
Thread: Referred here from malware forum

  #1  Junior Member (joined May 2011, 17 posts)

    Question: Referred here from malware forum

    Hi,
    Ken545 recommended I post over here to get a recommendation due to better familiarity with Spybot. The thread is at http://forums.spybot.info/showthread.php?t=62518

    I have a computer with SS&D detections that the malware forum could not get rid of. The short log from Spybot is:
    --- Search result list ---
    Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, nothing done)
    Virtumonde: Bookmark (Firefox: Rex (default)) (Bookmark, nothing done)
    Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, nothing done)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    If I tell Spybot to fix it then you get green checks but it does not go away.

    Maybe a clue: these are NOT detected if the browser (Firefox) is open and are ONLY detected if the browser is closed.

    Ken can't find any residual problem and I can't either. I probably should have mentioned that I have both a desktop AND a laptop that get the same detections.

    So is this a false positive or something we just can't find?

    Thanks,
    Rex

  #2  Zenobia, Spybot Advisor Team (joined Oct 2005, 5,178 posts)

    Those are in your Firefox bookmarks. They could be deleted manually from your Firefox browser, if need be.
    If I'm remembering this right, a fuller Spybot logfile might show more info, which might make it easier to find the bookmarks, and possibly show if they could be a false positive.

    Could you open Spybot, then click Mode -> Advanced mode -> Tools -> View Reports -> View Previous reports. Look for a Fixes.yymmdd-hhmm file where the bookmarks in question were fixed, and then copy and paste the logfile here?

  #3  Junior Member (joined May 2011, 17 posts)

    Hi Zenobia,

    Thanks very much for the reply.

    There are some other items in this log as well but this is normal. Advertising cookies get installed just about everywhere you go in the browser.

    -----Fixes.110519-0620.txt---------
    --- Report generated: 2011-05-19 06:20 ---

    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    DoubleClick: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Zedo: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    CasaleMedia: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Statcounter: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    MediaPlex: Tracking cookie (Firefox: Rex (default)) (Cookie, fixed)
    Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, fixed)
    Virtumonde: Bookmark (Firefox: Rex (default)) (Bookmark, fixed)
    Win32.Small.ddx: Bookmark (Firefox: Rex (default)) (Bookmark, fixed)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2011-05-03 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-05-17 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2011-03-29 Includes\Hijackers.sbi (*)
    2011-05-16 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-04-05 Includes\Malware.sbi (*)
    2011-05-17 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-15 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2011-02-24 Includes\Security.sbi (*)
    2011-05-03 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-05-10 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2011-05-17 Includes\Trojans.sbi (*)
    2011-05-11 Includes\TrojansC-02.sbi (*)
    2011-05-11 Includes\TrojansC-03.sbi (*)
    2011-05-11 Includes\TrojansC-04.sbi (*)
    2011-05-11 Includes\TrojansC-05.sbi (*)
    2011-05-17 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    ---------------

    I am afraid it doesn't really show anything. I also opened up Firefox "Organize Bookmarks" and searched for the Win32 and Virtumonde bookmarks. Neither is shown in the list of bookmarks.

    Previously with Ken we looked for the occurrence of Win32.Small.ddx on my machine in the registry, or anywhere for that matter, and did not find any occurrence of it.

    I wonder why it shows Win32.Small.ddx twice?

    Rex

  #4  Zenobia, Spybot Advisor Team (joined Oct 2005, 5,178 posts)

    Guess it doesn't show the links.
    I'll go see if I can get Spybot to detect a bookmark, so I can see if it shows the links at the end of the scan if you click the plus sign.

  #5  Zenobia, Spybot Advisor Team (joined Oct 2005, 5,178 posts)

    Okay, yes, it should show them.
    Could you scan with Spybot, and after the two Win32.Small.ddx and the Virtumonde bookmark are detected, could you please click the plus sign next to them? It should show you the bookmark, and also the link for it.

    Could you copy those down somewhere and then post the bookmark titles and the links here, but change the http part of the link to hxxp, to make the links unclickable?
    That will help to show whether it really is a bad bookmark or whether it might be a false positive.

  #6  Junior Member (joined May 2011, 17 posts)

    Hi Zenobia,

    Well.... I took your first post and ran with it before you came back with the second one.

    Yes I figured out what you meant, clicked the plus and saw the address. Then I searched for it in the bookmarks and then DELETED them.

    They did not come back after re-running the test. This was the first time that happened. So that is fantastic.

    Now the good news is I already had a screenshot of the "offending bookmarks" from a previous time. (I am learning more and more about how to use Spybot S&D.)

    Anyway ....
    Virtumonde was hxxp://www.abcsearch.com
    Win32.Small.ddx bookmarks were
    hxxps://home.searchfeed.com/rd/inside2.jsp?jsp=Login.jsp (don't know what this is)
    hxxp:xxx.enhance.com (This is an advertising network I advertise on.)

    It would be nice to know if they are really bad or not so please let me know.
    And thanks to you I know how to get rid of them regardless.

    Rex

  #7  Zenobia, Spybot Advisor Team (joined Oct 2005, 5,178 posts)

    Quote, originally posted by Leaddog:
    "Yes I figured out what you meant, clicked the plus and saw the address. Then I searched for it in the bookmarks and then DELETED them."

    That's okay; if they were needed bookmarks, it'd be easy enough to bookmark them again, so no worries.

    I see hxxp://www.abcsearch.com and hxxp:xxx.enhance.com both listed in the Spybot hosts file as unwanted sites, and as an extra check I looked in the MVPS hosts file (updated May 9th, 2011), which is a well-known and trustworthy hosts file, and both sites are listed there as well.

    There is a hxxp://www.searchfeed.com listed in Spybot's hosts file and in the MVPS hosts file as well, which is similar to hxxps://home.searchfeed.com/rd/inside2.jsp?jsp=Login.jsp, so I'd assume that may be an unwanted site as well. HTH.

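    Added example (not from the thread, Spybot or the MVPS project): the two checks done by hand above, Rex's search of the Firefox bookmarks in post #6 and Zenobia's hosts-file lookup in post #7, written as a Python script. It reads bookmarks out of a cut-down copy of the layout of Firefox's places.sqlite and compares each bookmark's hostname against a hosts-style blocklist, distinguishing an exact listing from a listed parent domain and from a listed sibling host (the www.searchfeed.com vs home.searchfeed.com case). The blocklist lines, the bookmark rows and the reading of "hxxp:xxx.enhance.com" as http://xxx.enhance.com are constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed blocklist in hosts-file layout. Spybot's hosts file uses
# "127.0.0.1 hostname" entries and the MVPS hosts file uses "0.0.0.0 hostname";
# the hostnames are the ones named in the thread, but this text is a sample
# written for the example, not either project's real list.
HOSTS_FILE = """\
# sample hosts-style blocklist (constructed)
127.0.0.1 localhost
127.0.0.1 www.abcsearch.com
0.0.0.0 xxx.enhance.com
0.0.0.0 www.searchfeed.com   # trailing comments are allowed
"""

# Sink addresses a hosts-file blocklist points unwanted names at.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Return the set of lower-cased hostnames the hosts text maps to a sink address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINK_ADDRESSES:
            blocked.update(n.lower() for n in names if n.lower() != "localhost")
    return blocked


def classify(hostname, blocked):
    """Compare one hostname against the blocklist.

    Returns (verdict, matched_entry):
      "listed"          the exact hostname is in the list
      "parent-listed"   a parent domain of it is in the list
      "sibling-listed"  another host under the same base domain is in the list
                        (www.searchfeed.com listed, home.searchfeed.com asked about)
      "not-listed"      nothing related appears in the list
    The base domain is approximated as the last two labels; there is no public
    suffix list here, so a host under "co.uk" would be handled too loosely.
    """
    hostname = hostname.lower()
    if hostname in blocked:
        return "listed", hostname
    labels = hostname.split(".")
    for i in range(1, len(labels) - 1):              # stop before the bare TLD
        parent = ".".join(labels[i:])
        if parent in blocked:
            return "parent-listed", parent
    if len(labels) >= 2:
        base = ".".join(labels[-2:])
        for entry in sorted(blocked):                # sorted: deterministic match
            if entry == base or entry.endswith("." + base):
                return "sibling-listed", entry
    return "not-listed", None


def build_sample_places(conn):
    """Create a cut-down copy of Firefox's places.sqlite layout in `conn`.

    Real profiles carry many more columns; only the ones read below are kept.
    Bookmarks live in moz_bookmarks (type 1 = bookmark, 2 = folder) and point
    through fk at the URL row in moz_places. The rows are the three bookmarks
    from the thread plus one benign control (constructed data).
    """
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
                                    fk INTEGER, parent INTEGER, title TEXT);
        INSERT INTO moz_bookmarks VALUES (1, 2, NULL, 0, 'Bookmarks Menu');
    """)
    places = [
        (1, "http://www.abcsearch.com", "abcsearch"),
        (2, "https://home.searchfeed.com/rd/inside2.jsp?jsp=Login.jsp", "searchfeed"),
        (3, "http://xxx.enhance.com", "enhance"),        # assumed form of hxxp:xxx.enhance.com
        (4, "https://forums.spybot.info/", "Spybot forum"),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", places)
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?, 1, ?, 1, ?)",
                     [(10 + pid, pid, title) for pid, _, title in places])


def flag_bookmarks(conn, blocked):
    """Return [(title, url, verdict, matched_entry)] for every bookmark in `conn`."""
    sql = """SELECT b.title, p.url FROM moz_bookmarks b
             JOIN moz_places p ON p.id = b.fk
             WHERE b.type = 1 ORDER BY b.id"""
    out = []
    for title, url in conn.execute(sql):
        host = urlsplit(url).hostname or ""
        verdict, entry = classify(host, blocked)
        out.append((title, url, verdict, entry))
    return out


def scan_sample():
    """Run the whole check over the constructed data and return the verdicts."""
    conn = sqlite3.connect(":memory:")   # for a real profile: open a COPY of places.sqlite
    build_sample_places(conn)
    return flag_bookmarks(conn, parse_hosts(HOSTS_FILE))


if __name__ == "__main__":
    for title, url, verdict, entry in scan_sample():
        print(f"{verdict:15} {title:13} {url}  ({entry})")
```

    Against a real profile, point sqlite3.connect at a copy of places.sqlite rather than the live file: Firefox holds the database locked while it is running, which is also consistent with the observation in post #1 that the bookmarks are only reported when the browser is closed. The "sibling-listed" verdict is deliberately weaker than "listed"; it reproduces the "similar, so I'd assume" reasoning above rather than treating the host as confirmed bad.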
  #8  Junior Member (joined May 2011, 17 posts)

    Well I would just like to say thanks to you and Ken545 that helped me through this.

    I appreciate the both of you and am off to donate to the forum now.

    Thanks,
    Rex

  #9  Zenobia, Spybot Advisor Team (joined Oct 2005, 5,178 posts)

    You're welcome.
