Random Browser Tabs Opening


This topic is locked
6 replies to this topic

#1 Viper H

Viper H

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:21 PM

Posted 13 January 2011 - 09:32 AM

Hello,

My mother's computer seems to have been hijacked by something or other, and random tabs keep opening in Firefox windows to various shopping websites and occasionally pornographic sites. Also, occasionally, search results from google will redirect to these random sites, rather than going through to the actual search result. I only have one URL example of these websites right now, as the problem is intermittent, but it is "iphonepuma.com".

The computer has previously been infected with one of these fake spyware removal program malwares, which creates popups telling you that you're infected and trying to get you to buy them. I managed to remove the majority of this "software" however the above problem still lingers.

I am a computer engineer, and have been removing spyware, malware and other malicious programs from computers for the last 10 years, but this one has stumped me.

I have run AdAware, Spybot S&D, Malwarebytes AntiMalware, SUPERAntiSpyware and Avast Anti-Virus, both quick scanning and deep scanning, and still cannot get rid of this problem she is having. I hope that someone from here can take a look at the various logs I have generated in a hope that we can cure this problem.

Please see my DDS log below. Note that I was unable to do a proper GMER scan as it does not seem to run properly on Windows 7 64-bit.

DDS Log:

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Sally at 13:59:08.11 on 13/01/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3999.2777 [GMT 0:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportLaunService64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\spool\DRIVERS\x64\3\HP1006MC.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Sally\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Adobe PDF Link Helper: {3ae41cb4-7dd8-15a6-32fe-4ea8063150cc} - C:\Windows\SysWow64\EEncDec.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Sally\AppData\Roaming\Mozilla\Firefox\Profiles\ohs1cp6i.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-12-25 69152]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-11-21 121936]
R1 RapportKE64;RapportKE64;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportKE64.sys [2010-10-3 63472]
R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportPG64.sys [2010-10-3 56816]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-11-21 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-11-21 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-1 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-12-3 1402272]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-1-1 363344]
R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-11-21 1153368]
R2 TeamViewer5;TeamViewer 5;C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-10-15 2002728]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-2-19 227896]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-12-3 17440]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2010-10-12 24152]
R3 RapportLaunService;Rapport Launching Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportLaunService64.exe [2010-10-3 526320]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S1 SASDIFSV;SASDIFSV;C:\Program Files (x86)\SUPERAntiSpyware\sasdifsv.sys [2010-1-5 9968]
S1 SASKUTIL;SASKUTIL;C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.SYS [2010-1-5 74480]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-5 136176]
S3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-1 40384]
S3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-1 40384]
S3 SASENUM;SASENUM;C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2011-01-13 02:54:28 -------- d-----w- C:\Users\Sally\AppData\Roaming\ElementalsTheMagicKey
2011-01-12 17:30:53 -------- d-----w- C:\Users\Sally\AppData\Roaming\Orneon
2011-01-12 13:24:24 -------- d-----w- C:\Program Files (x86)\Eternity
2011-01-12 13:22:37 -------- d-----w- C:\Program Files (x86)\Escape the Museum 2
2011-01-12 13:21:47 -------- d-----w- C:\Program Files (x86)\Escape the Museum
2011-01-12 13:19:50 -------- d-----w- C:\Program Files (x86)\Escape the Lost Kingdom
2011-01-12 13:18:40 -------- d-----w- C:\Program Files (x86)\Escape Rosecliff Island
2011-01-12 13:16:30 -------- d-----w- C:\Program Files (x86)\Enlightenus II - The Timeless Tower Collector's Edition
2011-01-12 13:14:33 -------- d-----w- C:\Program Files (x86)\Emerald City Confidential
2011-01-12 13:13:28 -------- d-----w- C:\Program Files (x86)\Elementals - The Magic Key
2011-01-12 13:05:09 -------- d-----w- C:\Program Files (x86)\Echoes of the Past - The Castle of Shadows Collectors Edition
2011-01-11 17:46:43 -------- d-----w- C:\Users\Sally\AppData\Local\Deadtime Stories
2011-01-11 01:09:55 -------- d-----w- C:\Users\Sally\AppData\Roaming\DarkParablesBriarRose_BFG
2011-01-10 21:14:31 -------- d-----w- C:\Users\Sally\AppData\Roaming\Column of the Maya
2011-01-10 21:14:31 -------- d-----w- C:\PROGRA~3\Column of the Maya
2011-01-09 19:22:32 -------- d-----w- C:\PROGRA~3\JoyBits
2011-01-09 17:49:15 -------- d-----w- C:\Program Files (x86)\Department 42 - The Mystery of the Nine
2011-01-09 17:36:19 -------- d-----w- C:\PROGRA~3\Deadtime Stories
2011-01-09 17:35:29 -------- d-----w- C:\Program Files (x86)\Deadtime Stories
2011-01-09 17:33:22 -------- d-----w- C:\Program Files (x86)\Dark Parables - Curse of Briar Rose Collector's Edition
2011-01-09 11:29:49 -------- d-----w- C:\Users\Sally\AppData\Roaming\JoyBits
2011-01-09 01:29:58 -------- d-----w- C:\Users\Sally\AppData\Local\Buried In Time
2011-01-09 01:29:57 -------- d-----w- C:\PROGRA~3\Buried In Time
2011-01-09 01:14:04 -------- d-----w- C:\Users\Sally\AppData\Local\FlyOrDie
2011-01-07 14:14:15 -------- d-----w- C:\Users\Sally\AppData\Roaming\Enlightenus
2011-01-06 15:24:58 -------- d-----w- C:\Users\Sally\AppData\Roaming\PoBros
2011-01-06 15:24:58 -------- d-----w- C:\PROGRA~3\PoBros
2011-01-05 17:19:43 -------- d-----w- C:\Users\Sally\AppData\Roaming\MAI
2011-01-05 17:17:26 -------- d-----w- C:\Program Files (x86)\Azada - Ancient Magic
2011-01-05 17:16:44 -------- d-----w- C:\Program Files (x86)\Azada
2011-01-05 17:15:18 -------- d-----w- C:\Program Files (x86)\Avenue Flo - Special Delivery
2011-01-05 17:12:55 -------- d-----w- C:\Program Files (x86)\Avenue Flo
2011-01-05 17:11:35 -------- d-----w- C:\Program Files (x86)\Autumn's Treasures - The Jade Coin
2011-01-05 17:03:55 -------- d-----w- C:\Program Files (x86)\Enlightenus
2011-01-04 18:45:35 -------- d-----w- C:\Users\Sally\AppData\Roaming\Anabel
2011-01-03 14:49:49 -------- d-----w- C:\Users\Sally\AppData\Roaming\TeleportGamesLtd
2011-01-03 14:49:49 -------- d-----w- C:\PROGRA~3\TeleportGamesLtd
2011-01-03 12:15:23 -------- d-----w- C:\Users\Sally\AppData\Roaming\BigFishv1002
2011-01-02 17:15:10 -------- d-----w- C:\Users\Sally\AppData\Roaming\KranX Productions
2011-01-02 17:13:43 -------- d-----w- C:\Program Files (x86)\Artifacts of the Past - Ancient Mysteries
2011-01-02 17:08:37 -------- d-----w- C:\Program Files (x86)\Annabel
2011-01-02 17:07:32 -------- d-----w- C:\Program Files (x86)\Anka
2011-01-02 17:02:17 -------- d-----w- C:\Program Files (x86)\Ancient Adventures - Gift of Zeus
2011-01-02 03:02:52 -------- d-----w- C:\Users\Sally\AppData\Roaming\Merscom
2011-01-02 03:02:52 -------- d-----w- C:\PROGRA~3\Merscom
2011-01-02 02:34:44 -------- d-----w- C:\Users\Sally\AppData\Roaming\Private Moon Studios
2011-01-02 02:30:21 -------- d-----w- C:\Users\Sally\AppData\Roaming\RobinsonCrusoe
2011-01-02 02:06:50 -------- d-----w- C:\Users\Sally\AppData\Roaming\ThreeDays2
2011-01-02 00:08:36 -------- d-----w- C:\Users\Sally\AppData\Roaming\Aveyond 3
2011-01-02 00:03:05 -------- d-----w- C:\Users\Sally\AppData\Roaming\Aveyond II
2011-01-01 15:53:21 -------- d-----w- C:\Users\Sally\AppData\Roaming\Aveyond I
2010-12-30 19:44:50 -------- d-----w- C:\Program Files (x86)\Awakening - The Dreamless Castle
2010-12-29 12:17:10 -------- d-----w- C:\Users\Sally\AppData\Roaming\Boomzap
2010-12-28 18:56:36 -------- d-----w- C:\Program Files (x86)\Dream Chronicles - The Chosen Child
2010-12-28 18:56:12 -------- d-----w- C:\Program Files (x86)\Dream Chronicles 2 - The Eternal Maze
2010-12-28 18:55:12 -------- d-----w- C:\Program Files (x86)\Dream Chronicles - The Book of Air Collector's Edition
2010-12-28 18:54:48 -------- d-----w- C:\Program Files (x86)\Dream Chronicles
2010-12-28 18:43:53 -------- d-----w- C:\Program Files (x86)\Awakening - Moonfell Wood
2010-12-28 18:41:12 -------- d-----w- C:\Program Files (x86)\Tamara the 13th
2010-12-28 02:14:14 -------- d-----w- C:\Users\Sally\AppData\Roaming\gogii
2010-12-28 02:14:14 -------- d-----w- C:\PROGRA~3\gogii
2010-12-28 01:48:21 -------- d-----w- C:\Users\Sally\AppData\Roaming\Home Sweet Home Christmas
2010-12-28 01:02:26 -------- d-----w- C:\PROGRA~3\Christmasville
2010-12-27 18:11:42 -------- d-----w- C:\Users\Sally\AppData\Roaming\Boolat Games
2010-12-26 14:45:23 -------- d-----w- C:\Users\Sally\AppData\Roaming\SpinTop Games
2010-12-26 14:21:59 -------- d-----w- C:\Users\Sally\AppData\Local\Color-Brush
2010-12-26 12:35:13 -------- d-----w- C:\PROGRA~3\Fenomen Games
2010-12-26 02:25:15 -------- d-----w- C:\Users\Sally\AppData\Roaming\Casual Arts
2010-12-26 02:25:15 -------- d-----w- C:\PROGRA~3\Casual Arts
2010-12-25 16:46:45 -------- d-----w- C:\Program Files\Defraggler
2010-12-25 16:40:14 -------- d-----w- C:\Program Files\CCleaner
2010-12-25 15:26:05 69152 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2010-12-25 15:26:00 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2010-12-25 15:25:07 -------- d-----w- C:\Users\Sally\AppData\Local\Sunbelt Software
2010-12-25 15:24:46 -------- dc-h--w- C:\PROGRA~3\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-25 15:24:32 -------- d-----w- C:\Program Files (x86)\Lavasoft
2010-12-25 02:15:16 -------- d-----w- C:\Program Files (x86)\Great Adventures - Xmas Edition
2010-12-16 02:04:46 -------- d-----w- C:\Program Files (x86)\Dream Day Wedding Bella Italia
2010-12-15 19:10:48 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2010-12-15 19:10:31 -------- d-----w- C:\Users\Sally\AppData\Roaming\SUPERAntiSpyware.com
2010-12-15 19:10:31 -------- d-----w- C:\Program Files (x86)\SUPERAntiSpyware
2010-12-15 19:08:26 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2010-12-15 18:53:26 -------- d-----w- C:\Program Files\Avago-HP
2010-12-15 18:53:21 373760 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\HP1006S.DLL
2010-12-15 18:53:04 64512 ----a-w- C:\Windows\System32\HPPLVS.dll
2010-12-15 18:53:03 403968 ----a-w- C:\Windows\System32\HP1006LM.DLL
2010-12-15 18:53:01 -------- d-----w- C:\Program Files\HP

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- C:\Windows\avastSS.scr
2010-12-20 18:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-10-05 20:47:54 129024 ----a-w- C:\Program Files (x86)\Common Files\uninstall.exe

============= FINISH: 14:01:22.18 ===============


I have attached my DDS "Attach" file also.

I would appreciate any assistance you could offer in getting rid of this problem, as it is very frustrating to my mother.

Cheers.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:21 PM

Posted 14 January 2011 - 03:37 AM

Hi,

I believe this may be the cause:

BHO: Adobe PDF Link Helper: {3ae41cb4-7dd8-15a6-32fe-4ea8063150cc} - C:\Windows\SysWow64\EEncDec.dll

I would love to have a sample of this one, so please navigate to C:\Windows\SysWow64\EEncDec.dll and upload this file here: http://www.bleepingcomputer.com/submit-malware.php?channel=8
This is so I can add detection to Malwarebytes for this one.
Then, after you have uploaded, rename the file to EEncDec.bad and reboot. Make sure it's actually renamed to EEncDec.bad and not to EEncDec.bad.dll, because the problem will persist otherwise.
Verify if after reboot the problem is gone. If so, you can delete the EEncDec.bad file.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
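An added example, not code from the thread or from the DDS/HijackThis tools, that automates the check made in the reply above: it parses BHO lines from both log formats and flags a display name registered under two different CLSIDs, a DLL loaded from under C:\Windows rather than Program Files, and orphaned entries whose DLL is gone. The system drive letter and the scoring rules are this example's own assumptions; the sample lines are copied from the logs in this thread.

```python
"""Triage BHO (Browser Helper Object) lines from DDS and HijackThis logs.

Added example, not code from the thread or from the DDS/HijackThis tools.
It automates the check made by eye above: a BHO that borrows a legitimate
product's display name ("Adobe PDF Link Helper") but is registered under a
second CLSID and loads a DLL dropped into a Windows system directory, plus
orphaned entries whose DLL is gone. The scoring rules are this example's own
heuristics; the sample lines are copied from the logs posted in the thread.
"""
import re
from collections import defaultdict

# DDS "Pseudo HJT Report":  BHO: <name>: {clsid} - <path>   (name may be absent)
DDS_BHO = re.compile(
    r"^BHO(?:-X64)?:\s*(?:(?P<name>.+?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.*)$")
# HijackThis:               O2 - BHO: <name> - {clsid} - <path>
HJT_BHO = re.compile(
    r"^O2 - BHO:\s*(?P<name>.+?)\s*-\s*"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.*)$")

NO_NAME = {"", "(no name)"}
# Assumption: the system drive is C:; adjust if %SystemRoot% lives elsewhere.
WINDOWS_DIR = "c:\\windows\\"


def normalize_path(path):
    """Split off the DDS/HJT 'missing file' markers; return (clean_path, missing)."""
    missing = False
    if path.lower().endswith("(file missing)"):
        path = path[: -len("(file missing)")].strip()
        missing = True
    if path.lower() in ("no file", "(no file)", ""):
        return "", True
    return path, missing


def parse_bho(line):
    """Return (name, clsid, path, missing) for a BHO line, or None if it is not one."""
    for rx in (DDS_BHO, HJT_BHO):
        m = rx.match(line.strip())
        if m:
            name = (m.group("name") or "").strip()
            path, missing = normalize_path(m.group("path").strip())
            return name, m.group("clsid").lower(), path, missing
    return None


def triage_bhos(lines):
    """Map each suspicious CLSID (lower-cased) to the list of reasons it was flagged."""
    entries = [e for e in map(parse_bho, lines) if e]
    clsids_by_name = defaultdict(set)
    for name, clsid, _path, _missing in entries:
        if name.lower() not in NO_NAME:
            clsids_by_name[name.lower()].add(clsid)
    findings = defaultdict(list)
    for name, clsid, path, missing in entries:
        reasons = []
        # The same display name registered twice: one of the two is an impostor.
        if name.lower() not in NO_NAME and len(clsids_by_name[name.lower()]) > 1:
            reasons.append("display name shared by more than one CLSID")
        # Third-party BHOs install under Program Files, not under C:\Windows.
        if path.lower().startswith(WINDOWS_DIR):
            reasons.append("DLL loaded from a Windows system directory")
        # Registration outlived its DLL: inert now, but worth fixing in HijackThis.
        if missing:
            reasons.append("orphaned entry: DLL no longer on disk")
        for r in reasons:
            if r not in findings[clsid]:
                findings[clsid].append(r)
    return dict(findings)


def rank_findings(findings):
    """Order flagged CLSIDs by how many independent signals they tripped."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample: lines copied from the DDS and HijackThis logs in this thread.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Adobe PDF Link Helper: {3ae41cb4-7dd8-15a6-32fe-4ea8063150cc} - C:\Windows\SysWow64\EEncDec.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Link Helper - {3AE41CB4-7DD8-15A6-32FE-4EA8063150CC} - C:\Windows\SysWow64\EEncDec.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
""".splitlines()

if __name__ == "__main__":
    for clsid, reasons in rank_findings(triage_bhos(SAMPLE_LOG)):
        print(clsid, "->", "; ".join(reasons))
```

The genuine Adobe entry is reported too, because a name collision cannot say which side is the impostor on its own; the extra "Windows system directory" signal is what separates the two.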

#3 Viper H

Viper H
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:21 PM

Posted 16 January 2011 - 08:58 AM

Hi Miekiemoes,

Thanks for your response. I was finally able to get back to my mother's laptop today to try and find and remove the file you asked about, however I've looked all over the Windows folder and can't actually find the DLL. Explorer is set to view hidden files and protected operating system files are visible too. It just doesn't seem to be there any more. So I'm afraid I have nothing to upload for you!

Is there anything else in my DDS log that this hijack could be? It's a most mysterious problem.

Thanks!

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:21 PM

Posted 16 January 2011 - 02:34 PM

Hi,

The file should be there though; it's showing in your DDS log. In what folder did you look?
Anyway, do the following instead...

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\Windows\SysWow64\EEncDec.dll
C:\Windows\System32\EEncDec.dll


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Also, can you post a HijackThis log instead?

* Download HijackThis from here:
http://free.antivirus.com/hijackthis/
Then right-click HijackThis and select to run as administrator (important). Even better is to right-click HijackThis.exe, select properties > compatibility tab and check the box to run as administrator from there. Click apply/ok. That way, you don't have to do this every time to run as administrator.
Then open HijackThis, click scan and post the log in your next reply. That way it will be easier to deal with this one (via HijackThis), and so I can also see/verify if that file is still present there.

#5 Viper H

Viper H
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:21 PM

Posted 16 January 2011 - 04:47 PM

Hiya,

I submitted the .cab file as requested, but I don't think it has anything in it anyway.

Here's my HT log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:47:04, on 16/01/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\bfgclient\bfgclient.exe
C:\Program Files (x86)\WinRAR\WinRAR.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Link Helper - {3AE41CB4-7DD8-15A6-32FE-4EA8063150CC} - C:\Windows\SysWow64\EEncDec.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{890851C2-F743-4A21-AB79-2EDAEE4D7C4C}: NameServer = 192.168.0.1,194.168.4.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{890851C2-F743-4A21-AB79-2EDAEE4D7C4C}: NameServer = 192.168.0.1,194.168.4.100
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Rapport Launching Service (RapportLaunService) - Trusteer Ltd. - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportLaunService64.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8742 bytes


Thanks.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:21 PM

Posted 17 January 2011 - 01:39 AM

Hi,

It looks like the file is indeed missing in the meanwhile:

O2 - BHO: Adobe PDF Link Helper - {3AE41CB4-7DD8-15A6-32FE-4EA8063150CC} - C:\Windows\SysWow64\EEncDec.dll (file missing)

You can check the above entry in HijackThis and click the "Fix checked" button below.

Is the browser still opening tabs on its own?

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:21 PM

Posted 25 January 2011 - 08:37 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.



