caught wit my pants down... now i'm gett'n Google redirects, etc.


This topic is locked. 18 replies to this topic.

#1 AltElvis

Posted 23 May 2012 - 02:34 PM

Hi All,

looks like i took too long updating my anti-virus ... now i'm getting Google redirects trying to get to any AV download page... also, get a credit card request pop up window, every time i log onto FaceBook... not to mention my desktop keeps getting rearranged... ran MalwareBytes, logs show Trojan.Dropper.PE4, Trojan.Agent.SZ, Rootkit.0Access, Trojan.Agent.SZ, Trojan.Dropper.PE4 were detected & deleted ... ran SuperAntiSpyware, logs show 12 threats detected & deleted ... still gett'n the google redirects & credit card request pop up on FB... now quite concerned about online Banking, etc...


here's the DDS log;

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_29
Run by Cortez at 11:19:38 on 2012-05-23
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.swimboat.com/
mStart Page = hxxp://lenovo.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - f:\programs\ez trust\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - f:\programs\ez trust\ca anti-phishing\toolbar\caIEToolbar.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adybwypo] "c:\documents and settings\cortez\application data\ilsin\uhus.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\programs\msoffi~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8B788A26-A798-469B-AD44-9415EA8201D3} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - f:\programs\superantispyware\SASWINLO.DLL
Notify: ACNotify - ACNotify.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - f:\programs\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\programs\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cortez\application data\mozilla\firefox\profiles\6ej23h4x.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - plugin: c:\documents and settings\cortez\application data\mozilla\firefox\profiles\6ej23h4x.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: f:\programs\itunes\mozilla plugins\npitunes.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-05-22 21:54:34 -------- d-----w- c:\program files\common files\SQLDMO
2012-05-22 21:54:31 -------- d-----w- c:\documents and settings\cortez\local settings\application data\{ADC46885-A458-11E1-8270-B8AC6F996F26}
2012-05-22 21:53:59 -------- d-----w- c:\documents and settings\cortez\local settings\application data\Identities
2012-05-22 21:53:28 -------- d-----w- c:\documents and settings\cortez\application data\Nebol
2012-05-22 21:53:28 -------- d-----w- c:\documents and settings\cortez\application data\Ilsin
2012-05-22 21:53:28 -------- d-----w- c:\documents and settings\cortez\application data\Edfayz
.
==================== Find3M ====================
.
2012-04-29 21:51:26 48 ----a-w- c:\windows\wpd99.drv
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 11:20:53.10 ===============
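A small triage script for a DDS "Pseudo HJT Report" and its Firefox section, added here as an example and not part of this post or of the DDS tool: it flags Run entries that launch from the user profile (the pattern of the uhus.exe line above), orphaned "No File" browser add-on entries, and user.js prefs that silence Firefox security warnings. The sample lines are copied from the posted log; the severity labels are my own assumption.

```python
import re

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [Adybwypo] "c:\\documents and settings\\cortez\\application data\\ilsin\\uhus.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
BHO: 1 (0x1) - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
"""

# Profile directories from which legitimate autoruns almost never launch.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Firefox prefs whose value here means a security warning has been silenced.
WEAK_FF_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_submit_insecure.show_once": "false",
    "security.warn_viewing_mixed": "false",
    "security.warn_viewing_mixed.show_once": "false",
}

RUN_RE = re.compile(r"^([um]Run): \[([^\]]+)\]\s+(.*)$")
FF_RE = re.compile(r"^FF - user\.js: (\S+) - (\S+)$")


def triage(log_text):
    """Return (severity, reason, line) tuples for suspicious DDS lines."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            key, name, target = m.group(1), m.group(2), m.group(3).strip('"').lower()
            # A random-looking name plus an EXE inside the profile is the classic dropper pattern.
            if any(d in target for d in PROFILE_DIRS):
                findings.append(("high", f"{key} launches from user profile: {name}", line))
            continue
        if line.endswith("- No File") and line.split(":", 1)[0] in ("BHO", "TB"):
            findings.append(("low", "orphaned browser add-on entry", line))
            continue
        m = FF_RE.match(line)
        if m and WEAK_FF_PREFS.get(m.group(1)) == m.group(2):
            findings.append(("medium", f"Firefox warning disabled: {m.group(1)}", line))
    return findings


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

The script only narrows what to look at; each "high" hit still needs its file submitted to a scanner or a helper before removal.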



#2 Noviciate


Posted 23 May 2012 - 03:01 PM

Good evening. :)

looks like i took too long updating my anti-virus

Which anti-virus were you using and how long did you take to update it? Also, the logs that you have posted appear to have been edited as certain information about the operating system and disk partitions is missing - have you done this yourself?

So long, and thanks for all the fish.

#3 AltElvis


Posted 23 May 2012 - 03:35 PM

Hi Noviciate... thanx for your response.

Good evening. :)

Which anti-virus were you using and how long did you take to update it? Also, the logs that you have posted appear to have been edited as certain information about the operating system and disk partitions is missing - have you done this yourself?

Avira... bout 8mos ago took it off the machine (was having conflicts w/ SuperAntiSpyware & Malwarebytes) to upload a current version, was jus scanning w/ SA & MB for the time being ... no editing of the logs, those are what were saved from DDS & GMER.


TanxAgain

AltElvis

#4 AltElvis


Posted 23 May 2012 - 04:19 PM

Something else i'm noticing on boot up, keep getting 2 crash report windows; 1st - "Rescue and Recovery Backup Service has encountered a problem and needs to close. We are sorry for the inconvenience." ... 2nd - "netwk.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

also, on the "StartUp" on the msconfig, keep finding "uhus C:\Documents and Settings\Cortez\Application Data\Ilsn\uhus.exe" checked even after unchecking and applying ... seems something keeps putting it in the StartUp group.

#5 Noviciate


Posted 24 May 2012 - 03:09 PM

Good evening. :)

Given the length of time that the PC has been without a resident anti-virus program I suggest that you back up any important data and then reinstall your operating system. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.
You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc... changed - obviously not using this PC!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are other free anti-virus programs available if you aren't happy with Antivir, so pick one, and only one as conflicts can arise from multiple AVs, that takes your fancy:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
Microsoft Security Essentials: Available here

I suggest that you download the installation file and save it somewhere before you reinstall - you don't want to be going online without an AV up and running.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am unsure from your log whether or not you have a software firewall installed. If you have, and I've missed it, please ignore this.
If you haven't, or are using the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
There are a few free firewalls available, of which the following are a couple:

Comodo Firewall Pro, available here.
Zone Alarm, available here.


While you can download them all to see which one you prefer, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You should also ensure that your version of Internet Explorer is up-to-date in future. Yours is some years old and poses a security risk due to the various holes that will have been identified by malware writers.

So long, and thanks for all the fish.

#6 AltElvis


Posted 24 May 2012 - 03:35 PM

oh boy... reinstall is not something i'm looking forward to ... can say that this box has been pretty clean using SuperAntiSpyware & MalwareBytes ... this current virus hit approx. 3p 5-22-12, one of those Antivirus ad attacks ... haven't used this puter for any important online activity since ...

_______________________________________________________
as far as AntiVirus programs... Avira worked fine but the current free version requires XP sp2 64bit, haven't looked into what's gotta be done to get this box there.

_______________________________________________________
firewall seems to have some issues since this infection ... it won't let me access to make sure it's on ... ZoneAlarm seems to be pretty good from what i've read... will check that out further.

_______________________________________________________
I never use InternetExplorer... would this box still be vulnerable to attack without using that browser?


thank you for the info

AltElvis

Edited by AltElvis, 24 May 2012 - 03:36 PM.


#7 Noviciate


Posted 24 May 2012 - 03:52 PM

I assume that your system runs XP - what Service Pack does it have?

So long, and thanks for all the fish.

#8 AltElvis


Posted 24 May 2012 - 04:45 PM

XPpro w/ sp2

#9 AltElvis


Posted 25 May 2012 - 11:52 AM

UPDATE;

erased uhus.exe ... now Ccard request pop up & google redirects no more... still gett'n the 2 crash report windows on BootUp, n Desktop Icons keep re-arranging(jus when i figgered how i want em grouped)... seems like sumthin's still bugg'n my box.

#10 Noviciate


Posted 25 May 2012 - 02:34 PM

Good evening. :)

Your operating system is just over four years out of date - that is how long ago Service Pack 3 was released for XP. If this was my PC, or somebody I knew brought it to me, I'd back up and reinstall in a flash and that's the only decent advice I can offer you.

You can fiddle with it and you might get some results, but you'd never be certain that it was clean and that's the only thing you should be settling for.

So long, and thanks for all the fish.

#11 AltElvis


Posted 25 May 2012 - 03:10 PM

so are you saying you can't help with my computer? ... am actually ok with XPpro sp2... it's been working fine until this attack on last Tues... jus need to get some help scanning & cleaning up this box ... if you can't help, is there someone that can?


Thank you for reviewing this

AltElvis

#12 Noviciate


Posted 25 May 2012 - 03:27 PM

Your system has two problems:

1) The OS is seriously out of date. This makes it a slime magnet due to the various holes that can and will be exploited by malware writers that haven't been patched by SP3. It doesn't affect the way that the PC works, but it does make it more easily infectable - assuming that such a word existed.
2) The lack of effective security makes it difficult, if not impossible, to guarantee that the PC will end up clean at the end of the process.

My advice to you is to wipe the PC and reinstall the OS and this is the best help I can offer - even if you don't consider it helpful.


If you don't wish to take my advice, which is fine as this is a voluntary website from both our points of view, you will need to start a fresh thread and post a fresh set of logs, newly created. I would advise you to include the anti-virus situation in your first post and also the fact that your OS is only updated to Service Pack 2 so that whoever takes the problem on has the full facts at their disposal.

So long, and thanks for all the fish.

#13 AltElvis


Posted 25 May 2012 - 03:33 PM

ok then...

what is your best recommendation for an install source for XPPro?


Thank You

AltElvis

#14 Noviciate


Posted 25 May 2012 - 03:56 PM

Some computers come with a recovery partition that contains the data necessary to reinstall the operating system. If your system doesn't have one, you'll need to use a disk that may or may not have come with your system.

So long, and thanks for all the fish.

#15 AltElvis


Posted 25 May 2012 - 06:07 PM

don't think i have either of those... how can the recovery partition be verified on a machine?


Thanx