Need Help Removing Spyware


  • This topic is locked
2 replies to this topic

#1 guavapure

guavapure

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 21 March 2009 - 09:20 PM

Hello. This is a repost. My post was moved to the Misplaced Logs SubForum. I read all of the instructions, but apparently posted in the wrong forum. Not sure how I did that. Anyhow, my apologies.

I am receiving pop-up windows that say "Contextual ads by Addestination". This has been going on for about 1-2 weeks. My free version of Super AntiSpyware does not detect this spyware. I just tried Malwarebytes' Anti-Malware program and it found 4 problems. I had them removed, but when I rebooted my computer, the spyware is still there. I am staring at the "Contextual ads by Addestination" box as we speak. I cannot locate my log from this recent scan, but I recall that one of the threats was named "Trojan", one was called "Vundo", and then one of them said something like "yoog". I can't recall the 4th; it may have also said "Trojan" and/or something else.

As an FYI, I caught some type of the Vundo virus about 1-2 months ago (I think it was "Vundo.32.Trojan" or something like that). I had tried many spyware programs (Ad-Aware, Spybot Search and Destroy, Malwarebytes' Anti-Malware) and was unsuccessful in removing it until I had downloaded and run Super AntiSpyware. Unfortunately, Super AntiSpyware is not able to help me this time. That old virus had turned my desktop blue (it removed my son's wallpaper picture) and had a "Warning! You are infected with Spyware!" note across my desktop. This current virus is not doing that. Once in a while, I will get a pop-up telling me that I have spyware and that I should click "OK" to do a scan check. When I click on the "x" to close it out, it brings up another window trying to get me to say "OK", without an "x" or cancel option.

Here are my logs. Thanks so much for the help. I really hope I'm in the right forum this time!

DDS (Ver_09-03-16.01) - NTFSx86
Run by phil at 21:56:11.59 on Sat 03/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.455 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\phil.NLC08\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {0f0e761f-bacb-453e-b90d-22f8a6ed01fd} - c:\windows\system32\cbXRJCuS.dll
BHO: addestination: {1065a342-52fa-9ce0-b93d-290a954d3a83} - c:\windows\system32\nsf5E.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157633354953
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {E8317C23-B17C-4641-9211-186AAFA067B4} = 192.168.1.6
Filter: text/html - {fe92126c-2101-4f04-987d-c9c1cb83c95c} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: wxvault.dll qocheb.dll cwykgz.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXRJCuS

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-3-19 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-3-19 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-3-19 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090320.003\NAVENG.SYS [2009-3-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090320.003\NAVEX15.SYS [2009-3-20 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S2 a2AntiMalware;a-squared Anti-Malware Service;"c:\program files\a-squared anti-malware\a2service.exe" --> c:\program files\a-squared anti-malware\a2service.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec antivirus\smclu\setup\smcinst.exe --> c:\program files\symantec antivirus\smclu\setup\smcinst.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-03-19 14:55 107,848 a------- c:\windows\system32\SymVPN.dll
2009-03-19 14:55 319,792 a------- c:\windows\system32\drivers\srtspl.sys
2009-03-19 14:55 49,480 a------- c:\windows\system32\FwsVpn.dll
2009-03-19 14:55 43,824 a------- c:\windows\system32\drivers\srtspx.sys
2009-03-19 14:55 8,390 a------- c:\windows\system32\drivers\srtspx.cat
2009-03-19 14:55 1,421 a------- c:\windows\system32\drivers\srtspx.inf
2009-03-19 14:55 280,112 a------- c:\windows\system32\drivers\srtsp.sys
2009-03-19 14:55 8,390 a------- c:\windows\system32\drivers\srtspl.cat
2009-03-19 14:55 8,386 a------- c:\windows\system32\drivers\srtsp.cat
2009-03-19 14:55 1,430 a------- c:\windows\system32\drivers\srtspl.inf
2009-03-19 14:55 1,415 a------- c:\windows\system32\drivers\srtsp.inf
2009-03-10 10:03 85,590 a------- c:\windows\system32\2a000105-8752-2a30-6fd6-37ad4be737f1.exe
2009-03-10 10:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-03 08:34 626,176 a------- c:\windows\system32\nsf5E.dll
2009-02-28 14:40 <DIR> --d----- c:\docume~1\phil~1.nlc\applic~1\iConcertCal

==================== Find3M ====================

2009-03-20 09:04 80,760 a------- c:\windows\system32\nvModes.dat
2009-03-19 15:01 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-19 15:01 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-19 15:01 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-19 15:01 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 11:03 437,771 a--sh--- c:\windows\system32\SuCJRXbc.ini2
2009-01-15 15:41 625,032 a------- c:\windows\system32\SymNeti.dll
2009-01-15 15:41 242,056 a------- c:\windows\system32\SymRedir.dll
2009-01-15 15:41 89,088 a------- c:\windows\system32\atl71.dll
2006-12-04 10:52 56,912 a------- c:\documents and settings\phil.nlc08\g2mdlhlpx.exe
2008-08-27 23:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 21:56:52.01 ===============

Edited by guavapure, 21 March 2009 - 09:26 PM.
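As an added example (not part of the original post, and not DDS's own code), a small Python triage script that reads lines in the "Pseudo HJT Report" layout of the log above and flags the entry shapes a malware helper checks first: a BHO registered with no display name, a BHO whose name matches the reported pop-up branding, a text/html filter with a blank path, every AppInit_DLLs entry, and LSA authentication packages other than msv1_0. The rule names and the `addestination` watch-list are assumptions modelled on this thread; the sample lines are copied from the log.

```python
import re

# Constructed sample: six lines in the layout of the DDS "Pseudo HJT Report" above.
SAMPLE_LOG = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: {0f0e761f-bacb-453e-b90d-22f8a6ed01fd} - c:\\windows\\system32\\cbXRJCuS.dll
BHO: addestination: {1065a342-52fa-9ce0-b93d-290a954d3a83} - c:\\windows\\system32\\nsf5E.dll
Filter: text/html - {fe92126c-2101-4f04-987d-c9c1cb83c95c} -
AppInit_DLLs: wxvault.dll qocheb.dll cwykgz.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\cbXRJCuS
"""

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# Assumed watch-list: the name lifted from the pop-up the poster reported.
WATCHED_NAMES = ("addestination",)


def triage_pseudo_hjt(text, watched=WATCHED_NAMES):
    """Return (rule, detail) findings for the entry shapes a helper checks first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Rule 1: a BHO registered with no display name ("BHO: {guid} - path").
        if re.match(r"BHO: " + GUID + r" - ", line, re.I):
            findings.append(("nameless BHO", line.split(" - ", 1)[1]))
        # Rule 2: a named BHO whose name matches the reported adware branding.
        elif line.startswith("BHO: ") and any(
            w in line.split(":", 2)[1].lower() for w in watched
        ):
            findings.append(("watched BHO name", line.split(" - ", 1)[1]))
        # Rule 3: a text/html MIME filter with an empty handler path hooks every page.
        elif line.startswith("Filter: text/html") and line.endswith(" -"):
            findings.append(("text/html filter with blank path", line))
        # Rule 4: every AppInit_DLLs entry is injected into each user32 process.
        elif line.startswith("AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split():
                findings.append(("AppInit_DLLs entry", dll))
        # Rule 5: LSA authentication packages beyond msv1_0 load inside lsass.
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("extra LSA authentication package", pkg))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_pseudo_hjt(SAMPLE_LOG):
        print(f"{rule:36} {detail}")
```

Run against the full log, the same rules also surface the cbXRJCuS name that appears both as a nameless BHO and as an extra LSA package, which is the cross-reference a helper uses to tie the entries to one infection.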



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:17 PM

Posted 28 March 2009 - 11:27 PM

Hello guavapure,

Sorry for the delay. We have many logs backed up and only a few helpers.

If you still need help, then please update and run MalwareBytes and post its log.

Also, run DDS so I can see if anything has changed.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:17 PM

Posted 11 April 2009 - 09:52 PM

Due to inactivity, this thread will now be closed.
