Undetected spyware redirecting search results


  • This topic is locked
37 replies to this topic

#31 fahari06

fahari06
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 08 September 2009 - 10:14 PM

Hello EB,

OK, I ran the removal tool but had a little trouble with ComboFix. There was no automatic upload and I could not find the zip file in the Qoobox Quarantine folder or anywhere else, so I was unable to do that step, but I have the ComboFix log here nonetheless. I also downloaded the Avast anti-spyware since I had so much trouble with AVG before. Below are the ComboFix log and the MBAM log.

Combofix


ComboFix 09-09-08.05 - Sunspot 09/08/2009 22:04.8.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.291 [GMT -4:00]
Running from: c:\documents and settings\Sunspot.RA.000\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sunspot.RA.000\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FILE ::
"c:\windows\system32\DRIVERS\avgfwdx.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\SUNSPO~1.000\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Sunspot.RA.000\Local Settings\temp\IadHide5.dll
c:\progra~1\AVG
c:\progra~1\AVG\AVG8\Notification\arrow.png
c:\progra~1\AVG\AVG8\Notification\button_left.png
c:\progra~1\AVG\AVG8\Notification\button_left_hover.png
c:\progra~1\AVG\AVG8\Notification\button_right.png
c:\progra~1\AVG\AVG8\Notification\button_right_hover.png
c:\progra~1\AVG\AVG8\Notification\free8085_message_01_us.html
c:\progra~1\AVG\AVG8\Notification\head_blue_bg.png
c:\progra~1\AVG\AVG8\Notification\image_app_-en.png
c:\progra~1\AVG\AVG8\Notification\style.css
c:\windows\system32\vsfoceethkyiud.dll
c:\windows\system32\vsfocehrqjlknb.dll
c:\windows\system32\vsfocejboroyiv.dat
c:\windows\system32\vsfoceogkbaqpm.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vsfocegoxuwbiv
-------\Service_Avgfwdx
-------\Service_Avgfwfd
-------\Service_vsfocegoxuwbiv


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-03 00:38 . 2009-09-03 00:38 120 -c--a-w- c:\windows\Sdunana.dat
2009-08-23 04:11 . 2009-08-26 02:29 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\ArcSoft
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----w- c:\program files\Common Files\Skype
2009-08-23 03:20 . 2009-08-23 03:20 -------- dc----r- c:\program files\Skype
2009-08-23 03:13 . 2009-09-09 02:03 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Skype
2009-08-23 01:35 . 2005-02-23 18:58 11776 -c--a-w- c:\windows\system32\drivers\afc.sys
2009-08-23 01:32 . 2009-08-23 01:32 -------- dc----w- c:\program files\Common Files\ArcSoft
2009-08-23 01:31 . 2004-05-04 15:53 1645320 -c--a-w- c:\windows\system32\gdiplus.dll
2009-08-23 01:31 . 2009-08-23 01:31 -------- dc----w- c:\program files\ArcSoft
2009-08-23 01:31 . 1995-08-01 08:44 212480 -c--a-w- c:\windows\PCDLIB32.DLL
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-23 00:52 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-23 00:45 . 2007-09-06 20:56 98304 -c--a-w- c:\windows\amcap.exe
2009-08-23 00:45 . 2008-02-21 21:15 3968 -c--a-w- c:\windows\system32\drivers\DeNoise.sys
2009-08-23 00:45 . 2007-03-10 18:43 270336 -c--a-w- c:\windows\tsnpstd3.exe
2009-08-23 00:45 . 2006-09-19 13:07 827392 -c--a-w- c:\windows\vsnpstd3.exe
2009-08-23 00:45 . 2007-03-26 18:46 10252544 -c--a-w- c:\windows\system32\drivers\snpstd3.sys
2009-08-23 00:45 . 2009-08-23 00:56 -------- dc----w- c:\program files\Common Files\snpstd3
2009-08-23 00:45 . 2007-03-12 15:41 61440 -c--a-w- c:\windows\system32\vsnpstd3.dll
2009-08-23 00:45 . 2007-02-09 18:13 172032 -c--a-w- c:\windows\system32\rsnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\system32\csnpstd3.dll
2009-08-23 00:45 . 2005-11-23 17:55 53248 -c--a-w- c:\windows\csnpstd3.dll
2009-08-23 00:45 . 2009-08-23 00:45 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\InstallShield
2009-08-22 00:59 . 2009-08-22 00:59 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 00:59 . 2009-09-09 01:21 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\skypePM
2009-08-22 00:43 . 2000-01-19 15:45 65536 -c--a-r- c:\windows\system32\SPDecode.DLL
2009-08-20 02:02 . 2009-08-20 02:02 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\SUPERAntiSpyware.com
2009-08-13 18:38 . 2005-12-31 00:18 180224 -c--a-w- c:\windows\system32\xvidvfw.dll
2009-08-13 18:38 . 2005-12-31 00:10 761856 -c--a-w- c:\windows\system32\xvidcore.dll
2009-08-13 17:12 . 2009-08-13 17:12 -------- dc----w- c:\program files\WinAVI MP4 Converter
2009-08-13 17:07 . 2009-08-13 17:07 -------- dc----w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\WinAVI
2009-08-13 14:23 . 2009-08-13 20:17 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Azureus
2009-08-13 13:28 . 2009-08-13 13:28 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\vlc
2009-08-13 11:59 . 2009-08-13 12:17 -------- dc----w- C:\Combo-Fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 10:08 . 2009-08-05 02:48 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-08-26 03:26 . 2009-08-03 19:25 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 03:20 . 2005-03-05 08:53 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-08-23 01:31 . 2001-01-11 19:40 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-08-20 03:36 . 2004-01-12 00:37 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-13 20:40 . 2004-10-30 03:44 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Apple Computer
2009-08-13 20:20 . 2007-07-04 12:58 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-08-13 20:18 . 2004-11-20 19:00 -------- dc----w- c:\program files\Azureus
2009-08-13 18:38 . 2003-06-24 12:55 -------- dc----w- c:\program files\XviD
2009-08-07 23:48 . 2009-08-07 23:48 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\AdobeUM
2009-08-07 17:02 . 2002-05-18 02:57 -------- dc----w- c:\program files\Opera
2009-08-07 14:54 . 2009-08-05 22:54 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-08-07 13:39 . 2004-11-20 18:41 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Azureus
2009-08-06 21:55 . 2009-08-06 21:55 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Apple Computer
2009-08-06 17:30 . 2009-08-06 17:30 -------- dc----w- c:\program files\CCleaner
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-08-05 22:54 . 2009-08-05 22:54 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\SUPERAntiSpyware.com
2009-08-05 22:54 . 2003-02-09 19:36 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 22:49 . 2003-11-03 22:34 -------- dc----w- c:\program files\InterActual
2009-08-05 22:27 . 2009-08-05 22:27 -------- dc----w- c:\documents and settings\Weldon.RA\Application Data\Malwarebytes
2009-08-05 21:00 . 2009-08-05 21:00 52112 -c--a-w- c:\documents and settings\Weldon.RA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 16:54 . 2009-08-05 16:54 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Azureus
2009-08-05 12:27 . 2004-01-12 00:37 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:11 . 2005-01-08 03:15 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 06:30 . 2004-09-09 23:44 52112 -c--a-w- c:\documents and settings\Sunspot.RA.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 06:27 . 2009-08-05 06:26 -------- dc----w- c:\program files\iTunes
2009-08-05 06:27 . 2009-08-05 06:26 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 06:26 . 2004-10-30 03:43 -------- dc----w- c:\program files\iPod
2009-08-05 06:26 . 2007-07-04 12:58 -------- dc----w- c:\program files\Common Files\Apple
2009-08-05 06:23 . 2009-08-05 06:23 -------- dc----w- c:\program files\Bonjour
2009-08-05 06:22 . 2001-01-15 00:13 -------- dc----w- c:\program files\QuickTime
2009-08-05 04:25 . 2007-10-03 01:26 -------- dc----w- c:\program files\filesubmit
2009-08-05 02:51 . 2009-08-05 02:51 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Downloaded Installations
2009-08-05 01:23 . 2009-08-03 18:40 -------- dc--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\Sunspot.RA.000\Application Data\Malwarebytes
2009-08-03 19:25 . 2009-08-03 19:25 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-03 18:39 . 2009-08-03 18:39 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software
2009-08-03 17:36 . 2009-08-03 19:25 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-03 19:25 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 18:55 . 2002-09-03 13:00 58880 -c--a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 05:45 286720 -c--a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-08-05 06:16 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 16:16 . 2008-09-03 21:19 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-26 16:18 . 2004-12-07 21:37 659456 -c----w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 -c----w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2002-09-03 13:00 82432 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2002-09-03 13:00 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2002-09-03 13:00 76288 -c--a-w- c:\windows\system32\telnet.exe
2001-10-05 11:53 . 2003-02-27 03:36 21866 -c--a-w- c:\program files\Common Files\tppupd2k.dll
2001-03-19 00:11 . 2001-01-11 19:24 21952 -c-ha-w- c:\program files\folder.htt
2001-10-24 17:45 . 2002-05-18 02:57 28672 -c--a-w- c:\program files\opera\program\plugins\PlugDef.dll
2008-04-25 18:32 . 2008-04-25 18:32 5817064 -c--a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
2005-05-07 16:05 . 2004-09-22 00:47 10646 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-09-01_01.36.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-09 02:17 . 2009-09-09 02:17 40960 c:\windows\temp\rtdrvmon.exe
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\SYSTEM32\tzchange.exe
+ 2008-02-14 06:49 . 2009-05-26 11:40 17272 c:\windows\SYSTEM32\spmsg.dll
- 2008-02-14 06:49 . 2008-07-08 13:02 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2009-09-02 10:38 . 2009-09-02 10:38 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009090220090903\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-08-12 00:10 . 2009-09-04 10:46 32768 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-08-12 00:10 . 2009-09-01 01:06 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2003-08-12 00:10 . 2009-09-04 10:46 32768 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2009-09-02 10:38 . 2009-09-02 10:38 53637 c:\windows\SYSTEM32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\UserCache.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-12 4112384]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-12 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-1-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2008-2-22 888987]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Yahoo! Pager"=1

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 74480]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [11/25/2005 6:43 PM 31896]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\SYSTEM32\DRIVERS\Ca536av.sys [2/3/2008 9:40 PM 514859]
S3 PL-40R;CASIO USB MIDI;c:\windows\SYSTEM32\DRIVERS\pl40rwdm.sys [12/8/2007 12:08 PM 18118]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S3 SPCA508A;Micro WebCam;c:\windows\SYSTEM32\DRIVERS\SPCA508A.SYS [4/23/2001 1:23 PM 98073]
S3 USBCamera;FashionCam Digital Still Camera Device;c:\windows\SYSTEM32\DRIVERS\Bulk536.sys [2/3/2008 9:40 PM 11048]
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-09 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-17 13:53]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
uInternet Settings,ProxyOverride = 127.0.0.1;*sas.se1.attbb.net;<local>;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
FF - ProfilePath - c:\documents and settings\Sunspot.RA.000\Application Data\Mozilla\Firefox\Profiles\8tllm4r8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1188)
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\progra~1\MICROS~4\Office10\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\devldr32.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-09 22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 02:22
ComboFix2.txt 2009-09-04 11:18
ComboFix3.txt 2009-09-03 01:48
ComboFix4.txt 2009-09-02 05:00
ComboFix5.txt 2009-09-09 02:02

Pre-Run: 7,669,559,296 bytes free
Post-Run: 7,582,220,288 bytes free

278 --- E O F --- 2009-09-02 11:04

MBAM

Malwarebytes' Anti-Malware 1.40
Database version: 2763
Windows 5.1.2600 Service Pack 2

9/8/2009 10:57:01 PM
mbam-log-2009-09-08 (22-57-01).txt

Scan type: Quick Scan
Objects scanned: 149567
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Let me know what you think.

Thanks,
Diamonds415
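The ComboFix log above is what the responder reads before deciding whether the machine is clean: a family of randomly named .dll/.dat files in system32 with a matching Legacy_/Service_ key (the vsfoce* entries), a disabled firewall, Security Center monitoring switched off, and a user-level proxy in Internet Settings. The script below is an added example in Python, written for this page; it is not ComboFix's code, not from this thread, and it cleans nothing. It only parses a constructed sample (a trimmed subset of the lines posted above) and lists those indicators for review. The heuristics (a shared six-letter prefix across two or more long all-lowercase names, the registry-line patterns) are assumptions of this example, not rules from the tool.

```python
"""Triage helper for a ComboFix-style log.

Added example, not part of ComboFix or of this thread. It does not clean
anything; it reads a log and lists the indicators a responder looks for.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\docume~1\SUNSPO~1.000\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\vsfoceethkyiud.dll
c:\windows\system32\vsfocehrqjlknb.dll
c:\windows\system32\vsfocejboroyiv.dat
c:\windows\system32\vsfoceogkbaqpm.dat
c:\windows\system32\drivers\mbamswissarmy.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_vsfocegoxuwbiv
-------\Service_Avgfwdx
-------\Service_vsfocegoxuwbiv

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
"""

# A file name with a typical executable/data extension, wherever it sits on a line.
FILE_RE = re.compile(r"\\([A-Za-z0-9_~-]+)\.(?:dll|dat|sys|exe)\b", re.IGNORECASE)
# ComboFix lists removed driver/service keys as -------\Service_<name> or Legacy_<name>.
SERVICE_RE = re.compile(r"^-+\\(?:Legacy|Service)_(\w+)$")
# Heuristic (assumption of this example): 12+ lowercase letters, no digits, is
# what a name generator tends to emit; real vendor files rarely look like that.
RANDOM_STEM_RE = re.compile(r"^[a-z]{12,}$")

# Single-line indicators; the proxy is flagged for review only, since an ISP
# proxy can be legitimate, but a silently added proxy is a classic redirect vector.
LINE_CHECKS = [
    ("firewall_disabled", re.compile(r'"EnableFirewall"\s*=\s*0\b')),
    ("security_center_monitoring_disabled", re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1$')),
    ("user_proxy", re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")),
]


def collect_stems(text):
    """Return every file stem and removed service name mentioned in the log."""
    stems = set()
    for line in text.splitlines():
        line = line.strip()
        stems.update(m.group(1) for m in FILE_RE.finditer(line))
        m = SERVICE_RE.match(line)
        if m:
            stems.add(m.group(1))
    return stems


def random_name_families(stems, prefix_len=6):
    """Group random-looking stems by their first `prefix_len` letters.

    Two or more such names sharing a prefix (files plus a service) is the
    footprint a dropper leaves when it generates names from one seed.
    """
    groups = defaultdict(set)
    for stem in stems:
        if RANDOM_STEM_RE.match(stem):
            groups[stem[:prefix_len]].add(stem)
    return {prefix: sorted(members) for prefix, members in groups.items() if len(members) >= 2}


def triage(text):
    """Return a list of (kind, detail, members) findings, families first."""
    findings = []
    for prefix, members in sorted(random_name_families(collect_stems(text)).items()):
        findings.append(("random_name_family", prefix, members))
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in LINE_CHECKS:
            m = rx.search(line)
            if m:
                findings.append((kind, m.group(1) if m.groups() else line, []))
    return findings


if __name__ == "__main__":
    for kind, detail, members in triage(SAMPLE_LOG):
        print(f"{kind:40s} {detail} {' '.join(members)}")
```

Run against the sample, the only name family reported is the vsfoce* set (four files plus the service), while legitimate long names such as mbamswissarmy.sys stand alone and are not flagged; the three registry findings then tell the responder which protections to re-enable once the files are gone.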


#32 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:20 AM

Posted 09 September 2009 - 03:04 PM

Hello.

That looks so much better.

Now, please do the following... We're almost done here.

Please navigate to your C:\Qoobox folder.
In there find a text document file called Combofix-quarantined-files.txt and ATTACH the results of that log file in your next reply.

--

Let's update Java and run an online scan now.

Update Java to Version 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#33 fahari06

fahari06
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 10 September 2009 - 06:38 AM

Hi EB,

OK, I followed the instructions. The logs will be uploaded to this post. The computer is working MUCH better now. There is no more redirecting and it actually sped up a little bit (which was great because after the infection it started running really slowly). I also installed the new Java. Please see attached.

Thank You,
Diamonds415


#34 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:20 AM

Posted 10 September 2009 - 03:06 PM

Hello.

That looks good overall.

We need to get you Service Pack 3 installed however. This can be obtained via Windows Updates...

Update Windows Installation

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Were there any problems while doing any of the updates? If there were any updates, please specify in your next reply.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

Thanks.

With Regards,
Extremeboy

#35 fahari06

fahari06
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 12 September 2009 - 07:26 AM

Hello EB,

I have all of my updates and I turned the automatic updater on, so I will now get updates whenever I need them automatically and will stay current. There were no problems whatsoever with the updates. I also ran DDS again. The logs are attached below.

Thanks,
Diamonds415


#36 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:20 AM

Posted 12 September 2009 - 11:18 AM

Hello.

Great job! Well done. The logs look clean. :)

We can cleanup our mess and wrap up now. :)

Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
  • You will then receive a message letting you know that Combofix was uninstalled successfully.
This will remove files/folders associated with combofix and uninstall it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :cool: :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :)


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy


#37 fahari06

fahari06
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 12 September 2009 - 04:28 PM

Thank you so much EB. The computer is running much better. If I ever have another seemingly undefeatable malware problem, I will know who to come to. :thumbup2:

Thanks Again,

Fahari06 and Diamonds415

#38 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:20 AM

Posted 12 September 2009 - 04:50 PM

You're very welcome. :thumbup2:

Glad I was able to help. Happy surfing again and take care in the future.

---

Since the problem appears to be resolved, this topic is now Closed. Glad we could help :)
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy