Referred here from malware forum

Leaddog
2011-05-18, 22:29
Hi,
Ken545 recommended I post over here to get a recommendation due to better familiarity with Spybot. The thread is at http://forums.spybot.info/showthread.php?t=62518

I have a computer that SS&D has detections that the malware forum could not get rid of. The short log from Spybot is:
--- Search result list ---
Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, nothing done)
Virtumonde: Bookmark (Firefox: Rex (default)) (Bookmark, nothing done)
Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

If I tell Spybot to fix it then you get green checks but it does not go away.

Maybe a clue: These are NOT detected if the browser (Firefox) is open and are ONLY detected if the browser is closed.

Ken can't find any residual problem and I can't either. I probably should have mentioned that I have both a desktop AND a laptop that get the same detections.

So is this a false positive or something we just can't find?

Thanks,
Rex

Zenobia
2011-05-19, 05:37
Those are in your Firefox bookmarks. They could be deleted manually from your Firefox browser, if need be. :)
If I'm remembering this right, a fuller Spybot logfile might show more info, which might make it easier finding the bookmarks, and possibly show if they could be a false positive.

Could you open Spybot, then click Mode -> Advanced mode -> Tools -> View Reports -> View Previous reports. Look for a Fixes.yymmdd-hhmm file where the bookmarks in question were fixed, and then copy and paste the logfile here?

Leaddog
2011-05-19, 15:37
Hi Zenobia,

Thanks very much for the reply.

There are some other items in this log as well but this is normal. Advertising cookies get installed just about everywhere you go in the browser.

-----Fixes.110519-0620.txt---------
--- Report generated: 2011-05-19 06:20 ---
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Statcounter: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, fixed)
Virtumonde: Bookmark (Firefox: Rex (default)) (Bookmark, fixed)
Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, fixed)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-05-03 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-05-17 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-05-17 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-05-10 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-05-17 Includes\Trojans.sbi (*)
2011-05-11 Includes\TrojansC-02.sbi (*)
2011-05-11 Includes\TrojansC-03.sbi (*)
2011-05-11 Includes\TrojansC-04.sbi (*)
2011-05-11 Includes\TrojansC-05.sbi (*)
2011-05-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

---------------

I am afraid it doesn't really show anything. I also opened up Firefox "Organize Bookmarks" and searched for the Win32 and Virtumonde bookmarks. Neither are shown in the list of bookmarks.

Previously with Ken we looked for the occurrence of Win32.Small.ddx on my machine in the registry or anywhere for that matter and did not find any occurrence of it.

I wonder why it shows Win32.Small.ddx twice?

Rex

Zenobia
2011-05-19, 23:06
:oops: Guess it doesn't show the links.
I'll go see if I can get Spybot to detect a bookmark, so I can see if it shows the links at the end of the scan, if you click the plus sign.

Zenobia
2011-05-19, 23:44
Okay, yes, it should show them.
Could you scan with Spybot, and after the two Win32.Small.ddx and the Virtumonde bookmark are detected, could you please click the plus sign next to them, and it should show you the bookmark, and also the link for it.

Could you copy those down somewhere and then post the bookmark titles and the links here, but change the http part of the link to hxxp, to make the links unclickable?
That will help to show whether it really is a bad bookmark or whether it might be a false positive. :)

Leaddog
2011-05-20, 00:20
Hi Zenobia,

Well.... I took your first post and ran with it before you came back with the second one. :oops:

Yes I figured out what you meant, clicked the plus and saw the address. Then I searched for it in the bookmarks and then DELETED them. :oops:

They did not come back after re-running the test. This was the first time that happened. So that is fantastic.

Now the good news is I already had a screenshot of the "offending bookmarks" from a previous time. (I am learning more and more about how to use Spybot S&D.)

Anyway ....
Virtumonde was hxxp://www.abcsearch.com
Win32.Small.ddx bookmarks were
hxxps://home.searchfeed.com/rd/inside2.jsp?jsp=Login.jsp (don't know what this is)
hxxp:xxx.enhance.com (This is an advertising network I advertise on.)

It would be nice to know if they are really bad or not so please let me know.
And thanks to you I know how to get rid of them regardless.

Rex

Zenobia
2011-05-20, 03:42
Yes I figured out what you meant, clicked the plus and saw the address. Then I searched for it in the bookmarks and then DELETED them.

That's okay, if they were needed bookmarks, it'd be easy enough to bookmark again, so no worries. :)

I see hxxp://www.abcsearch.com and hxxp:xxx.enhance.com both listed in the Spybot hosts file as unwanted sites, and as an extra check, I looked in the MVPS hosts file (updated May 9th, 2011), which is a well-known and trustworthy hosts file, and both sites are listed there, as well.

There is a hxxp://www.searchfeed.com listed in Spybot's hosts file, and the MVPS hosts file as well, which is similar to hxxps://home.searchfeed.com/rd/inside2.jsp?jsp=Login.jsp, so I'd assume that may be an unwanted site as well. hth. :)
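The check Zenobia describes (take the bookmark links Spybot flagged, un-obfuscate hxxp back to http, and look the hostnames up in a hosts-file blocklist such as the MVPS list) can be scripted. This is an added example, not code from the thread or from Spybot; the hosts-file lines and bookmark list below are constructed samples, and the "related" rule for a sibling host like home.searchfeed.com versus www.searchfeed.com is a simple two-label heuristic, not a registrable-domain lookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the MVPS/Spybot hosts-file format (not a real excerpt).
HOSTS_FILE = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 www.abcsearch.com
0.0.0.0 xxx.enhance.com   # trailing comment
0.0.0.0 www.searchfeed.com
"""

# Constructed bookmark list, written the way the thread obfuscates links
# (hxxp/hxxps, and one entry missing the "//" as in the post above).
BOOKMARKS = [
    "hxxp://www.abcsearch.com",
    "hxxps://home.searchfeed.com/rd/inside2.jsp?jsp=Login.jsp",
    "hxxp:xxx.enhance.com",
    "hxxps://addons.mozilla.org/",
]

def parse_hosts(text):
    """Hostnames the hosts file sinkholes to 0.0.0.0 or 127.0.0.1 (localhost excluded)."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        blocked.update(p.lower() for p in parts[1:] if p.lower() != "localhost")
    return blocked

def bookmark_host(url):
    """Undo hxxp/hxxps obfuscation (tolerating a missing //) and return the host."""
    m = re.match(r"^hxxp(s?):(//)?(.*)$", url, re.IGNORECASE)
    if m:
        url = "http%s://%s" % (m.group(1), m.group(3))
    return (urlparse(url).hostname or "").lower()

def classify(url, blocked):
    """'blocked' on exact host match; 'related' if a blocked host shares the
    last two labels (heuristic, e.g. home.searchfeed.com vs www.searchfeed.com)."""
    host = bookmark_host(url)
    if host in blocked:
        return "blocked"
    parent = ".".join(host.split(".")[-2:])
    if any(b == parent or b.endswith("." + parent) for b in blocked):
        return "related"
    return "clean"

def check_bookmarks(urls, hosts_text):
    blocked = parse_hosts(hosts_text)
    return {u: classify(u, blocked) for u in urls}
```

A "related" result only says the parent domain has blocked hosts; it is a prompt to look closer, not a verdict.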

Leaddog
2011-05-22, 22:32
Well I would just like to say thanks to you and Ken545 that helped me through this.

I appreciate the both of you and am off to donate to the forum now. :thanks:

Thanks,
Rex

Zenobia
2011-05-23, 01:34
You're welcome. :)