. you should be able to export your links, nuke the folder, and hopefully everything works.

 

[msbbc833]

How do I export my links so I can delete the folder?

 

[rive22]

go to bookmarks, then organize bookmarks, then export to html. save it to safe location.

when you reinstall, then import the html.

 

[msbbc833]

Ok. So I save the HTML, uninstall and reinstall firefox right?

 

[WhiteZero]

I am sick of Windows PCs, I am currently running 7 x64 and I swear that every couple months I get infected with some nasty bug and I have to format. I am considering going OS X or something similar.

Not even OSX is safe anymore...
You're better off just running a good anti-virus and learning how to be careful.

I can't remember the last time my personal PC had an infection. And I go to plenty of shady sites and get shady downloads. lol

Anyway, format shouldn't be necessary. You have these options:
Run the malware scans from Safe Mode.
Run the malware scan at boot, with something like UBCD4Win.
Run a repair install of Windows.
Keep researching he issue so in the future you'll know how to solve it for yourself and others.

 

[rive22]

Yeah uninstall, then go to your apps drive and run a search for mozilla. everything that pops up delete it. there will be a couple folders with contents you'll want to delete them all manually since the uninstalling doesn't get rid of everything.

i would export your links to a backup file too. have both the html and backup just to be safe having two separate saved versions.

 

[Shadowssong]

First of all, remove the link in your first sentence. Do not link something that malware is redirecting too or you have a chance of infecting other users who click on it (I don't know if its malicious or not but there is a good chance it is).

That being said, I don't know how you have gotten infected every couple of months. This is obviously a user error because Windows 7 64bit is easily the most secure and safe windows os out right now.
I noticed you have uTorrent installed:
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
This is probably your source of the malware, I would highly suggest NOT using torrenting, ESPECIALLY if you are being infected every couple of months.

That being said, 64bit limits the choices you have for malware removal, as I would normally suggest combofix but it does not work for 64bit. Your best bet is to reformat and be proactive in your approach to keeping your system clean, that includes:
1) Use an up to date AV at all times (I suggest MSE)
2) Keep up with windows updates and other essential program updates (Adobe in particular, has been exploited quite a bit lately, but usually most vulnerabilities are on xp) and don't forget java updates.
3) Practice safe browsing and downloading techniques. AKA Do not torrent. People may beat around the bush saying whether or not to do it but come on, if you've been infected alot there has to be a common source and I point my finger at torrenting right away.
4) If you are visiting sketchy sites look into using virtual machines (VirtualBox is a free software that allows you to run an operating system inside of a safe shell, if infected you can wipe the install and do it again)

If you think switching to OSX is going to save you then go right ahead and drop some money on that, but if your tired of windows you could always try Ubuntu.

 

[msbbc833]

What a fucking joke. Even my facebook account had been posting spam as my status. I had no choice but to reformat with a fresh copy of Win7 x64. I will no longer be using torrents in any capacity. I am so pissed right now. What kind of fucking losers spend time creating malware to infect innocent people's computers?

Anyways, what is the safest browser? I was running Firefox with ABP and NoScript before. I will probably use that again. As for antivirus/antispyware I am going to run MSE. Please give me any more suggestions to just have a clean machine that is unlikely to get infected in the future.

 

[msbbc833]

Couple more questions...

I have decided to use Comodo AV+Firewall. Looks like a solid setup so far.

If no to torrents, where can I download movies and TV shows from that are safe?
Also, once I cleared my facebook account, I changed my password, but is there anyway to be sure my facebook account is now clean?

 

[WhiteZero]

If no to torrents, where can I download movies and TV shows from that are safe?

Did you really just ask that?

 

[Shadowssong]

What a fucking joke. Even my facebook account had been posting spam as my status. I had no choice but to reformat with a fresh copy of Win7 x64. I will no longer be using torrents in any capacity. I am so pissed right now. What kind of fucking losers spend time creating malware to infect innocent people's computers?

Anyways, what is the safest browser? I was running Firefox with ABP and NoScript before. I will probably use that again. As for antivirus/antispyware I am going to run MSE. Please give me any more suggestions to just have a clean machine that is unlikely to get infected in the future.

AFAIK Firefox is no longer the safest browser, oddly enough I still use it. Apparently Chrome and IE9 are going to be neck and neck for the most secure. That being said its not usually a browser exploit that is what infects you.

Couple more questions...

I have decided to use Comodo AV+Firewall. Looks like a solid setup so far.

If no to torrents, where can I download movies and TV shows from that are safe?
Also, once I cleared my facebook account, I changed my password, but is there anyway to be sure my facebook account is now clean?

You might be getting banned for that first question, but who knows. As for the second question, I believe it was the infected computer that was sending out the shit through your facebook. Make sure you changed it on the clean computer. It's not your actual facebook account that is compromised, its a virus on your pc that is accessing your facebook with a password that it was able to brute force/keylog/guess etc.

 

[jiminator]

you can watch tv shows safe and legally on hulu.com
this other stuff, you are just opening yourself up to lots of risks, viruses and trojans just being the obvious ones.

 

[Protoform-X]

If no to torrents, where can I download movies and TV shows from that are safe?

http://www.netflix.com/

"Unlimited TV episodes & movies instantly over the Internet plus unlimited DVDs by mail!"

Safe and legal.

 

[rive22]

Hey for Netflix TV and Hulu, is the stuff high def?

I used to use Netflix in the past for DVD's and they were pretty kick ass. Are they fully updated with Blurays now too?

 

[msbbc833]

They dont even have Entourage :\

 

[Shadowssong]

Then buy HBO like the rest of the world. [H]ard|Forum rules prohibit the talk of piracy so you should stop before you get banned. Friendly warning!

 

[Protoform-X]

Get HBO on Demand if you want to watch Entourage.

 

[YeOldeStonecat]

You already wiped 'n reloaded the system, so it's moot now...but these recent dns redirecting rootkits are difficult to clean from within the system. We've been having lotsa rigs come through which require us to remove the drive and slave it to our main scanning bench rig...to clean it up. We're having better luck cleaning them this way, outside of the OS. It sticks some files inside of the user profile directory..temp internet files, ie5, etc etc. As well as the rootkit files hidden in system and/or system32.

 

[LostStorm]

I would have update all your security programs, reboot to safe mode. Then delete all temporary files, cookies and java folders. Then do full scan with every program and see if that fixes the problem. I personally hate reformatting, but either way I hope everything turns out well