It's like a plugin virus, but it's external... however, firefox is all it seems to affect.

  • 6 replies
  • 12 have this problem
  • 7 views
  • Last reply by JiKeidan

XP Pro, DELL Latitude D520, Duo... 2 gig RAM, and plenty hdd, stock video chipset (naturally -.-)

After much scouring... I have run into a program on my drive called MRT.exe coupled in the same folder with a MRTSTUB.exe (not case sensitive)... I never use iexplore, and immediately remove it from my machine shortly after any fresh installation of XP, and download Firefox... other than that, the other things I do online are not likely to have allowed this in, and hijackthis seems to refer to it as a BHO... it came in through Firefox guys... it records input, manipulates other programs (Firefox), has no visible window and no log in the process manager... however, proceeds to take up huge portions of page file memory. Naturally while on Firefox... it reroutes me every chance it gets to one of those stupid search pages providing "enhanced searchability for the EXACT product,concept,idea,question that i am looking for -.-" just thought you guys might wanna know... mr t. funny guy -.-

(Below content copied from /questions/778647 - TonyE)

This is a continuation of the last post I had up, it is basically a web site redirect virus that seems to pull up a new window at various times, or while I click on several google searches will intermittently redirect me to a tizag.com website, or other various search falsity websites...

After several hours of work put into trying to find this bug, removing smaller useless bugs from my system, and so on... I still have the bug on the computer... Now I have taken the liberty of running a process analyzer and stopping the analyzer once the bug started affecting my google, and have a dump of all the processes running, firefox related (since it redirects me it must reach into the firefox.exe process somewhere along the line), and would like to share that with you.

I posted it in the troubleshooting section as it won't fit into this section... and I don't have a troubleshooting information option in my help menu anyhow.

If you can help me figure out which process is being performed here that is unusual as far as Firefox content goes, I can search through the memory stacks of those processes and trace this bug back to its origin... helping myself and you guys in the future.

Modified by TonyE

All Replies (6)

I have been having the same problem for the past week. Do a google search, I get a list of relevant sites, I try to access one of the sites and I'm redirected by different search engines to something totally irrelevant such as adverts. The problem is erratic but also happens in Explorer. I'm using Vista but so far it hasn't shown up on my Win 7 system.

Modified by sauntryf

Check out this website for a possible solution. I haven't tried it myself yet as right now my system is behaving normally. http://inkspector.tblog.com/post/1970043394

I appreciate the link, but it's just another "download this to fix this problem" site, and I'm not into that... I posted up another post on this problem, with a realtime process dump that I captured at the time of the redirect... so somewhere in that list of processes there is the file that is causing the problem, or something of a tail end that I can use to trace back through the memory stacks... I think I'll re-post it here so it's in-line with this issue, since I have gotten responses to it...

Note: if we can get someone who knows the firefox assembly to have a look at it and let us know the processes that aren't inclusive of the system, then I can look through as I stated and pinpoint the exact location and name of this bug.

For the record, I have searched google for any virus that matched this description, and thus far there aren't any REAL solutions that I've come across...

FIRST HALF OF THE DUMP:

04:54:09,5863168 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_001_ SUCCESS Offset: 978 944, Length: 768

04:54:09,5866492 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_001_ SUCCESS Offset: 977 664, Length: 800

04:54:09,5887274 firefox.exe 2636 RegOpenKey HKLM\Software\Speedbit\Download Accelerator SUCCESS Desired Access: Query Value

04:54:09,5887676 firefox.exe 2636 RegQueryValue HKLM\SOFTWARE\SpeedBit\Download Accelerator\Log SUCCESS Type: REG_DWORD, Length: 4, Data: 0

04:54:09,5888017 firefox.exe 2636 RegCloseKey HKLM\SOFTWARE\SpeedBit\Download Accelerator SUCCESS

04:54:09,5895200 firefox.exe 2636 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000046E SUCCESS Type: REG_SZ, Length: 4, Data: 1

04:54:09,5895820 firefox.exe 2636 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS Type: REG_SZ, Length: 4, Data: 1

04:54:09,6072001 firefox.exe 2636 LockFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Exclusive: True, Offset: 1 073 741 824, Length: 1, Fail Immediately: True

04:54:09,6073661 firefox.exe 2636 LockFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Exclusive: False, Offset: 1 073 741 826, Length: 510, Fail Immediately: True

04:54:09,6075276 firefox.exe 2636 UnlockFileSingle C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Offset: 1 073 741 824, Length: 1

04:54:09,6078782 firefox.exe 2636 QueryOpen C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite-journal NAME NOT FOUND

04:54:09,6080706 firefox.exe 2636 QueryStandardInformationFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS AllocationSize: 8 192, EndOfFile: 7 168, NumberOfLinks: 1, DeletePending: False, Directory: False

04:54:09,6082330 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Offset: 24, Length: 16

04:54:09,6084556 firefox.exe 2636 UnlockFileSingle C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Offset: 1 073 741 826, Length: 510

04:54:09,6101561 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_001_ SUCCESS Offset: 979 712, Length: 512

04:54:09,6103802 firefox.exe 2636 Thread Create SUCCESS Thread ID: 3540

04:54:09,6104645 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_002_ SUCCESS Offset: 884 736, Length: 2 347

04:54:09,6107657 firefox.exe 2636 WriteFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_001_ SUCCESS Offset: 978 944, Length: 593

04:54:09,6109590 firefox.exe 2636 RegOpenKey HKLM\Software\Speedbit\Download Accelerator SUCCESS Desired Access: Query Value

04:54:09,6109939 firefox.exe 2636 RegQueryValue HKLM\SOFTWARE\SpeedBit\Download Accelerator\Log SUCCESS Type: REG_DWORD, Length: 4, Data: 0

04:54:09,6110263 firefox.exe 2636 RegCloseKey HKLM\SOFTWARE\SpeedBit\Download Accelerator SUCCESS

04:54:09,6154087 firefox.exe 2636 QueryOpen C:\WINDOWS\system32\MSIMTF.dll SUCCESS CreationTime: 14.04.2008 07:00:00, LastAccessTime: 22.01.2011 04:54:09, LastWriteTime: 14.04.2008 07:00:00, ChangeTime: 26.09.2009 19:55:19, AllocationSize: 159 744, EndOfFile: 159 232, FileAttributes: A

04:54:09,6155962 firefox.exe 2636 CreateFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened

04:54:09,6157727 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE

04:54:09,6157859 firefox.exe 2636 QueryStandardInformationFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS AllocationSize: 159 744, EndOfFile: 159 232, NumberOfLinks: 1, DeletePending: False, Directory: False

04:54:09,6158071 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeOther

04:54:09,6159437 firefox.exe 2636 CloseFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS

04:54:09,6167285 firefox.exe 2636 QueryOpen C:\WINDOWS\system32\MSIMTF.dll SUCCESS CreationTime: 14.04.2008 07:00:00, LastAccessTime: 22.01.2011 04:54:09, LastWriteTime: 14.04.2008 07:00:00, ChangeTime: 26.09.2009 19:55:19, AllocationSize: 159 744, EndOfFile: 159 232, FileAttributes: A

04:54:09,6168969 firefox.exe 2636 CreateFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened

04:54:09,6170274 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE

04:54:09,6170394 firefox.exe 2636 QueryStandardInformationFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS AllocationSize: 159 744, EndOfFile: 159 232, NumberOfLinks: 1, DeletePending: False, Directory: False

SECOND HALF:

04:54:09,6170592 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeOther

04:54:09,6171930 firefox.exe 2636 CloseFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS

04:54:09,6197042 firefox.exe 2636 WriteFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_001_ SUCCESS Offset: 979 712, Length: 464

04:54:09,6444761 firefox.exe 2636 LockFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Exclusive: True, Offset: 1 073 741 824, Length: 1, Fail Immediately: True

04:54:09,6446292 firefox.exe 2636 LockFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Exclusive: False, Offset: 1 073 741 826, Length: 510, Fail Immediately: True

04:54:09,6447773 firefox.exe 2636 UnlockFileSingle C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Offset: 1 073 741 824, Length: 1

04:54:09,6449999 firefox.exe 2636 QueryOpen C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite-journal NAME NOT FOUND

04:54:09,6451782 firefox.exe 2636 QueryStandardInformationFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS AllocationSize: 8 192, EndOfFile: 7 168, NumberOfLinks: 1, DeletePending: False, Directory: False

04:54:09,6454503 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Offset: 24, Length: 16

04:54:09,6456271 firefox.exe 2636 UnlockFileSingle C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite SUCCESS Offset: 1 073 741 826, Length: 510

04:54:09,6469113 firefox.exe 2636 LockFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite SUCCESS Exclusive: True, Offset: 1 073 741 824, Length: 1, Fail Immediately: True

04:54:09,6470602 firefox.exe 2636 LockFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite SUCCESS Exclusive: False, Offset: 1 073 741 826, Length: 510, Fail Immediately: True

04:54:09,6472061 firefox.exe 2636 UnlockFileSingle C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite SUCCESS Offset: 1 073 741 824, Length: 1

04:54:09,6474053 firefox.exe 2636 QueryOpen C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite-journal NAME NOT FOUND

04:54:09,6475706 firefox.exe 2636 QueryStandardInformationFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite SUCCESS AllocationSize: 12 288, EndOfFile: 11 264, NumberOfLinks: 1, DeletePending: False, Directory: False

04:54:09,6477201 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite SUCCESS Offset: 24, Length: 16

04:54:09,6479226 firefox.exe 2636 UnlockFileSingle C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\signons.sqlite SUCCESS Offset: 1 073 741 826, Length: 510

04:54:09,6489971 firefox.exe 2636 QueryOpen C:\WINDOWS\system32\MSIMTF.dll SUCCESS CreationTime: 14.04.2008 07:00:00, LastAccessTime: 22.01.2011 04:54:09, LastWriteTime: 14.04.2008 07:00:00, ChangeTime: 26.09.2009 19:55:19, AllocationSize: 159 744, EndOfFile: 159 232, FileAttributes: A

04:54:09,6491722 firefox.exe 2636 CreateFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened

04:54:09,6493061 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE

04:54:09,6493192 firefox.exe 2636 QueryStandardInformationFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS AllocationSize: 159 744, EndOfFile: 159 232, NumberOfLinks: 1, DeletePending: False, Directory: False

04:54:09,6493399 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeOther

04:54:09,6494751 firefox.exe 2636 CloseFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS

04:54:09,6500151 firefox.exe 2636 QueryOpen C:\WINDOWS\system32\MSIMTF.dll SUCCESS CreationTime: 14.04.2008 07:00:00, LastAccessTime: 22.01.2011 04:54:09, LastWriteTime: 14.04.2008 07:00:00, ChangeTime: 26.09.2009 19:55:19, AllocationSize: 159 744, EndOfFile: 159 232, FileAttributes: A

04:54:09,6501802 firefox.exe 2636 CreateFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened

04:54:09,6503090 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE

04:54:09,6503204 firefox.exe 2636 QueryStandardInformationFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS AllocationSize: 159 744, EndOfFile: 159 232, NumberOfLinks: 1, DeletePending: False, Directory: False

04:54:09,6503411 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeOther

04:54:09,6504746 firefox.exe 2636 CloseFile C:\WINDOWS\system32\MSIMTF.dll SUCCESS

04:54:09,6588123 firefox.exe 2636 Thread Exit SUCCESS Thread ID: 3540, User Time: 0.0000000, Kernel Time: 0.0000000

04:54:09,6602960 firefox.exe 2636 RegOpenKey HKLM\Software\Speedbit\Download Accelerator SUCCESS Desired Access: Query Value

04:54:09,6603373 firefox.exe 2636 RegQueryValue HKLM\SOFTWARE\SpeedBit\Download Accelerator\Log SUCCESS Type: REG_DWORD, Length: 4, Data: 0

04:54:09,6603714 firefox.exe 2636 RegCloseKey HKLM\SOFTWARE\SpeedBit\Download Accelerator SUCCESS
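
Added example, not part of any post in this thread: one way to triage a Process Monitor capture like the dump above is to parse each event and bucket it by what it touches, so that targets outside the Firefox profile and the Windows locations stand out for review. The regex, bucket names and function names are assumptions of this example; the sample lines are copied from the dump.

```python
import re
from collections import Counter

# Process Monitor text export as pasted in the thread: fields are separated by
# single spaces, so paths containing spaces are delimited by the result token.
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d+) (?P<proc>\S+) (?P<pid>\d+) "
    r"(?P<op>Thread \w+|\w+) (?:(?P<path>.+?) )?"
    r"(?P<result>SUCCESS|NAME NOT FOUND)(?: (?P<detail>.*))?$"
)

# Lines copied from the dump in this thread (a subset, unmodified).
SAMPLE = r"""
04:54:09,5863168 firefox.exe 2636 ReadFile C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\Cache\_CACHE_001_ SUCCESS Offset: 978 944, Length: 768
04:54:09,5887274 firefox.exe 2636 RegOpenKey HKLM\Software\Speedbit\Download Accelerator SUCCESS Desired Access: Query Value
04:54:09,5895200 firefox.exe 2636 RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000046E SUCCESS Type: REG_SZ, Length: 4, Data: 1
04:54:09,6078782 firefox.exe 2636 QueryOpen C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\314qtu41.default\content-prefs.sqlite-journal NAME NOT FOUND
04:54:09,6103802 firefox.exe 2636 Thread Create SUCCESS Thread ID: 3540
04:54:09,6157727 firefox.exe 2636 CreateFileMapping C:\WINDOWS\system32\MSIMTF.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
"""

def parse(text):
    """Return one dict per recognised event line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.strip().splitlines()) if m]

def bucket(path):
    """Classify an event target by location only; this says nothing about trust."""
    p = (path or "").lower()
    if not p:
        return "no-target"  # e.g. Thread Create / Thread Exit
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "firefox-profile"
    if p.startswith(("c:\\windows\\", "hklm\\system\\")):
        return "windows"
    return "other"

def triage(text):
    """Count events per bucket and list the distinct targets in 'other'."""
    events = parse(text)
    counts = Counter(bucket(e["path"]) for e in events)
    review = sorted({e["path"] for e in events if bucket(e["path"]) == "other"})
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for target in review:
        print("review:", target)
```

The "other" bucket means only that the target belongs to neither Firefox's profile nor Windows and should be identified; the "windows" bucket is assigned by path and does not verify the file itself.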

I get the feeling it's in-line with that 314qtu41.default folder in the application data folder... however, I am not sure about this and when I've attempted to delete the directory, Firefox never starts, stating it's already running (this is while there is no entry for it in the process manager under firefox.exe) =\ so lol yah... perhaps we've found ourselves a new kind of bug... a smart one.