
Yet another overclick attack


This topic is locked.
11 replies to this topic

#1 qaman10
  • Members
  • 8 posts

Posted 26 June 2009 - 01:50 PM

Like many people on this forum, I have a problem with overclick.cn attempting to redirect my searches. I am running ESET AV and have also done a Malwarebytes scan; neither of these has shown anything untoward. I am running NoScript in Firefox, so the redirects don't actually work. However, the cut/paste URL workaround is annoying to say the least. Hopefully someone can help, thanks in advance.

DDS file

DDS (Ver_09-06-26.01) - NTFSx86
Run by Simon at 19:23:36.85 on 26/06/2009
Internet Explorer: 7.0.6000.16386 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.44.1033.18.2559.1662 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\sdra64.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\soundman.exe
C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Simon\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UVS11 Preload] c:\program files\ulead systems\ulead videostudio 11\uvPL.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatchTray11.exe"
mRun: [CPMonitor] "c:\program files\roxio creator 2009\5.0\CPMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Clean Traces
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\simon\appdata\roaming\mozilla\firefox\profiles\zc35uhi6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\users\simon\appdata\roaming\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npfd.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2007-7-3 131616]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2009-6-19 62464]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-5-30 3032360]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [2009-6-10 37376]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-5-30 15144]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\roxio creator 2009\digital home 11\RoxioUpnpService11.exe [2008-8-14 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [2008-8-14 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [2008-8-14 170480]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [2008-8-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [2008-8-14 1124848]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-06-25 21:44 <DIR> --d----- c:\program files\GetData
2009-06-23 21:24 <DIR> --d----- C:\VundoFix Backups
2009-06-23 13:42 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-22 21:54 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-22 21:54 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-22 21:54 <DIR> --d----- c:\users\simon\appdata\roaming\SUPERAntiSpyware.com
2009-06-22 21:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-22 21:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-22 20:04 <DIR> --d----- c:\users\simon\appdata\roaming\Malwarebytes
2009-06-22 20:04 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 20:04 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 20:04 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-22 20:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 20:04 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-19 12:05 <DIR> --d----- c:\users\simon\appdata\roaming\IDM
2009-06-19 12:05 <DIR> --d----- c:\users\simon\appdata\roaming\DMCache
2009-06-19 12:05 <DIR> --d----- c:\program files\Internet Download Manager
2009-06-19 08:10 <DIR> --d----- c:\program files\Belkin
2009-06-19 08:10 62,464 a------- c:\windows\system32\drivers\sxuptp.sys
2009-06-18 21:16 <DIR> --d----- c:\programdata\SpeedBit
2009-06-18 21:16 <DIR> --d----- c:\progra~2\SpeedBit
2009-06-18 21:16 479,298 a------- c:\windows\system32\wbocx.ocx
2009-06-18 21:16 172,032 a------- c:\windows\system32\AniGIF.ocx
2009-06-18 21:16 50,688 a------- c:\windows\system32\wbhelp2.dll
2009-06-18 21:16 <DIR> --d----- c:\program files\DAP
2009-06-18 20:15 <DIR> --d----- c:\windows\Desktop
2009-06-18 19:36 <DIR> --d----- C:\Downloads
2009-06-18 19:35 <DIR> --d----- c:\users\simon\appdata\roaming\FlashGet
2009-06-18 19:34 <DIR> --d----- c:\program files\FlashGet
2009-06-18 06:47 78 a------- C:\links.dat
2009-06-18 06:47 2,976 a------- C:\rapget.ini
2009-06-14 15:17 <DIR> --d----- c:\programdata\WinMount
2009-06-14 15:17 <DIR> --d----- c:\progra~2\WinMount
2009-06-13 09:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-13 09:42 <DIR> --d----- c:\programdata\McAfee
2009-06-11 20:04 <DIR> --d----- c:\programdata\SlySoft
2009-06-11 20:03 <DIR> --d----- c:\program files\SlySoft
2009-06-11 19:56 <DIR> --d----- c:\program files\Wondershare
2009-06-10 18:48 <DIR> --d----- c:\users\simon\appdata\roaming\WinMount
2009-06-10 18:47 37,376 a------- c:\windows\system32\drivers\WMDrive.sys
2009-06-10 18:47 <DIR> --d----- c:\program files\WinMount3
2009-06-10 06:25 <DIR> a-d----- c:\programdata\TEMP
2009-06-10 06:24 <DIR> --d----- c:\program files\AKVIS
2009-06-03 07:15 <DIR> --d----- c:\program files\Roxio
2009-06-03 07:06 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-06-02 22:28 <DIR> --d----- c:\users\simon\appdata\roaming\BSplayer PRO
2009-06-02 22:28 <DIR> --d----- c:\program files\Webteh
2009-06-02 19:14 <DIR> --d----- c:\program files\Wise Registry Cleaner
2009-06-02 18:46 356,352 a------- c:\windows\system32\nvusmb.exe
2009-06-02 18:46 789 -------- c:\windows\system32\nvsmb.nvu
2009-06-02 18:20 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-06-02 18:05 <DIR> --d----- c:\program files\GIGABYTE
2009-06-02 18:04 16,608 a------- c:\windows\gdrv.sys
2009-06-01 22:49 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-06-01 22:20 <DIR> --d----- c:\programdata\NVIDIA
2009-06-01 22:14 356,352 -------- c:\windows\system32\NVUNINST.EXE
2009-06-01 22:14 <DIR> --d----- C:\NVIDIA
2009-06-01 18:54 <DIR> --d----- c:\program files\common files\InterVideo
2009-06-01 18:54 <DIR> --d----- c:\programdata\InterVideo
2009-06-01 18:54 <DIR> --d----- c:\progra~2\InterVideo
2009-06-01 18:54 210,456 -------- c:\windows\system32\IVIresizeW7.dll
2009-06-01 18:54 206,360 -------- c:\windows\system32\IVIresizeA6.dll
2009-06-01 18:54 198,168 -------- c:\windows\system32\IVIresizeP6.dll
2009-06-01 18:54 198,168 -------- c:\windows\system32\IVIresizeM6.dll
2009-06-01 18:54 194,072 -------- c:\windows\system32\IVIresizePX.dll
2009-06-01 18:54 26,136 -------- c:\windows\system32\IVIresize.dll
2009-06-01 18:53 <DIR> --d----- c:\program files\Windows Media Components
2009-06-01 18:52 <DIR> --d----- c:\programdata\Ulead Systems
2009-06-01 18:52 <DIR> --d----- c:\program files\common files\Ulead Systems
2009-06-01 18:52 <DIR> --d----- c:\program files\Ulead Systems
2009-06-01 18:38 16,384 a------- C:\AccuSplitGraph.grf
2009-06-01 18:36 <DIR> --d----- C:\lame
2009-05-31 22:30 <DIR> --d----- c:\programdata\winLAME
2009-05-31 22:30 <DIR> --d----- c:\progra~2\winLAME
2009-05-31 22:30 <DIR> --d----- c:\program files\winLAME
2009-05-31 21:03 <DIR> --d----- C:\Amadis Video Converter Output
2009-05-31 20:59 <DIR> --d----- C:\AmadisTMP
2009-05-31 20:57 <DIR> --d----- c:\program files\Amadis Software
2009-05-31 15:13 <DIR> --d----- c:\windows\pss
2009-05-31 13:38 63 a------- c:\windows\system\SysSD.dll
2009-05-31 11:45 <DIR> --d----- c:\program files\DivX
2009-05-31 11:45 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-30 17:16 <DIR> --d----- c:\programdata\AppData
2009-05-30 17:16 <DIR> --d----- c:\progra~2\AppData
2009-05-30 17:15 <DIR> --d----- c:\users\simon\appdata\roaming\WTablet
2009-05-30 17:15 1,532,082 -------- c:\windows\system32\PenTablet.znc
2009-05-30 17:15 3,708,200 -------- c:\windows\system32\PenTablet.cpl
2009-05-30 17:14 11,440 -------- c:\windows\system32\drivers\WacomVKHid.sys
2009-05-30 17:13 13,480 -------- c:\windows\system32\drivers\wacomvhid.sys
2009-05-30 17:13 11,312 -------- c:\windows\system32\drivers\wacommousefilter.sys
2009-05-30 17:13 15,144 -------- c:\windows\system32\drivers\wacmoumonitor.sys
2009-05-30 17:13 <DIR> --d----- c:\windows\system32\WTablet
2009-05-30 17:13 181,544 -------- c:\windows\system32\Wintab32.dll
2009-05-30 17:13 128,296 -------- c:\windows\system32\Pen_Tablet.dll
2009-05-30 17:13 3,032,360 -------- c:\windows\system32\Pen_Tablet.exe
2009-05-30 17:13 <DIR> --d----- c:\program files\Tablet
2009-05-30 17:00 319 -------- c:\windows\system32\pentabletdefaults.xml
2009-05-30 17:00 <DIR> --d----- c:\program files\PenLauncher

==================== Find3M ====================

2009-06-26 19:05 0 a------- C:\sccfg.sys
2009-06-19 08:10 86,016 a------- c:\windows\inf\infstrng.dat
2009-06-19 08:10 86,016 a------- c:\windows\inf\infstor.dat
2009-06-19 08:10 51,200 a------- c:\windows\inf\infpub.dat
2009-05-30 16:32 152,713,203 a------- c:\windows\DUMP3894.tmp
2009-05-26 22:56 104,384 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-05-25 13:01 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2009-05-19 09:53 87,608 a------- c:\users\simon\appdata\roaming\inst.exe
2009-05-19 09:53 47,360 a------- c:\users\simon\appdata\roaming\pcouffin.sys
2009-05-19 09:53 47,360 -------- c:\windows\system32\drivers\pcouffin.sys
2009-05-18 17:45 53,248 -------- c:\windows\system32\suppdll.dll
2009-05-18 17:45 35,363 -------- c:\windows\system32\windrvNT.sys
2006-12-21 22:18 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:49 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 15:58 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:25:30.16 ===============
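As an added example (not part of this thread, and not code from the DDS tool or its author), the Python script below reads a DDS log in the format posted above and flags the three things a malware responder notices first in it: a second executable listed in the Winlogon Userinit value (here sdra64.exe, which is also in the running-process list), a hidden+system directory created recently under system32 (lowsec, which MBAM later reports as Stolen.Data), and UAC switched off (EnableLUA = 0). The excerpt it runs on is constructed from the log above and the function names are my own; the Userinit/sdra64.exe/lowsec combination is the well-known footprint of the Zeus (Zbot) credential-stealing trojan, a fact the thread itself does not state.

```python
import re

# Constructed excerpt of the DDS log posted above (same line formats, abbreviated).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\sdra64.exe
C:\Windows\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mPolicies-system: EnableLUA = 0 (0x0)

=============== Created Last 30 ================

2009-06-25 21:44 <DIR> --d----- c:\program files\GetData
2009-06-23 13:42 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-22 21:54 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
"""

# DDS section headers look like "======== Running Processes ========".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def userinit_extras(hjt_lines):
    """Executables in the Winlogon Userinit value other than userinit.exe itself."""
    for line in hjt_lines:
        if line.lower().startswith("mwinlogon: userinit="):
            entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
            return [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return []


def hidden_system_dirs(created_lines):
    """Directories whose DDS attribute field has both hidden (h) and system (s) set."""
    found = []
    for line in created_lines:
        parts = line.split(None, 4)  # date, time, <DIR>, attrs, path (path may contain spaces)
        if len(parts) == 5 and parts[2] == "<DIR>" and {"s", "h"} <= set(parts[3]):
            found.append(parts[4])
    return found


def uac_disabled(hjt_lines):
    return any(re.search(r"EnableLUA\s*=\s*0\b", l) for l in hjt_lines)


def running_basenames(proc_lines):
    """Lower-cased image names from the Running Processes section (arguments dropped)."""
    return {l.split("\\")[-1].split(" ")[0].lower() for l in proc_lines}


def triage(text):
    """Run all checks; returns a list of (severity, message) findings."""
    s = parse_sections(text)
    hjt, procs = s.get("Pseudo HJT Report", []), running_basenames(s.get("Running Processes", []))
    findings = []
    for extra in userinit_extras(hjt):
        state = "running" if extra.split("\\")[-1].lower() in procs else "not in process list"
        findings.append(("high", f"extra Userinit entry {extra} ({state})"))
    for d in hidden_system_dirs(s.get("Created Last 30", [])):
        findings.append(("high", f"hidden+system directory created recently: {d}"))
    if uac_disabled(hjt):
        findings.append(("medium", "UAC disabled (EnableLUA = 0)"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```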


#2 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 30 June 2009 - 05:23 AM

Hello qaman10,

Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 qaman10 (Topic Starter)

Posted 30 June 2009 - 01:34 PM

Thanks for getting back to me. Yes, I still cannot get rid of Overclick.cn. Latest HijackThis file attached.

#4 teacup61 (Malware Response Team)

Posted 30 June 2009 - 04:16 PM

Hello,

You're welcome. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 qaman10 (Topic Starter)

Posted 01 July 2009 - 02:14 AM

Tea

Thanks. ComboFix log attached. It automatically removed some files, including a SKYNET rootkit. I don't know if it is connected to whatever has infected this machine, but the Vista DNS manager has stopped working and I have to manually flush the DNS cache to access some sites, including Bleeping Computer. Looks like the redirect has gone, though.

Just so you know, I am based in the UK, so there will always be a slight lag in answering your messages due to the time difference between here and Texas.

Qaman

Attached Files
  • log.txt (25.25KB, 5 downloads)


#6 qaman10 (Topic Starter)

Posted 01 July 2009 - 02:17 AM

Oops, forgot the HijackThis log.

Attached.

#7 teacup61 (Malware Response Team)

Posted 01 July 2009 - 02:55 AM

Hello,

I don't know about that. :thumbup2: I keep some funny hours. It's almost 3 am for me here. :)

Looking better. Please be sure MBAM is updated and have a scan with it for me. Post the report in your reply, if there is anything to post.

Thanks,
tea

#8 qaman10 (Topic Starter)

Posted 01 July 2009 - 04:35 PM

Tea

Looks like I am clear now. MBAM log attached. It found Skynet in the ComboFix quarantine directory and a folder called Lowsec in System32. Both successfully removed.

Lowsec is showing up as "Stolen.Data". Is this a concern?

I must thank you for everything you have done. In the 20-odd years I have been playing with PCs, this is the first time I have had to ask for help, and I am really grateful for your support. Donation winging its way to you so you can keep up the good work.

Qaman


#9 teacup61 (Malware Response Team)

Posted 01 July 2009 - 07:02 PM

Hello,

Thank you so much. :thumbup2:

As with any serious malware infection these days, if you do any online business/transactions, it's always best to change any passwords and keep an eye on any accounts for a bit afterwards. Better to be safe than sorry!

You said this earlier:

    "...but the Vista DNS manager has stopped working..."

Is this working again as well?

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

tea

#10 qaman10 (Topic Starter)

Posted 02 July 2009 - 01:13 AM

Tea

The DNS manager appears to have recovered but I will keep an eye on it.

Thanks again for all your excellent help.

Qaman

#11 teacup61 (Malware Response Team)

Posted 02 July 2009 - 01:38 AM

Excellent to know, and you're most welcome. :thumbup2:

Great tips and info: http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea

#12 teacup61 (Malware Response Team)

Posted 06 July 2009 - 07:00 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.