speedapps.com / bestfreedailyporn.com infection



I got hit with speedapps.com spyware while installing another program. It installed several toolbars and hijacked my Google search. I was able to remove the toolbars by going through the uninstall process. MBAM seemed to remove the search hijack, but now it's back. After restarting my computer and running a full scan, my system is still infected with the popups, banner-inserting adware and search hijack. The following are my logs. Please let me know if I'm missing anything or if you need more information. Thanks in advance for your help.

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:23:30 PM, on 11/26/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\system32\taskeng.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\ASUS\AASP\1.00.52\aaCenter.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HotSwap\HotSwap!.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\AIM6\aim6.exe

C:\Users\Michael\AppData\Local\TempImages\IEPR.exe

C:\Users\Michael\AppData\Local\TempImages\iOmem.exe

C:\Program Files\Dorgem\Dorgem.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\windows\system32\taskmgr.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Users\Michael\AppData\Roaming\mjusbsp\magicJack.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe

C:\Program Files\iTunes\iTunes.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo!


I think I may have solved this issue. I looked into IEPR.exe in the tempimages folder. When I did a search it came up as an IE password recovery tool. It was strange that it was running (from a folder named tempxxxx) so I went into the folder and found some of its friends:

C:\Users\Michael\AppData\Local\TempImages\askSBarSetup-4.1.0.5.exe

C:\Users\Michael\AppData\Local\TempImages\AxInterop.SHDocVw.dll

C:\Users\Michael\AppData\Local\TempImages\IEPR.exe

C:\Users\Michael\AppData\Local\TempImages\Interop.SHDocVw.dll

C:\Users\Michael\AppData\Local\TempImages\ioC.ini

C:\Users\Michael\AppData\Local\TempImages\iOmem.exe

C:\Users\Michael\AppData\Local\TempImages\register.exe

C:\Users\Michael\AppData\Local\TempImages\register_y.exe

C:\Users\Michael\AppData\Local\TempImages\si1setup-152-SI1PRT1.exe

C:\Users\Michael\AppData\Local\TempImages\speedapps.zip

C:\Users\Michael\AppData\Local\TempImages\ydetect.exe

C:\Users\Michael\AppData\Local\TempImages\ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe

I'm already familiar with speedapps from the HTML injections; there is the "ask" toolbar install file and some other gems from the initial program I installed. I killed the IEPR.exe and iOmem.exe processes, removed them from the startup folder in the registry and restarted my computer.

I haven't noticed any of the issues I did before. Can this solution be confirmed, and can it be made sure there aren't any crumbs left over?

I saved the files if you need them to update the software detection definitions.

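The second post found the problem by noticing that IEPR.exe and iOmem.exe were running from a folder named TempImages under the user's AppData\Local, which is exactly the kind of thing a triage pass over the "Running processes:" section of a HijackThis log can surface automatically. The script below is an added example, not code from the poster or from HijackThis: it parses the process list from a log in the format shown above (tolerating the blank lines the forum inserted between entries) and flags images that live under a user-writable AppData path or in a folder named like a temp directory. Both heuristics are assumptions chosen for this example, and the sample log is a constructed excerpt that reuses paths from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the HijackThis log in the post above;
# the stray blank lines mimic what the forum paste looked like.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:30 PM, on 11/26/2008
Running processes:

C:\\Windows\\system32\\taskeng.exe

C:\\Program Files\\AVG\\AVG8\\avgtray.exe
C:\\Users\\Michael\\AppData\\Local\\TempImages\\IEPR.exe
C:\\Users\\Michael\\AppData\\Local\\TempImages\\iOmem.exe
C:\\Users\\Michael\\AppData\\Roaming\\mjusbsp\\magicJack.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
"""

SECTION_HEADER = "Running processes:"
# HijackThis item lines look like "R1 - ...", "O4 - ...", "F2 - ...";
# the first one ends the process list.
ITEM_LINE = re.compile(r"^[A-Z]\d{1,2} - ")


def parse_running_processes(log_text):
    """Return the full image paths listed under 'Running processes:'."""
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == SECTION_HEADER
            continue
        if not line:
            continue            # blank lines from the paste are ignored
        if ITEM_LINE.match(line):
            break               # first R/O/F item: process list is over
        paths.append(line)
    return paths


def classify(path_str):
    """Heuristic reasons (assumed for this example) why an image deserves a look."""
    parts = [p.lower() for p in PureWindowsPath(path_str).parts]
    folders = parts[1:-1]       # drop the drive letter and the file name
    reasons = []
    if "appdata" in folders:
        reasons.append("image lives under the profile's AppData (user-writable, no installer needed)")
    if any(f.startswith("temp") for f in folders):
        reasons.append("parent folder is named like a temp directory")
    return reasons


def triage(log_text):
    """Processes with at least one reason, those with the most reasons first."""
    findings = []
    for path_str in parse_running_processes(log_text):
        reasons = classify(path_str)
        if reasons:
            findings.append({
                "name": PureWindowsPath(path_str).name,
                "path": path_str,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: -len(f["reasons"]))   # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the sample, IEPR.exe and iOmem.exe come out on top with both reasons, while magicJack.exe is listed for the AppData heuristic alone: that program does install under the roaming profile, which is why the output is a queue of things to look at in order, not a verdict. The same parser works on the full log in the first post, since it only depends on the "Running processes:" header and the R-line that follows the list.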
