
Trojan/Spyware removal help, please!


2 replies to this topic

#1 Porch

Porch

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 31 December 2008 - 05:11 PM

Yikes! Worst thing I've run into yet!

It's one thing when you can tell what you've got....

Symptoms are:
-Web page redirects
-Anti-spyware programs will not install/update (malwarebytes/spybot/adaware)

Have found:
-Antivirus 2008 (360?)
-Adzgalore games
And at least partially removed both. I also found and uninstalled LimeWire, which I assume was not knowingly installed.

So far I have updated NOD32 and done a full scan (found Antivirus 2008 and removed it). Someone appears to have removed Spybot/Ad-Aware from the computer, so I re-installed both. Ad-Aware will run, but would not update. I manually updated it, scanned, and it found nothing. Spybot was able to install, but will not display when run (though it loads into memory). I downloaded Malwarebytes Anti-Malware and it won't even install. SUPERAntiSpyware is the same, no install. Safe mode doesn't change anything.

I ran an HJT scan and nothing horribly obvious came up, though I cleaned up a few things.

Most potentially useful websites (like this one) won't display, and links redirect me to junk sites.
Even though I realize it says not to run "ComboFix", I tried anyway... it loads into memory but does nothing, just like all the other programs.

Any help would be greatly appreciated! I am fixing this computer for a friend, so I have no idea what she did to deserve this...
Thanks,
Chris



DDS (Version 1.1.0) - NTFSx86
Run by Liz Sanchez at 14:54:30.14 on Wed 12/31/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.692 [GMT -7:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Liz Sanchez\Application Data\U3\000016A29875EB9F\LaunchPad.exe
C:\Documents and Settings\Liz Sanchez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wildblue.net
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lizsan~1\applic~1\mozilla\firefox\profiles\lqzx3gl8.default\
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.http.max-connections-per-server", 10);
c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.http.max-persistent-connections-per-server", 4);
c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.http.pipelining", true);
c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.http.proxy.pipelining", true);
c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.proxy.autoconfig_url", "http://wpad.wildblue.com/wpad.dat");
c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.proxy.type", 2);

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-31 15424]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 NOD32krn;NOD32 Kernel Service;"c:\program files\eset\nod32krn.exe" [2008-12-31 552064]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2007-3-9 31872]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-19 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-19 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-19 23680]

=============== Created Last 30 ================

2008-12-31 13:34 512,096 a------- c:\windows\system32\drivers\amon.sys
2008-12-31 13:34 298,104 a------- c:\windows\system32\imon.dll
2008-12-31 13:34 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2008-12-31 13:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-31 13:13 <DIR> --d----- c:\docume~1\lizsan~1\applic~1\SUPERAntiSpyware.com
2008-12-31 12:43 <DIR> --d----- c:\program files\Lavasoft
2008-12-31 12:12 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-17 12:53 338,432 a------- c:\windows\system32\winsrc.dll
2008-12-17 12:53 122,368 a------- c:\windows\system32\ieupdates.exe

==================== Find3M ====================

2008-11-19 08:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2008-11-19 08:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-19 08:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-11-19 08:40 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-11-19 08:40 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 13:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 03:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-03 11:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 14:55:30.28 ===============
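The DDS log above already contains the evidence the poster later spots by eye: the Firefox section shows a user.js file forcing the default search engine and keyword.URL to an unknown "Yoog" host, and the "Created Last 30" section shows two executables dropped straight into system32 on the same minute. The script below is an added example, not part of this thread or of the DDS tool; it reads a constructed excerpt of the log (the paths and prefs are copied from the post, the allowlists of known search hosts and engine names are assumptions) and flags those two patterns. Note that a legitimate antivirus install also drops DLLs into system32 (imon.dll in the original log), so the created-file check is a review prompt, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log in the post above (hxxp defanging kept).
SAMPLE_DDS = r"""
================= FIREFOX ===================

FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true

=============== Created Last 30 ================

2008-12-31 13:34 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2008-12-17 12:53 338,432 a------- c:\windows\system32\winsrc.dll
2008-12-17 12:53 122,368 a------- c:\windows\system32\ieupdates.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FF_PREF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$")
# An .exe or .dll directly in system32 (not in a subfolder such as drivers\).
SYSTEM32_ROOT_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.(exe|dll)$", re.I)

# Prefs that decide where address-bar searches go; a user.js forcing them is a hijack pattern.
SEARCH_PREFS = {"browser.search.selectedEngine", "keyword.URL",
                "keyword.enabled", "browser.startup.homepage"}
# Assumed allowlists: anything outside them is "unknown", which means "review", not "malicious".
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
KNOWN_ENGINE_NAMES = {"Google", "Yahoo", "Bing"}


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def split_sections(text):
    """Group the DDS log lines under their '===== NAME =====' section headers."""
    sections, current = {}, "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def host_of(value):
    """Extract the host from a (possibly hxxp-defanged) URL, or None."""
    m = re.match(r"^h[xt]{2}ps?://([^/\s]+)", value, re.I)
    return m.group(1).lower() if m else None


def check_firefox(lines):
    findings = []
    for line in lines:
        m = FF_PREF_RE.match(line)
        if not m:
            continue
        src, pref, value = m.groups()
        reasons = []
        if src == "user.js" and pref in SEARCH_PREFS:
            reasons.append("user.js re-applies this pref on every start, overriding the user's choice")
        if pref == "keyword.URL" and host_of(value) not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"address-bar searches go to unknown host {host_of(value)}")
        if pref == "browser.search.selectedEngine" and value not in KNOWN_ENGINE_NAMES:
            reasons.append(f"default search engine '{value}' is not a known engine")
        if reasons:
            findings.append(Finding("FIREFOX", line, "; ".join(reasons)))
    return findings


def check_created(lines):
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, _size, _attrs, path = m.groups()
        if SYSTEM32_ROOT_RE.match(path.strip()):
            findings.append(Finding("Created Last 30", line,
                                    f"executable placed directly in system32 on {when}; verify against known installs"))
    return findings


def scan_dds(text):
    sections = split_sections(text)
    return (check_firefox(sections.get("FIREFOX", []))
            + check_created(sections.get("Created Last 30", [])))


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

Run against the excerpt it reports five Firefox lines (every Yoog-related pref, plus the user.js keyword.enabled override) and the two system32 files, and stays silent on the Google homepage and on the driver file under system32\drivers.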


#2 Porch

Porch
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 02 January 2009 - 02:04 PM

Thanks anyway, guys! I've decided I'm more comfortable reformatting/reinstalling in this instance.

Reading my post here, it appears she has the Yoog crap installed too, so that brings the total identifiable spyware count to 3... I'm just not going to chance it. Thanks again!

Moderator please close this post
~Chris

#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:31 AM

Posted 05 January 2009 - 09:56 AM

Thank you for notifying us.. I will now close this topic.. Please PM any Moderator or HijackThis Team member should you need to re-open this topic..


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
