Thread: Residual spyware

  1. #1

    Residual spyware

    Hello,

    After a recent malware attack, which was mostly fixed by your initial cleaning guide, I've gotten some pop-ups periodically when on the internet.

    Usually it starts within 5 mins of opening internet explorer. Even when I scan for spyware and delete everything, it just occurs again on start-up.

    Thanks for any help.

    p.s. DSS did not produce any extra.txt file even though I tried looking for it where it should've been... is that a problem?

  2. #2
    This will be somewhat difficult since I have no idea what malware you had and what was removed, many require more than one step and I am also not certain of the exact steps you took. Did you save any of the logs produced by those steps?
    There is definitely still some remaining on the system, that is for certain. It shows in the logs you have posted.
    BUT first of all, you don't appear to have a resident anti-virus scanner, this is an ABSOLUTE MUST. Please install one of the free ones listed HERE
    File sharing is a very "iffy" proposition at best and to do so without having a resident anti-virus program to scan shared files makes it doubly dangerous.
    Update and do a full system scan with it. Tell it to fix or quarantine everything found.
    I also do not see a firewall at all in the logs. At least enable the built in Windows firewall.
    You said you followed the steps given in our initial cleaning guide...where is the ESET Scanner log?
    Please also run it and save the log and post it here.

  3. #3
    Thanks for the quick reply.

    I have to leave very soon, so just to clear things up before I go:

    Yes, actually I do have one of my old logs; I'm posting the very first Malwarebytes' Anti-Malware scan that I did. I believe it had something to do with "Antivirus XP 2008". It was rather nasty.

    As... for the others I don't have their logs. MB-AM pretty much cleaned it all up, though.

    I'll get an anti-virus program in the meantime; before I had SBC Yahoo!'s online protection program, but those applications caused some problems so I ended up removing them. Since my brother never seemed to have any problems without it, I figured I was okay (I guess not).

    My Windows' firewall was momentarily disabled so I could get DSS working; no worries, I have it on, now.

    And... the ESET scanner log is the "log.txt", but now that I've opened it, it doesn't seem like it's really... helpful. Should I do another scan?

    Thanks again, I'll get back to you as soon as I can.
    Kevin
    Last edited by kevinH169; 07-21-2008 at 12:45 AM. Reason: forgot to attach file

  4. #4
    You do show PORTIONS of an old Norton program running on the computer but it looks as though some of it has been removed and therefore it wouldn't be doing its job. It doesn't seem to be in the Uninstall list anywhere. Do you recall it being on the computer?
    Do a file search for all files named Symantec and also Norton and see if you find any. If so, delete them all.


    Couple of things you really need to do:
    First of all, download Combofix to the desktop.
    Open Notepad and copy/paste the text in the below quote box into it:
    KILLALL::

    Folder::

    C:\WINDOWS\system32\jbfsyl.dll
    C:\WINDOWS\system32\hjdvbixv.dll
    C:\WINDOWS\system32\fjjbnwxs.dll
    C:\WINDOWS\system32\vapfeolp.dll
    C:\WINDOWS\system32\fcccbxyV.dl
    C:\WINDOWS\system32\fjjbnwxs.dll
    C:\WINDOWS\system32\wvUkJdBr.dll
    C:\WINDOWS\system32\fcccbxyV.dll
    C:\WINDOWS\system32\uoyzsydz.exe
    C:\WINDOWS\portsv.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]LSA Shellu=C:\Documents and Settings\Ha\lsass.exe

    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Next run HJT again and place a checkmark next to the following if they exist:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.254.1.7:8080

    O1 - Hosts: 89.149.226.178 wiki.d-addicts.com

    O2 - BHO: {7b1a4d4c-6784-958a-edc4-983bce2fde9c} - {c9edf2ec-b389-4cde-a859-4876c4d4a1b7} - C:\WINDOWS\system32\jbfsyl.dll

    O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Ha\lsass.exe

    Once you have placed the checkmarks then click the Fix Checked button.
    Exit HJT.
    Reboot the computer and run HJT again. Save the scan log and post back here with the Combofix log and the new HJT log.
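The HijackThis lines Judy singles out above share a few structural tells: an explicit IE proxy, a hosts entry that points a real domain at a non-loopback address, a BHO whose "name" is just another GUID loading a DLL out of system32, and a Run entry that borrows a Windows system binary name (lsass.exe) while living in a user profile. The script below is an added example, not code from the original thread or from HijackThis, that applies exactly those heuristics to constructed sample log lines. The benign BHO and Symantec Run lines in the sample are constructed for contrast; the thresholds (loopback set, list of impersonated system binaries) are the author's assumptions, not rules from the page.

```python
import re

# Constructed sample: the entries flagged in the thread plus two benign lines
# (a descriptive-name BHO and a vendor Run entry) that the heuristics should pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.254.1.7:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
O1 - Hosts: 89.149.226.178 wiki.d-addicts.com
O2 - BHO: {7b1a4d4c-6784-958a-edc4-983bce2fde9c} - {c9edf2ec-b389-4cde-a859-4876c4d4a1b7} - C:\WINDOWS\system32\jbfsyl.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Ha\lsass.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\PIFSvc.exe" /a /m
"""

# Assumption: names of core Windows binaries that malware commonly imitates;
# a legitimate copy lives under \system32\, so any other location is suspect.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s+"?(?P<exe>[^"]*?\.exe)"?', re.I)


def analyze_line(line):
    """Return (line, reason) if the HJT entry trips a heuristic, else None."""
    line = line.strip()
    if not line:
        return None
    kind, _, rest = line.partition(" - ")

    # R1: only an explicit ProxyServer matters here; search-bar URLs are left alone.
    if kind == "R1" and ",ProxyServer = " in rest:
        proxy = rest.split("= ", 1)[1].strip()
        if proxy:
            return line, f"explicit IE proxy {proxy}: all browsing can be intercepted, confirm it is yours"

    # O1: a hosts entry that maps a domain to anything but loopback is a redirect.
    if kind == "O1" and rest.startswith("Hosts: "):
        parts = rest[len("Hosts: "):].split()
        if len(parts) >= 2 and parts[0] not in LOOPBACK:
            return line, f"hosts file redirects {parts[1]} to {parts[0]}"

    # O2: a BHO whose display name is itself a GUID has nothing to identify it.
    if kind == "O2" and rest.startswith("BHO: "):
        fields = [f.strip() for f in rest[len("BHO: "):].split(" - ")]
        if len(fields) == 3 and GUID_RE.match(fields[0]):
            return line, f"BHO with no descriptive name loads {fields[2]}"

    # O4: a Run entry launching a system-binary name from outside system32.
    if kind == "O4":
        m = RUN_RE.search(rest)
        if m:
            exe = m.group("exe")
            base = exe.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_BINARIES and "\\system32\\" not in exe.lower():
                return line, f"{base} started from {exe}, outside system32"
    return None


def analyze_log(text):
    """Run every line of an HJT log through analyze_line; keep the hits."""
    findings = []
    for raw in text.splitlines():
        hit = analyze_line(raw)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for entry, why in analyze_log(SAMPLE_LOG):
        print(f"FLAG: {why}\n      {entry}")
```

Each heuristic flags one of the four entries Judy fixes above and passes the two constructed benign lines; the Symantec Run line is left for the separate clean-up discussed later in the thread, since a vendor updater in Common Files is a leftover, not a hijack.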

  5. #5
    The old anti-virus was Symantec, I believe, and it came with SBC! Yahoo Online Protection; I removed it a few days ago. Don't think there's any of it left.

    Thanks for the help! I really appreciate it.

  6. #6
    Quote Originally Posted by kevinH169 View Post
    The old anti-virus was Symantec, I believe, and it came with SBC! Yahoo Online Protection; I removed it a few days ago. Don't think there's any of it left.

    Thanks for the help! I really appreciate it.
    There are STILL Symantec files on the computer, as shown by the logs listed in the following places:
    Running processes:
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    StartUp Programs:
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

    Services:
    Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    I see that you installed AVG 8 antivirus, that is good, BUT you have to get those remaining pieces of Symantec OFF the system as they can interfere with the new AVG 8 and slow the system.
    They appear to be located in C:\Program Files\Common Files\Symantec Shared\
    I will read the rest of your logs and get back with you on those.
    Judy
