Our Main Desktop Is Infected

20 replies to this topic

#1 wizardking (Members, 18 posts)

Posted 30 December 2007 - 10:03 PM

This desktop is basically the mainframe for our wireless Internet for all the laptops or something, so I really need to find a way to fix this.

The wallpaper on the desktop now says: "warning! Spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware activity.........."

Also, pop-ups and warnings keep popping up and the computer is being slower than normal.


#2 wizardking, Topic Starter (Members, 18 posts)

Posted 30 December 2007 - 10:16 PM

And here is the log from a scan I did with SUPER AntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/30/2007 at 09:19 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:16:54

Memory items scanned : 171
Memory threats detected : 2
Registry items scanned : 4522
Registry threats detected : 88
File items scanned : 41719
File threats detected : 95

Trojan.WinFixer
E:\WINDOWS\SYSTEM32\SSTQO.DLL
E:\WINDOWS\SYSTEM32\SSTQO.DLL
HKLM\Software\Classes\CLSID\{D3E95353-86FD-4938-AEC3-7E665D6950A2}
HKCR\CLSID\{D3E95353-86FD-4938-AEC3-7E665D6950A2}
HKCR\CLSID\{D3E95353-86FD-4938-AEC3-7E665D6950A2}\InprocServer32
HKCR\CLSID\{D3E95353-86FD-4938-AEC3-7E665D6950A2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3E95353-86FD-4938-AEC3-7E665D6950A2}

Unclassified.Unknown Origin
E:\WINDOWS\SYSTEM32\DCVWAAH.DLL
E:\WINDOWS\SYSTEM32\DCVWAAH.DLL
HKLM\Software\Classes\CLSID\{40dcff6e-af8d-4183-8ebe-a82270ac449e}
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}\InProcServer32
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{40dcff6e-af8d-4183-8ebe-a82270ac449e}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#gimmicks
HKCR\CLSID\{40DCFF6E-AF8D-4183-8EBE-A82270AC449E}

Trojan.Media-Codec
HKLM\Software\Classes\CLSID\{192c5b4a-3efd-40c7-9f99-c472deb8efc0}
HKCR\CLSID\{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0}
HKCR\CLSID\{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0}
HKCR\CLSID\{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0}\InprocServer32
HKCR\CLSID\{192C5B4A-3EFD-40C7-9F99-C472DEB8EFC0}\InprocServer32#ThreadingModel
E:\PROGRAM FILES\PORNPASS MANAGER\ISADDON.DLL
HKLM\Software\Classes\CLSID\{74a49269-9779-48b4-a0e6-3a5af2a3ade6}
HKCR\CLSID\{74A49269-9779-48B4-A0E6-3A5AF2A3ADE6}
HKCR\CLSID\{74A49269-9779-48B4-A0E6-3A5AF2A3ADE6}
HKCR\CLSID\{74A49269-9779-48B4-A0E6-3A5AF2A3ADE6}\Implemented Categories
HKCR\CLSID\{74A49269-9779-48B4-A0E6-3A5AF2A3ADE6}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{74A49269-9779-48B4-A0E6-3A5AF2A3ADE6}\InprocServer32
HKCR\CLSID\{74A49269-9779-48B4-A0E6-3A5AF2A3ADE6}\InprocServer32#ThreadingModel
E:\PROGRAM FILES\PORNPASS MANAGER\IESPLUGIN.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{192c5b4a-3efd-40c7-9f99-c472deb8efc0}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{74a49269-9779-48b4-a0e6-3a5af2a3ade6}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#isamonitor.exe [ E:\Program Files\PornPass Manager\isamonitor.exe ]

Adware.AdBreak
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}

411Ferret Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

Trojan.Downloader-FakeRX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\Implemented Categories
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\InprocServer32
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\InprocServer32#ThreadingModel
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\ProgID
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\Programmable
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\TypeLib
HKCR\CLSID\{477840F3-BA52-44D9-8E41-38D61CAA010F}\VERSION
E:\WINDOWS\SYSTEM32\EGMULHXK.DLL

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Trojan.Security Toolbar
E:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
E:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Malware.VirusBurst
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Control
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\ejbgDpoemZf
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\fJjllZmxttn
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Implemented Categories
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\InprocHandler32
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\jlsEhyvofdtua
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\LocalServer32
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\LocalServer32#LocalServer32
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\MiscStatus
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\MiscStatus\1
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\osbzh
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\PhLamvcWjzbj
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\pramu
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\ProgID
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\ToolboxBitmap32
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Typelib
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Verb
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Verb\0
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\Version
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\vrcnjbPfmruu
HKCR\CLSID\{6A66CC28-F0A2-FCBC-D3D5-1EA3001ED26A}\whEkglqhbUrpo
E:\Program Files\Virus-Bursters\Virus-Bursters.exe
E:\Program Files\Virus-Bursters\virusburster.ini
E:\Program Files\Virus-Bursters

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
E:\Program Files\Outerinfo\FF\chrome.manifest
E:\Program Files\Outerinfo\FF\components\FF.dll
E:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt
E:\Program Files\Outerinfo\FF\components
E:\Program Files\Outerinfo\FF\install.rdf
E:\Program Files\Outerinfo\FF
E:\Program Files\Outerinfo\Terms.rtf
E:\Program Files\Outerinfo

Adware.Tracking Cookie
C:\Documents and Settings\Kevin\Cookies\kevin@2o7[2].txt
C:\Documents and Settings\Kevin\Cookies\kevin@advertising[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@atwola[1].txt
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@2o7[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@ad.yieldmanager[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@ads.pointroll[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@advertising[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@as.casalemedia[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@atdmt[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@atwola[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@belnk[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@casalemedia[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@counter9.sextracker[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@cs.sexcounter[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@cz11.clickzs[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@dhdmedia[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@dist.belnk[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@doubleclick[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@edge.ru4[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@fastclick[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@network.realmedia[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@realmedia[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@revex.dhdmedia[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@sextracker[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@tacoda[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@tradedoubler[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@trafficmp[2].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@tribalfusion[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@www.sextasya[1].txt
C:\Documents and Settings\Kevin\Local Settings\Temp\Cookies\kevin@z1.adserver[1].txt
C:\Documents and Settings\Laura\Cookies\laura@2o7[1].txt
C:\Documents and Settings\Laura\Cookies\laura@adcentriconline[2].txt
C:\Documents and Settings\Laura\Cookies\laura@ads.addynamix[1].txt
C:\Documents and Settings\Laura\Cookies\laura@ads.pointroll[2].txt
C:\Documents and Settings\Laura\Cookies\laura@advertising[1].txt
C:\Documents and Settings\Laura\Cookies\laura@atdmt[1].txt
C:\Documents and Settings\Laura\Cookies\laura@atwola[2].txt
C:\Documents and Settings\Laura\Cookies\laura@banner[1].txt
C:\Documents and Settings\Laura\Cookies\laura@casalemedia[2].txt
C:\Documents and Settings\Laura\Cookies\laura@creativeby.viewpoint[1].txt
C:\Documents and Settings\Laura\Cookies\laura@doubleclick[1].txt
C:\Documents and Settings\Laura\Cookies\laura@edge.ru4[2].txt
C:\Documents and Settings\Laura\Cookies\laura@fastclick[2].txt
C:\Documents and Settings\Laura\Cookies\laura@mediaplex[1].txt
C:\Documents and Settings\Laura\Cookies\laura@mywebsearch[1].txt
C:\Documents and Settings\Laura\Cookies\laura@questionmarket[1].txt
C:\Documents and Settings\Laura\Cookies\laura@servedby.advertising[2].txt
C:\Documents and Settings\Laura\Cookies\laura@valueclick[1].txt
C:\Documents and Settings\Laura\Local Settings\Temp\Cookies\laura@atdmt[1].txt
C:\Documents and Settings\Olivia\Cookies\olivia@2o7[2].txt
C:\Documents and Settings\Olivia\Cookies\olivia@data4.perf.overture[1].txt
C:\Documents and Settings\Olivia\Cookies\olivia@doubleclick[1].txt
C:\Documents and Settings\Olivia\Cookies\olivia@mywebsearch[2].txt
C:\Documents and Settings\Olivia\Cookies\olivia@perf.overture[1].txt
C:\Documents and Settings\Susan\Cookies\susan@2o7[1].txt
C:\Documents and Settings\Susan\Cookies\susan@ads.pointroll[2].txt
C:\Documents and Settings\Susan\Cookies\susan@ads1.rodale[1].txt
C:\Documents and Settings\Susan\Cookies\susan@atwola[1].txt
C:\Documents and Settings\Susan\Cookies\susan@bizrate[2].txt
C:\Documents and Settings\Susan\Cookies\susan@clickability[1].txt
C:\Documents and Settings\Susan\Cookies\susan@creativeby.viewpoint[1].txt
C:\Documents and Settings\Susan\Cookies\susan@doubleclick[1].txt
C:\Documents and Settings\Susan\Cookies\susan@msnportal.112.2o7[1].txt
C:\Documents and Settings\Susan\Cookies\susan@mywebsearch[1].txt
C:\Documents and Settings\Susan\Cookies\susan@serving-sys[1].txt
C:\Documents and Settings\Susan\Cookies\susan@www.burstbeacon[1].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@ads1.rodale[2].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@ar.atwola[2].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@atdmt[2].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@atwola[1].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@doubleclick[1].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@mywebsearch[2].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@questionmarket[1].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@ww3.shoshkeles[1].txt
C:\Documents and Settings\Susan\Local Settings\Temp\Cookies\susan@zedo[1].txt

Adware.PointsManager-Uninstaller
C:\DOCUMENTS AND SETTINGS\LAURA\LOCAL SETTINGS\TEMP\__UNIN__.EXE
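The SUPERAntiSpyware log above is long, but what a responder actually wants from it is a short answer per threat family: which files are involved and which autostart locations (Browser Helper Objects, ShellServiceObjectDelayLoad, SharedTaskScheduler, Run/policies keys, IE toolbars) give the malware a foothold. The parser below is an added example, not part of the original post and not SUPERAntiSpyware's own code; it reads the log format as it appears in the thread (threat name on its own line, then the paths and keys attributed to it, blank line between families). The sample text is a constructed excerpt built from a few lines of the posted log, and the mapping of key-path substrings to persistence labels is my own classification.

```python
"""Summarise a SUPERAntiSpyware scan log by threat family and autostart mechanism."""
import re
from collections import Counter

# Constructed excerpt in the posted log's format (a handful of the real lines).
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
Generated 12/30/2007 at 09:19 PM

Memory items scanned : 171
Memory threats detected : 2

Trojan.WinFixer
E:\WINDOWS\SYSTEM32\SSTQO.DLL
E:\WINDOWS\SYSTEM32\SSTQO.DLL
HKLM\Software\Classes\CLSID\{D3E95353-86FD-4938-AEC3-7E665D6950A2}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3E95353-86FD-4938-AEC3-7E665D6950A2}

Trojan.Media-Codec
E:\PROGRAM FILES\PORNPASS MANAGER\ISADDON.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{74a49269-9779-48b4-a0e6-3a5af2a3ade6}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#isamonitor.exe [ E:\Program Files\PornPass Manager\isamonitor.exe ]

Adware.Tracking Cookie
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[2].txt
"""

# An entry line is a drive-letter path or a registry path under one of the hives.
ENTRY_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U|CC)\\)", re.IGNORECASE)

# Substrings of a key path that identify how the entry gets loaded (my own
# labels; checked in order, so the more specific autostart locations come first).
PERSISTENCE_MARKERS = [
    ("browser helper objects", "BHO"),
    ("shellserviceobjectdelayload", "SSODL"),
    ("sharedtaskscheduler", "SharedTaskScheduler"),
    ("\\policies\\explorer\\run", "Run key"),
    ("\\currentversion\\run", "Run key"),
    ("internet explorer\\toolbar", "IE toolbar"),
    ("\\uninstall\\", "Uninstall entry"),
    ("\\clsid\\", "COM registration"),
]


def is_entry(line):
    return bool(ENTRY_RE.match(line))


def classify(entry):
    """Return 'file' for a filesystem path, otherwise a persistence label."""
    if not entry.upper().startswith("HK"):
        return "file"
    low = entry.lower()
    for marker, label in PERSISTENCE_MARKERS:
        if marker in low:
            return label
    return "other registry"


def parse_sas_log(text):
    """Map each threat family name to the list of entries attributed to it.

    Blocks are separated by blank lines; a block counts as a threat family when
    its first line is a name (not a path) and every following line is an entry.
    Header blocks such as 'Memory items scanned : 171' fail that test and are skipped.
    """
    threats = {}
    block = []
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if line:
            block.append(line)
            continue
        if len(block) >= 2 and not is_entry(block[0]) and all(is_entry(l) for l in block[1:]):
            threats.setdefault(block[0], []).extend(block[1:])
        block = []
    return threats


def summarise(threats):
    """For each family: unique file paths and a count per persistence mechanism."""
    summary = {}
    for name, entries in threats.items():
        files = sorted({e for e in entries if classify(e) == "file"})
        mechanisms = Counter(classify(e) for e in entries if classify(e) != "file")
        summary[name] = {"files": files, "persistence": dict(mechanisms)}
    return summary


if __name__ == "__main__":
    for family, info in summarise(parse_sas_log(SAMPLE_LOG)).items():
        print(family, info["persistence"])
        for f in info["files"]:
            print("   ", f)
```

Run against the full posted log, the BHO and SSODL counts are the lines worth reading first: a family that is only cookies needs no follow-up, while one that registers a Browser Helper Object or an entry under policies\explorer\run will come back at next logon unless that key is removed along with the file.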

#3 Crizz44 (Members, 496 posts, Virginia)

Posted 30 December 2007 - 10:48 PM

You may need to do more repairs, but try Smitfraud first. It has helped me in many cases.
Here is a link to one fix for Virusburst, which is showing up in your scan.

Just use the directions for Smitfraud and see what results you get.

http://www.bleepingcomputer.com/forums/t/70074/how-to-remove-virusburster-or-virusbursters-removal-instructions/


Look for the "Automated Removal Instructions for VirusBursters and VirusBurst"; it should be done in Safe Mode.

Edited by Crizz44, 30 December 2007 - 10:49 PM.


#4 quietman7, Bleepin' Janitor (Global Moderator, 50,563 posts, Virginia, USA)

Posted 30 December 2007 - 11:56 PM

After using smitfraudfix, please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 wizardking, Topic Starter (Members, 18 posts)

Posted 31 December 2007 - 01:29 PM

Thanks for the replies. I did the smitfraudfix and the VundoFix.

Here is the log from VundoFix:



VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 12:52:07 PM 12/31/2007

Listing files found while scanning....

E:\WINDOWS\system32\NeroCheck.exe
E:\WINDOWS\system32\oqtss.ini
E:\WINDOWS\system32\oqtss.ini2
E:\WINDOWS\system32\sstqo.dll
E:\WINDOWS\system32\sstqo.exe
E:\WINDOWS\system32\xxyxwxy.dll

Beginning removal...

Attempting to delete E:\WINDOWS\system32\NeroCheck.exe
E:\WINDOWS\system32\NeroCheck.exe Has been deleted!

Attempting to delete E:\WINDOWS\system32\oqtss.ini
E:\WINDOWS\system32\oqtss.ini Has been deleted!

Attempting to delete E:\WINDOWS\system32\oqtss.ini2
E:\WINDOWS\system32\oqtss.ini2 Has been deleted!

Attempting to delete E:\WINDOWS\system32\sstqo.dll
E:\WINDOWS\system32\sstqo.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\sstqo.exe
E:\WINDOWS\system32\sstqo.exe Has been deleted!

Attempting to delete E:\WINDOWS\system32\xxyxwxy.dll
E:\WINDOWS\system32\xxyxwxy.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete E:\WINDOWS\system32\xxyxwxy.dll
E:\WINDOWS\system32\xxyxwxy.dll Could not be deleted.

Performing Repairs to the registry.
Done!

#6 wizardking, Topic Starter (Members, 18 posts)

Posted 31 December 2007 - 01:37 PM

And here is the one from SmitFraudFix:

SmitFraudFix v2.274

Scan done at 12:36:36.51, Mon 12/31/2007
Run from E:\Documents and Settings\Susan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

Problem while deleting E:\WINDOWS\system32\ace16win.dll
E:\WINDOWS\system32\msole32.exe Deleted

IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{27EE76B3-4EFC-43E8-AD2E-56BC02822FA7}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27EE76B3-4EFC-43E8-AD2E-56BC02822FA7}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\..\{27EE76B3-4EFC-43E8-AD2E-56BC02822FA7}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#7 quietman7, Bleepin' Janitor (Global Moderator, 50,563 posts, Virginia, USA)

Posted 31 December 2007 - 01:53 PM

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
When done, please advise if you're having any more malware issues.

#8 wizardking, Topic Starter (Members, 18 posts)

Posted 31 December 2007 - 02:52 PM

Okay, I deleted all the old versions of Java and installed that new version.

The wallpaper on the desktop is still saying "warning! spyware threat has been detected on your PC" even after I've changed the wallpaper to something else several times. Some sketchy and fake-looking little warnings keep popping up in the lower right corner warning me that my security and privacy are at risk and telling me to click there to run a full system scan to protect my data.

Also, the Windows Security Center keeps popping up saying "possible spyware infection detected."

I'm getting a pop-up in Internet Explorer still taking me to the site pcsecuritylab.

Here are just screencaps of the problems and warnings that keep popping up:

The wallpaper that won't go away and one of the pop-up warnings from the lower right hand corner:
[screenshot not preserved]

And the Windows Security Center warning that keeps popping up:
[screenshot not preserved]

#9 quietman7, Bleepin' Janitor (Global Moderator, 50,563 posts, Virginia, USA)

Posted 31 December 2007 - 05:19 PM

Looks like you're re-infected.

Please print out and follow the generic instructions for using "SmitfraudFix".
(If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!)
  • Save the tool to your desktop.
  • Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
  • When done, a text file named rapport.txt will appear onscreen with results from the cleaning process.
  • The file is automatically saved to the root of the system drive, usually at C:\rapport.txt.
  • Please copy/paste the contents of that report into your next reply.
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck everything and look for any of the following:
  • Security Info
  • Warning Message
  • Security Desktop
  • Warning Homepage
  • Desktop Uninstall
If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

Please download SDFix by AndyManchesta and save it to your desktop.
alternate download
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#10 Crizz44 (Members, 496 posts, Virginia)

Posted 31 December 2007 - 08:15 PM

You may want to try this too.

http://www.majorgeeks.com/RogueRemover_d5360.html

#11 wizardking, Topic Starter (Members, 18 posts)

Posted 01 January 2008 - 12:00 PM

Okay, I used SmitFraud again. Here's the text file:


SmitFraudFix v2.274

Scan done at 11:47:05.76, Tue 01/01/2008
Run from E:\Documents and Settings\Susan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

E:\WINDOWS\system32\ace16win.dll Deleted
E:\WINDOWS\system32\msole32.exe Deleted

IEDFix

IEDFix.exe by S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{27EE76B3-4EFC-43E8-AD2E-56BC02822FA7}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27EE76B3-4EFC-43E8-AD2E-56BC02822FA7}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\..\{27EE76B3-4EFC-43E8-AD2E-56BC02822FA7}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



Also, there was nothing under the web tab and "web pages" to be deleted and the "lock desktop items" box is unchecked.

Edited by wizardking, 01 January 2008 - 12:09 PM.


#12 wizardking, Topic Starter (Members, 18 posts)

Posted 01 January 2008 - 12:44 PM

Here is the text log for SDfix:

SDFix: Version 1.121

Run by Susan on Tue 01/01/2008 at 12:22 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: E:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

E:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
E:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
E:\WINDOWS\hotporn.exe - Deleted
E:\WINDOWS\ie_32.exe - Deleted




Removing Temp Files...

ADS Check:

E:\WINDOWS
No streams found.

E:\WINDOWS\system32
No streams found.

E:\WINDOWS\system32\svchost.exe
No streams found.

E:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 12:32:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

E:\WINDOWS\hotporn.exe 22784 bytes
E:\WINDOWS\ie_32.exe 8960 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="E:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"E:\\Program Files\\AIM\\aim.exe"="E:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"E:\\Program Files\\Skype\\Phone\\Skype.exe"="E:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\Program Files\\LimeWire\\LimeWire.exe"="E:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
E:\WINDOWS\hotporn.exe Found
E:\WINDOWS\ie_32.exe Found

File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 17 Sep 2006 4,348 ..SH. --- "E:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 9 Mar 2004 22,528 A..H. --- "E:\Documents and Settings\Laura\My Documents\~WRL1976.tmp"
Tue 9 Mar 2004 22,528 A..H. --- "E:\Documents and Settings\Laura\My Documents\~WRL2239.tmp"
Tue 9 Mar 2004 22,016 A..H. --- "E:\Documents and Settings\Laura\My Documents\~WRL2919.tmp"
Tue 9 Mar 2004 22,528 A..H. --- "E:\Documents and Settings\Laura\My Documents\~WRL3029.tmp"
Wed 3 Mar 2004 20,480 A..H. --- "E:\Documents and Settings\Laura\My Documents\~WRL3278.tmp"
Sun 23 Dec 2007 72,704 A.SHR --- "E:\Documents and Settings\Kevin Jr\Local Settings\Temp\TMP2A4.tmp"
Sat 22 Dec 2007 72,704 A.SHR --- "E:\Documents and Settings\Kevin Jr\Local Settings\Temp\TMP4DF.tmp"
Thu 1 Nov 2007 230,400 ..SHR --- "E:\Documents and Settings\Kevin Jr\My Documents\?ystem\s?chost.exe"
Fri 12 Nov 2004 37,376 ...H. --- "E:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

#13 wizardking

wizardking
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:08:32 PM

Posted 01 January 2008 - 01:07 PM

Also, I used the RogueRemover, and it said that it did not detect anything.

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,563 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:32 PM

Posted 01 January 2008 - 01:18 PM

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything similar with OIN, Outer Info Network or Yazzle in them.

Important! Reboot when done.

Open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find (if they still exist).

If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, then download and run the Purity Scan uninstaller.
  • Save the Uninstaller to your desktop.
  • Double click on the OiUninstaller.exe icon on your desktop.
  • Click on "Run".
  • Enter the four digit code that is displayed and click on "Uninstall".
  • Click on "Ok" and reboot your computer.
Click here for Instructions with screenshots if needed.

Note: OiUninstaller uses UPX (ultimate packer for executables), an advanced file compressor and a method for compressing executable files to reduce their size to save space on a disk and download time. Some anti-virus programs such as Avast and Kaspersky may detect it as malware when attempting to download or unpack the compressed file.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Launch SUPERAntiSpyware Free and configure as follows
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,563 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:32 PM

Posted 01 January 2008 - 01:47 PM

When done with the above, please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • In the lower search box titled "Paste List of Files/Patterns to Search for and Move", type: Purity
  • Click the red MoveIt! button.
  • OTMoveIt2 will search for all Purity folders in all possible locations and move what it finds.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
  • Please copy/paste the contents of that log in your next reply.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.

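Added example, not from this thread or from any of the tools it names: a PowerShell script that performs the two manual steps from posts #14 and #15 above, listing Add/Remove Programs entries and Program Files folders whose names match the OIN / Outer Info Network / Yazzle / Purity list, and, only when run with -Move, relocating the matching folders to a quarantine folder with a timestamped log in the style of OTMoveIt2 rather than deleting them. It assumes PowerShell 2.0 or later run as an administrator; the quarantine path C:\_Quarantine is a placeholder chosen here.

```powershell
# Added example (not the thread's own or OTMoveIt2's code).
# Without -Move the script only reports; with -Move it quarantines matching folders.
param(
    [switch]$Move,
    [string]$Quarantine = 'C:\_Quarantine'   # hypothetical quarantine folder
)

# Name fragments taken from the Add/Remove Programs list in post #14.
# \bOIN\b keeps 'OIN' from matching unrelated words such as 'Joint' or 'Point'.
$patterns = @('\bOIN\b', 'Outer Info Network', 'Yazzle', 'Purity\s*Scan',
              'ClickSpring', 'Cowabanga', 'MediaTickets', 'ipwin', 'TizzleTalk',
              'Snowball\s*Wars', 'Zolero')
$regex = $patterns -join '|'      # -match is case-insensitive in PowerShell

# 1. What Add/Remove Programs shows comes from the Uninstall key.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -and ($p.DisplayName -match $regex)) {
            "{0,-10} {1} -> {2}" -f 'ARP', $p.DisplayName, $p.UninstallString
        }
    }
}

# 2. Leftover program folders, the manual check under Program Files in post #14.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$log = Join-Path $Quarantine ((Get-Date -Format 'MMddyyyy_HHmmss') + '.log')
foreach ($root in $roots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Name -match $regex) } |
        ForEach-Object {
            if ($Move) {
                # Move instead of delete so the action is reversible, as OTMoveIt2 does.
                if (-not (Test-Path $Quarantine)) {
                    New-Item -ItemType Directory -Path $Quarantine | Out-Null
                }
                Move-Item -LiteralPath $_.FullName -Destination $Quarantine
                Add-Content -Path $log -Value ("{0} -> moved" -f $_.FullName)
                "{0,-10} {1} -> moved to {2}" -f 'Folder', $_.FullName, $Quarantine
            } else {
                "{0,-10} {1}" -f 'Folder', $_.FullName
            }
        }
}
```

Run it once without -Move and compare the report with the list in post #14 before quarantining anything, since the name fragments are deliberately broad.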
