
Search Hijacker and Rogue Adware - spyware finds them but fails to remove them, please help!


2 replies to this topic

#1 hackedoffbyadware

hackedoffbyadware

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 15 December 2009 - 02:21 PM

I have a search hijacker on my PC and rogue adware. I've been through my system twice with full virus checks that revealed nothing. I've used 3 different spyware apps: AntiMalware, which detected nothing; Spybot, which detected nothing; and StopZilla, which found them, said it had deleted them, rebooted, but now they are back! Please help, I'll buy you a pint I promise if you solve this for me, I am at the end of my tether.


DDS (Ver_09-12-01.01) - FAT32x86
Run by Lisa Culshaw at 19:56:43.67 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.479.93 [GMT 1:00]

AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Fichiers communs\iS3\Anti-Spyware\SZServer.exe
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\fichiers communs\logitech\lvmvfm\LVPrcSrv.exe
SVCHOST.EXE
C:\Program Files\Fichiers communs\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Fichiers communs\AOL\1162928054\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Documents and Settings\Lisa Culshaw\Bureau\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: iFinger plugin / Browser helper object: {a114d52b-870c-4f15-8021-b6d7f91a054b} - c:\progra~1\ifinger\plugins\IE.ifp
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [AOLDialer] c:\program files\fichiers communs\aol\acs\AOLDial.exe
mRun: [HostManager] c:\program files\fichiers communs\aol\1162928054\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\aol90t~1.lnk - c:\program files\aol 9.0a\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\ifinge~1.lnk - c:\program files\ifinger\iFinger.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {936E5D60-596C-11D3-BB96-00600816DF55} - {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - c:\windows\system32\SHDOCVW.DLL
LSP: c:\program files\fichiers communs\is3\anti-spyware\iS3lsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1244333890_0796e926739a054e7f88ca3a9bb2dd45&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-8 28552]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114312]
R2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146952]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 95880]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101512]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-5-12 61328]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys --> c:\windows\system32\drivers\toywdm.sys [?]
S3 PALLADIA;Palladia 300/400 Usb Adsl Modem;c:\windows\system32\drivers\usbiad.sys [2005-9-9 31547]

=============== Created Last 30 ================

2009-12-15 18:30:54 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-15 16:16:35 0 d-----w- c:\program files\STOPzilla!
2009-12-15 11:39:24 0 d-----w- c:\docume~1\lisacu~1\applic~1\Panda Security
2009-12-15 11:35:23 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2009-12-15 11:34:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2009-12-09 21:34:57 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-09 21:22:32 0 d-----w- C:\WINSSLog
2009-12-08 09:16:31 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-08 09:16:20 0 d-----w- c:\program files\Panda Security
2009-12-08 08:16:06 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-08 08:16:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-07 19:16:53 0 d-----w- c:\program files\CCleaner
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmpE3C27.FOT
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmpD5C27.FOT
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmpC8C27.FOT
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmpBAC27.FOT
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmpACC27.FOT
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmp9FC27.FOT
2009-12-05 15:29:52 1409 ----a-w- c:\windows\system32\tmp97A27.FOT
2009-12-04 14:53:00 2 ----a-w- c:\windows\msoffice.ini
2009-12-03 07:41:01 0 d-----w- c:\program files\fichiers communs\xing shared
2009-12-02 10:45:18 195456 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-12-09 09:25:42 46772 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-09 09:25:42 364414 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-30 15:18:02 146952 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2009-10-28 14:40:48 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-27 09:08:16 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-27 09:08:14 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-27 08:59:38 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-21 05:39:44 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:39:44 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:39:44 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:39:44 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-20 12:40:34 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 12:40:24 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 12:38:16 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 12:37:58 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 12:37:40 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 12:35:40 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 12:35:18 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 12:35:04 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 12:31:52 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-10-13 10:33:38 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:33:38 271360 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:39:22 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:39:22 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:39:22 150528 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:39:22 150528 ------w- c:\windows\system32\dllcache\rastls.dll
2009-05-27 11:55:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012009052720090528\index.dat

============= FINISH: 19:57:54.20 ===============

sorry, forgot the attachments.

Merged posts. ~ OB

Edited by Orange Blossom, 17 December 2009 - 11:43 PM.
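As an added triage helper (not part of this thread, of DDS, or of any tool named here), the following Python parses the "Pseudo HJT Report" section of a DDS log like the one above: it pulls out the BHO, toolbar, URLSearchHook and LSP registrations, flags entries with no file on disk (such as the `TB: {...} - No File` line), and flags search or start-page hosts outside a responder-supplied allowlist. The allowlist, the sample lines and the `hijack-example.invalid` host are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit
# Matches the extension-style lines of a DDS "Pseudo HJT Report"
# (BHO/TB/mURLSearchHooks/LSP/SSODL), e.g. "BHO: Name: {CLSID} - path".
ENTRY_RE = re.compile(
    r"^(?P<kind>BHO|TB|mURLSearchHooks|LSP|SSODL):\s*"
    r"(?:(?P<name>[^{:]+):\s*(?=\{))?"              # display name, only if a CLSID follows
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*)?"   # CLSID, then " - " before the path
    r"(?P<path>.*)$"
)
# Browser search / start-page settings, e.g. "uSearchURL,(Default) = hxxp://..."
SETTING_RE = re.compile(r"^(?P<key>[um](?:Search Bar|Start Page|SearchURL)[^=]*)=\s*(?P<value>\S+)$")
# Hosts the responder already trusts as search/start pages (assumption for this example).
KNOWN_HOSTS = {"www.google.com", "search.aol.co.uk", "www.bing.com"}
# Constructed sample modelled on the log above; the "hijack-example.invalid" host is made up.
SAMPLE = """\
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
uSearch Bar = hxxp://search.hijack-example.invalid/ie
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\\program files\\stopzilla!\\toolbar\\SZIESearchHook.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\fichiers communs\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
LSP: c:\\program files\\fichiers communs\\is3\\anti-spyware\\iS3lsp.dll
"""

def parse_hjt(text):
    """Return (entries, findings): parsed extension entries and human-readable triage notes."""
    entries, findings = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SETTING_RE.match(line)
        if m:
            url = m["value"].replace("hxxp://", "http://", 1)      # DDS defangs URLs as hxxp
            host = urlsplit(url).hostname or ""
            if host not in KNOWN_HOSTS:
                findings.append(f"unknown search/start host '{host}' in {m['key'].strip()}")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {k: (m[k] or "").strip() for k in ("kind", "name", "clsid", "path")}
        entries.append(entry)
        if entry["path"] in ("", "No File"):
            # Registration left behind after an uninstall: dead weight and a cleanup candidate.
            findings.append(f"orphaned {entry['kind']} {entry['clsid'] or entry['name']} (no file on disk)")
        elif entry["kind"] in ("mURLSearchHooks", "LSP"):
            # Both sit in the search / network path, which is where hijackers persist.
            findings.append(f"{entry['kind']} intercepts search/traffic: verify {entry['path']}")
    return entries, findings
```

Running `parse_hjt(SAMPLE)` returns five parsed entries and five findings: the unknown search-bar host, the two orphaned toolbar registrations, and the URLSearchHook and LSP modules to verify on disk.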



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:34 PM

Posted 27 December 2009 - 05:12 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:34 PM

Posted 31 December 2009 - 01:01 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
