
Outerinfo Infection


This topic is locked
14 replies to this topic

#1 SeaFyre

SeaFyre

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 21 February 2008 - 12:19 PM

I have tried everything suggested in your cleaning your computer topic. Spybot and Housecall both find and delete Outerinfo, but next thing I know it's back again. Please help me find a permanent solution to this annoying spyware. Following is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:25 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\RACLE~1\dvdplay.exe
C:\WINDOWS\system32\F?nts\l?ass.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\RACLE~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Uedg] C:\WINDOWS\system32\F?nts\l?ass.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203609568265
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://merillat.view22.com/view22/roomapp/View22RTE.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://punch1.view22.com/release_3_10_43/View22RTEv4.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sigmatel Service (SigService) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe

--
End of file - 6871 bytes
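The log above contains the two entries this thread turns on: a Run value and a running process at C:\WINDOWS\system32\F?nts\l?ass.exe (one character away from lsass.exe, inside a directory whose name HijackThis could not render) and a path through the 8.3 short name C:\WINDOWS\RACLE~1. The Python below is an added triage example, not part of the thread or of HijackThis; its table of known system binaries and its sample lines are constructed from this log, and the short-name rule is a heuristic.

```python
"""Flag look-alike paths in HijackThis-style process and O4 autorun lines.

Heuristics demonstrated (all defender-side, nothing is executed):
  * a path component containing '?' (a character the log could not render)
  * an 8.3 short name with fewer than six characters before '~', which means
    the long name contained characters that 8.3 generation drops
  * a file name one character off from a well-known Windows system binary
  * a well-known system binary running from an unexpected directory
"""
import re
from typing import Dict, List, Optional

# Constructed reference table: a few Windows XP system binaries and the
# directory each normally runs from (lower-case, no trailing backslash).
KNOWN_SYSTEM_BINARIES: Dict[str, str] = {
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LINES: List[str] = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\F?nts\l?ass.exe",
    r"C:\WINDOWS\RACLE~1\dvdplay.exe",
    r"O4 - HKCU\..\Run: [Uedg] C:\WINDOWS\system32\F?nts\l?ass.exe",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r'O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\RACLE~1\dvdplay.exe" -vt yazb',
]

# A drive letter followed by anything up to the first .exe/.dll/.sys; the
# lazy match stops before command-line arguments such as "-vt yazb".
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)
# DOS 8.3 short name, e.g. PROGRA~1 or RACLE~1, with optional extension.
SHORT_NAME_RE = re.compile(r"^([A-Z0-9_$]{1,6})~\d+(\.[A-Z0-9]{1,3})?$", re.IGNORECASE)


def extract_path(line: str) -> Optional[str]:
    """Return the first Windows executable path in a log line, if any."""
    match = PATH_RE.search(line)
    return match.group(1) if match else None


def one_char_off(a: str, b: str) -> bool:
    """True when two names have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def triage_path(path: str) -> List[str]:
    """Return human-readable findings for one path; an empty list means clean."""
    findings: List[str] = []
    parts = path.split("\\")
    filename = parts[-1].lower()
    directory = "\\".join(parts[:-1]).lower()
    for comp in parts[1:]:  # skip the drive letter
        if "?" in comp:
            findings.append(f"component '{comp}' contains a character the log could not render")
        short = SHORT_NAME_RE.match(comp)
        if short and len(short.group(1)) < 6:
            # Short names keep the first six valid characters of the long name,
            # so a shorter stem means characters were dropped when it was built.
            findings.append(f"short name '{comp}' implies a long name with dropped characters")
    for known, expected_dir in KNOWN_SYSTEM_BINARIES.items():
        if filename == known and directory != expected_dir:
            findings.append(f"{known} running from unexpected directory {directory}")
        elif one_char_off(filename, known):
            findings.append(f"'{filename}' is one character off from system binary {known}")
    return findings


def triage_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious log line to its findings; clean lines are omitted."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        path = extract_path(line)
        if path is None:
            continue
        findings = triage_path(path)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage_lines(SAMPLE_LINES).items():
        print(line)
        for finding in findings:
            print("   -", finding)
```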


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 26 February 2008 - 06:15 PM

Hello SeaFyre,



We will run ComboFix.

You need to disable your Norton Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You successfully disabled the Norton Antivirus Guard.


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SeaFyre

SeaFyre
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 26 February 2008 - 08:49 PM

Hi SifuMike,

Thank you for helping me; I am at my wit's end with this. I ran Combofix, here is the log:



ComboFix 08-02-25.3 - Owner 2008-02-26 19:41:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.648 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\RG7H687R\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Owner\Application Data\YSTEM~1
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive11.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack13.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\wnsxs~1
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\?racle\
C:\WINDOWS\racle~1\dvdplay.exe
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\l?ass.exe
C:\WINDOWS\system32\wnsxs~1
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-26 19:23 . 2008-02-26 19:23 <DIR> d-------- C:\Program Files\RcvSystem
2008-02-24 20:23 . 2008-02-24 20:23 278,793 --a------ C:\WINDOWS\system32\L4351.tmp
2008-02-24 20:23 . 2008-02-24 20:23 181,965 --a------ C:\WINDOWS\system32\L2C2F.tmp
2008-02-24 20:23 . 2008-02-24 20:23 401 --a------ C:\WINDOWS\system32\L6521.tmp
2008-02-21 10:55 . 2008-02-21 10:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 10:49 . 2008-02-21 10:49 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-21 10:49 . 2008-02-21 10:49 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-02-21 10:48 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-02-21 10:32 . 2008-02-21 10:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-21 10:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-21 10:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-21 10:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-21 10:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-21 08:10 . 2008-02-21 08:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-20 22:27 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-20 22:26 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qkmwdsmrkrlg.sys
2008-02-20 22:11 . 2008-02-20 23:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-20 22:11 . 2008-02-20 22:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-20 22:11 . 2008-02-20 22:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-20 22:11 . 2008-02-20 22:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-20 18:29 . 2008-02-20 21:55 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-02-18 10:34 . 2008-02-18 10:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 10:34 . 2008-02-18 10:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 10:28 . 2008-02-18 10:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 18:59 . 2008-02-17 18:59 400 --a------ C:\WINDOWS\system32\LE69D.tmp
2008-02-17 18:58 . 2008-02-17 18:58 181,965 --a------ C:\WINDOWS\system32\LB982.tmp
2008-02-07 17:18 . 2008-02-07 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 05:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-21 04:54 --------- d-----w C:\Program Files\D-Tools
2008-02-20 20:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-18 16:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-22 15:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\foobar2000
2008-01-18 23:25 --------- d-----w C:\Program Files\EFTP
2008-01-09 21:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-05-21 20:43 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-21 20:43 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Cpue"="C:\WINDOWS\RACLE~1\dvdplay.exe" [ ]
"Uedg"="C:\WINDOWS\system32\F?nts\l?ass.exe" [ ]
"QdrModule13"="C:\Program Files\QdrModule\QdrModule13.exe" [ ]
"QdrPack13"="C:\Program Files\QdrPack\QdrPack13.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-24 07:21 88363 C:\WINDOWS\AGRSMMSG.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-09 16:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-09 16:09 491520]
"StacSysTray"="C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 13:16 102400]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 17:30 73728]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 22:10 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 00:21 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-24 21:05 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 16:05 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 23:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-10 23:00:00 51984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EFTP\\EFTP3Client.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 SigService;Sigmatel Service;C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [2004-04-29 13:15]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 19:43:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-02-26 19:44:12
ComboFix-quarantined-files.txt 2008-02-27 01:44:10

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 26 February 2008 - 10:33 PM

Hi SeaFyre,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\L4351.tmp

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\system32\L2C2F.tmp
C:\WINDOWS\system32\L6521.tmp
C:\WINDOWS\system32\LE69D.tmp
C:\WINDOWS\system32\LB982.tmp



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

#5 SeaFyre

SeaFyre
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 26 February 2008 - 11:46 PM

Hi SifuMike,

My e-mail program blocked me from sending the files as attachments for some reason, so I just ran them through the uploader. Here are the results:


File L4351.tmp received on 02.27.2008 05:21:35 (CET)
Current status: finished

Result: 2/31 (6.45%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - Adware.SearchAid.origin
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - Adware:Win32/InternetSpeedMonitor
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: e0c2afde5b351a39b28133f4a057e5a3
SHA1: 6cca282054ee02abe4f755e9fc9592384baa0eac
SHA256: db4dee1fad2d77ea21b99a8b5efc22892000102fee119f15028dab2744e7a560
SHA512: 4638ddcf8242c10400a1a61b1229e438340dbbaf3eef4006d8dcd53d14629513 b349399a1e07d7f231cfc3f6fdfb14ac4a47d0fe96a0a51046a8b2a8c3a72640




File L2C2F.tmp received on 02.27.2008 05:23:28 (CET)
Current status: finished

Result: 16/32 (50.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - DR/Scapur.K.18
Authentium - - -
Avast - - -
AVG - - Downloader.Purityscan.Y
BitDefender - - Adware.Purityscan.JA
CAT-QuickHeal - - -
ClamAV - - Trojan.Scapur-22
DrWeb - - -
eSafe - - Win32.Scapur.k
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - W32/Scapur.K!tr
F-Prot - - -
F-Secure - - W32/PurityScan.BQW.dropper
Ikarus - - -
Kaspersky - - Trojan.Win32.Scapur.k
McAfee - - -
Microsoft - - -
NOD32v2 - - probably a variant of Win32/TrojanDownloader.PurityScan
Norman - - W32/PurityScan.BQW.dropper
Panda - - Adware/Yazzle
Prevx1 - - TROJAN.PURITYSCAN.H
Rising - - -
Sophos - - Yazzle Installer
Sunbelt - - -
Symantec - - Adware.Purityscan
TheHacker - - -
VBA32 - - Trojan.Win32.Scapur.k
VirusBuster - - -
Webwasher-Gateway - - Trojan.Dropper.Scapur.K.18
Additional information
MD5: ddad54de15551655dae0dff6275e8dd2
SHA1: 7945a90504fcbfd09eebef3dcad097c62dd784c2
SHA256: b27dc57bda468975b3edbd78a1a5fee80efb4483bcf32f2ba45c7a3fbeab942f
SHA512: 5044c136f65c019c3beaa2f83c771557a7dcb82140137071d50cda0ef73022a7 d9a6263c973244b5fff496467ed2187dd2a902d47980bd197221673022d0544b



File L6521.tmp received on 02.27.2008 05:24:48 (CET)


Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.27.0 2008.02.26 -
AntiVir 7.6.0.67 2008.02.26 -
Authentium 4.93.8 2008.02.27 -
Avast 4.7.1098.0 2008.02.26 -
AVG 7.5.0.516 2008.02.26 -
BitDefender 7.2 2008.02.27 -
CAT-QuickHeal 9.50 2008.02.26 -
ClamAV None 2008.02.27 -
DrWeb 4.44.0.09170 2008.02.26 -
eSafe 7.0.15.0 2008.02.26 -
eTrust-Vet 31.3.5566 2008.02.27 -
Ewido 4.0 2008.02.26 -
FileAdvisor 1 2008.02.27 -
Fortinet 3.14.0.0 2008.02.27 -
F-Prot 4.4.2.54 2008.02.26 -
F-Secure 6.70.13260.0 2008.02.27 -
Ikarus T3.1.1.20 2008.02.27 -
Kaspersky 7.0.0.125 2008.02.27 -
McAfee 5238 2008.02.26 -
Microsoft 1.3204 2008.02.26 -
NOD32v2 2904 2008.02.27 -
Norman 5.80.02 2008.02.26 -
Panda 9.0.0.4 2008.02.27 -
Prevx1 V2 2008.02.27 -
Rising 20.33.12.00 2008.02.26 -
Sophos 4.27.0 2008.02.27 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.27 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.26 -
VirusBuster 4.3.26:9 2008.02.26 -
Webwasher-Gateway 6.6.2 2008.02.27 -
Additional information
File size: 401 bytes
MD5: 3da212c0785808b3efcd0b1693096684
SHA1: 3c4b84d050637ec90f5e26e3e3cd70d5413ba2eb
PEiD: -



File LE69D.tmp received on 02.27.2008 05:30:27 (CET)


Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.27.0 2008.02.26 -
AntiVir 7.6.0.67 2008.02.26 -
Authentium 4.93.8 2008.02.27 -
Avast 4.7.1098.0 2008.02.26 -
AVG 7.5.0.516 2008.02.26 -
BitDefender 7.2 2008.02.27 -
CAT-QuickHeal 9.50 2008.02.26 -
ClamAV 0.92.1 2008.02.27 -
DrWeb 4.44.0.09170 2008.02.26 -
eSafe 7.0.15.0 2008.02.26 -
eTrust-Vet 31.3.5566 2008.02.27 -
Ewido 4.0 2008.02.26 -
FileAdvisor 1 2008.02.27 -
Fortinet 3.14.0.0 2008.02.27 -
F-Prot 4.4.2.54 2008.02.26 -
F-Secure 6.70.13260.0 2008.02.27 -
Ikarus T3.1.1.20 2008.02.27 -
Kaspersky 7.0.0.125 2008.02.27 -
McAfee 5238 2008.02.26 -
Microsoft 1.3204 2008.02.26 -
NOD32v2 2904 2008.02.27 -
Norman 5.80.02 2008.02.26 -
Panda 9.0.0.4 2008.02.27 -
Prevx1 V2 2008.02.27 -
Rising 20.33.20.00 2008.02.27 -
Sophos 4.27.0 2008.02.27 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.27 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.26 -
VirusBuster 4.3.26:9 2008.02.26 -
Webwasher-Gateway 6.6.2 2008.02.27 -
Additional information
File size: 400 bytes
MD5: 091e83a497c0eac263fcb00307c51d7d
SHA1: ab39c628afaeb7673026343ef0d28ea7d5140ffc
PEiD: -



File LB982.tmp received on 02.27.2008 05:37:05 (CET)


Result: 16/32 (50%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.27.0 2008.02.26 -
AntiVir 7.6.0.67 2008.02.26 DR/Scapur.K.18
Authentium 4.93.8 2008.02.27 -
Avast 4.7.1098.0 2008.02.26 -
AVG 7.5.0.516 2008.02.26 Downloader.Purityscan.Y
BitDefender 7.2 2008.02.27 Adware.Purityscan.JA
CAT-QuickHeal 9.50 2008.02.26 -
ClamAV 0.92.1 2008.02.27 Trojan.Scapur-22
DrWeb 4.44.0.09170 2008.02.26 -
eSafe 7.0.15.0 2008.02.26 Win32.Scapur.k
eTrust-Vet 31.3.5566 2008.02.27 -
Ewido 4.0 2008.02.26 -
FileAdvisor 1 2008.02.27 -
Fortinet 3.14.0.0 2008.02.27 W32/Scapur.K!tr
F-Prot 4.4.2.54 2008.02.26 -
F-Secure 6.70.13260.0 2008.02.27 W32/PurityScan.BQW.dropper
Ikarus T3.1.1.20 2008.02.27 -
Kaspersky 7.0.0.125 2008.02.27 Trojan.Win32.Scapur.k
McAfee 5238 2008.02.26 -
Microsoft 1.3204 2008.02.26 -
NOD32v2 2904 2008.02.27 probably a variant of Win32/TrojanDownloader.PurityScan
Norman 5.80.02 2008.02.26 W32/PurityScan.BQW.dropper
Panda 9.0.0.4 2008.02.27 Adware/Yazzle
Prevx1 V2 2008.02.27 TROJAN.PURITYSCAN.H
Rising 20.33.20.00 2008.02.27 -
Sophos 4.27.0 2008.02.27 Yazzle Installer
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.27 Adware.Purityscan
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.26 Trojan.Win32.Scapur.k
VirusBuster 4.3.26:9 2008.02.26 -
Webwasher-Gateway 6.6.2 2008.02.27 Trojan.Dropper.Scapur.K.18
Additional information
File size: 181965 bytes
MD5: ddad54de15551655dae0dff6275e8dd2
SHA1: 7945a90504fcbfd09eebef3dcad097c62dd784c2
PEiD: -
packers: PE_Patch.PECompact, PecBundle, PECompact
norman sandbox: [ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * Accesses executable file from resource section.
 * Creating several executable files on hard-drive.
 * File length: 181965 bytes.

 [ Changes to filesystem ]
 * Creates directory C:\WINDOWS\TEMP\.
 * Creates file C:\WINDOWS\TEMP\nsr8999.tmp.
 * Deletes file C:\WINDOWS\TEMP\nsr8999.tmp.
 * Creates file C:\PROGRA~1\Common Files\Yazzle1552OinAdmin.exe.
 * Deletes file C:\PROGRA~1\Common Files\Yazzle1552OinUninstaller.exe.
 * Creates file C:\WINDOWS\TEMP\mshtml2.exe.
 * Deletes file C:\WINDOWS\TEMP\mshtml2.exe.

 [ Changes to registry ]
 * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "Publisher"="Outerinfo" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "DisplayName"="Outerinfo" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "UninstallString"=""C:\PROGRA~1\Common Files\Yazzle1552OinUninstaller.exe"" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "HelpLink"="mailto:uninstaller@outerinfo.com" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "InstallLocation"="C:\PROGRA~1\Common Files" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "NoModify"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "NoRepair"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "DisplayVersion"="5.2.1552" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "Append"="oref=5_99001552" in key "HKCU\Software\Microsoft".

 [ Signature Scanning ]
 * C:\PROGRA~1\Common Files\Yazzle1552OinAdmin.exe (140288 bytes) : W32/PurityScan.BQW.
Prevx info: http://info.prevx.com/aboutprogramtext.asp...14AC600452D9002
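Added example, not part of the thread and not Norman's own tooling: a small Python parser that turns a sandbox report in the layout quoted above into the list of artifacts a cleanup has to verify are gone (files the sample dropped and did not remove again, registry keys and values it wrote, and what the signature scanner named). The sample report below is constructed from lines of the report above; the section names and the "Creates file ... / Sets value ... in key ..." line patterns are assumed to follow that layout exactly.

```python
import re

# Constructed sample: a subset of the Norman sandbox report quoted above, one action per line.
SAMPLE_REPORT = r"""[ General information ]
 * File length: 181965 bytes.

[ Changes to filesystem ]
 * Creates directory C:\WINDOWS\TEMP\.
 * Creates file C:\WINDOWS\TEMP\nsr8999.tmp.
 * Deletes file C:\WINDOWS\TEMP\nsr8999.tmp.
 * Creates file C:\PROGRA~1\Common Files\Yazzle1552OinAdmin.exe.
 * Deletes file C:\PROGRA~1\Common Files\Yazzle1552OinUninstaller.exe.
 * Creates file C:\WINDOWS\TEMP\mshtml2.exe.
 * Deletes file C:\WINDOWS\TEMP\mshtml2.exe.

[ Changes to registry ]
 * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "UninstallString"=""C:\PROGRA~1\Common Files\Yazzle1552OinUninstaller.exe"" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo".
 * Sets value "Append"="oref=5_99001552" in key "HKCU\Software\Microsoft\".

[ Signature Scanning ]
 * C:\PROGRA~1\Common Files\Yazzle1552OinAdmin.exe (140288 bytes) : W32/PurityScan.BQW.
"""

# Line patterns assumed from the report layout above.
SECTION_RE = re.compile(r"^\[ (.+?) \]$")
ITEM_RE = re.compile(r"^\s*\* (.*)$")
FILE_RE = re.compile(r"^(Creates|Deletes) (file|directory) (.+)\.$")
KEY_RE = re.compile(r'^Creates key "([^"]+)"\.$')
VALUE_RE = re.compile(r'^Sets value "([^"]+)"="(.*)" in key "([^"]+)"\.$')
SIG_RE = re.compile(r"^(.+?) \((\d+) bytes\) : (.+)\.$")


def parse_norman_report(text):
    """Walk the report section by section and collect each kind of observed change."""
    report = {"created": [], "deleted": [], "dirs": [], "keys": [], "values": [], "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        item = m.group(1)
        if section == "Changes to filesystem":
            fm = FILE_RE.match(item)
            if fm:
                action, kind, path = fm.groups()
                if kind == "directory":
                    report["dirs"].append(path)
                elif action == "Creates":
                    report["created"].append(path)
                else:
                    report["deleted"].append(path)
        elif section == "Changes to registry":
            km = KEY_RE.match(item)
            vm = VALUE_RE.match(item)
            if km:
                report["keys"].append(km.group(1))
            elif vm:
                name, value, key = vm.groups()
                report["values"].append((key, name, value))
        elif section == "Signature Scanning":
            sm = SIG_RE.match(item)
            if sm:
                path, size, name = sm.groups()
                report["detections"].append((path, int(size), name))
    return report


def persistent_artifacts(report):
    """What the sample left behind: files it created and did not delete, plus registry writes."""
    deleted = set(report["deleted"])
    files = [p for p in report["created"] if p not in deleted]
    return {"files": files, "keys": list(report["keys"]), "values": list(report["values"])}


if __name__ == "__main__":
    parsed = parse_norman_report(SAMPLE_REPORT)
    for path in persistent_artifacts(parsed)["files"]:
        print("verify removed:", path)
    for key, name, value in persistent_artifacts(parsed)["values"]:
        print("verify removed:", key, name, "=", value)
```

The temp files (nsr8999.tmp, mshtml2.exe) are created and deleted inside the sandbox run, so they drop out of the checklist; what remains is the dropped Yazzle1552OinAdmin.exe and the Uninstall key that makes "Outerinfo" show up in Add/Remove Programs.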

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 27 February 2008 - 12:38 AM

Hi SeaFyre,


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File::
C:\WINDOWS\system32\L4351.tmp
C:\WINDOWS\system32\L2C2F.tmp
C:\WINDOWS\system32\L6521.tmp
C:\WINDOWS\system32\LE69D.tmp
C:\WINDOWS\system32\LB982.tmp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpue"=-
"Uedg"=-
"QdrModule13"=-
"QdrPack13"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SeaFyre

SeaFyre
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 27 February 2008 - 12:51 AM

Hi SifuMike,

Here are the latest logs:


ComboFix 08-02-25.3 - Owner 2008-02-26 23:47:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\L2C2F.tmp
C:\WINDOWS\system32\L4351.tmp
C:\WINDOWS\system32\L6521.tmp
C:\WINDOWS\system32\LB982.tmp
C:\WINDOWS\system32\LE69D.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\L2C2F.tmp
C:\WINDOWS\system32\L4351.tmp
C:\WINDOWS\system32\L6521.tmp
C:\WINDOWS\system32\LB982.tmp
C:\WINDOWS\system32\LE69D.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-26 23:18 . 2008-02-26 23:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-26 19:23 . 2008-02-26 19:23 <DIR> d-------- C:\Program Files\RcvSystem
2008-02-21 10:55 . 2008-02-21 10:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 10:49 . 2008-02-21 10:49 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-21 10:49 . 2008-02-21 10:49 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-02-21 10:48 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-02-21 10:32 . 2008-02-21 10:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-21 10:00 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-21 10:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-21 10:00 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-21 10:00 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-21 08:10 . 2008-02-21 08:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-20 22:27 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-20 22:26 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qkmwdsmrkrlg.sys
2008-02-20 22:11 . 2008-02-20 23:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-20 22:11 . 2008-02-20 22:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-20 22:11 . 2008-02-20 22:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-20 22:11 . 2008-02-20 22:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-20 18:29 . 2008-02-20 21:55 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-02-18 10:34 . 2008-02-18 10:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 10:34 . 2008-02-18 10:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 10:28 . 2008-02-18 10:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 17:18 . 2008-02-07 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 05:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-21 04:54 --------- d-----w C:\Program Files\D-Tools
2008-02-20 20:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-18 16:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-22 15:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\foobar2000
2008-01-18 23:25 --------- d-----w C:\Program Files\EFTP
2008-01-09 21:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-05-21 20:43 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-21 20:43 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-24 07:21 88363 C:\WINDOWS\AGRSMMSG.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 14:42 212992]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-09 16:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-09 16:09 491520]
"StacSysTray"="C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 13:16 102400]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 17:30 73728]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 22:10 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 00:21 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-24 21:05 155648]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 16:05 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 23:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-10 23:00:00 51984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EFTP\\EFTP3Client.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 SigService;Sigmatel Service;C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [2004-04-29 13:15]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 23:48:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-02-26 23:48:46
ComboFix-quarantined-files.txt 2008-02-27 05:48:44
ComboFix2.txt 2008-02-27 01:44:12



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:37 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\F?nts\l?ass.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203609568265
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://merillat.view22.com/view22/roomapp/View22RTE.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://punch1.view22.com/release_3_10_43/View22RTEv4.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sigmatel Service (SigService) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe

--
End of file - 6450 bytes
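Added example, not from the thread and not part of HijackThis: a Python triage pass over a "Running processes" list like the one in the log above. The entry C:\WINDOWS\system32\F?nts\l?ass.exe is the kind of thing an experienced reviewer spots by eye; this script makes the two checks explicit: a path containing a character the tool could not print (the "?" is assumed here to stand for such a character) and a file name within one character of a core Windows binary, or such a binary started from a directory other than the one it belongs in. The process list is constructed from the log above; the table of system binaries and their expected directories is my own, for a Windows XP layout.

```python
import ntpath

# Constructed sample: entries taken from the HijackThis "Running processes" section above,
# with the suspicious entry kept verbatim.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe",
    r"C:\WINDOWS\system32\F?nts\l?ass.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
]

# Assumed table: core Windows binaries and the only directory each should run from (XP layout).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def near_match(name, target):
    """True if name equals target or differs in at most one position; '?' matches anything."""
    if len(name) != len(target):
        return False
    diffs = sum(1 for a, b in zip(name, target) if a != "?" and a != b)
    return diffs <= 1


def analyze_process(path):
    """Return the reasons an entry looks suspicious; an empty list means nothing was noted."""
    reasons = []
    directory, name = ntpath.split(path)
    lname, ldir = name.lower(), directory.lower()
    # HijackThis-style logs print characters they cannot render as '?'; a real path on a
    # clean XP box has neither that nor non-ASCII bytes in system directories.
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("non-ASCII or unprintable character in path")
    for known, expected_dir in SYSTEM_BINARIES.items():
        if not near_match(lname, known):
            continue
        if lname != known:
            reasons.append(f"file name {name} is one character off {known}")
        if ldir != expected_dir:
            reasons.append(f"{known} lookalike started from {directory}, expected {expected_dir}")
        break
    return reasons


def triage(processes):
    """Map each flagged process path to its list of reasons."""
    findings = {}
    for path in processes:
        reasons = analyze_process(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PROCESSES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On the sample the only hit is the F?nts entry, which trips all three checks at once: an unprintable character, a name one character off lsass.exe, and a lsass lookalike running from a subfolder of system32 rather than system32 itself. The genuine lsass.exe in the same list is not flagged.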

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 27 February 2008 - 01:11 AM

Hi SeaFyre,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
If you have trouble downloading Java from the above site, then try this site:
http://www.majorgeeks.com/Sun_Java_Runtime...ment_d4648.html




Please download the OTMoveIt2 by OldTimer.
Please remember how we do this step, as we are likely to have to do it more than once.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
    Important -- Of the three panels shown by OTMoveIt2, only the bottom-most panel should be used. Do NOT use the top panel. See the picture:
    Posted Image
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\F?nts /u

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" lower panel (under the bottom (yellow) Section Bar) window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



Reboot your computer, post a fresh Hijackthis log, the OTMoveIT2 log, and tell me how your computer is running.

#9 SeaFyre

SeaFyre
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 27 February 2008 - 01:54 AM

Hi SifuMike,

No files were moved, but am attaching the log file, plus the newest Hijackthis log.

The pop-ups may be gone. They slowed down considerably after the first couple of steps you gave me to do, but I was still getting some. Will have to monitor for a bit to see if they are completely gone, but at this point it's looking good!


[Custom Input]
< C:\WINDOWS\system32\F?nts /u >
File/Folder C:\WINDOWS\system32\F?nts not found.

OTMoveIt2 v1.0.20 log created on 02272008_003852


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:06 AM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203609568265
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://merillat.view22.com/view22/roomapp/View22RTE.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://punch1.view22.com/release_3_10_43/View22RTEv4.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sigmatel Service (SigService) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe

--
End of file - 6437 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 27 February 2008 - 06:58 PM

Hi SeaFyre,

Your log looks clean. :thumbsup:

How is the computer running?

Edited by SifuMike, 27 February 2008 - 06:58 PM.


#11 SeaFyre

SeaFyre
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 27 February 2008 - 07:25 PM

Hi SifuMike,

Not a pop-up in sight!! You've done it! :thumbsup:

Thank you so, so much for all your help, I was totally lost as to what to do. It's ok if I delete all the stuff I used to do the fix, isn't it?

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 27 February 2008 - 10:59 PM

Hi SeaFyre,

You're very welcome. Good job on the cleanup! :thumbsup:

Now we will get rid of all the programs I had you download.


Uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please read and follow "How did I get infected?, With steps so it does not happen again!" as well as "How to prevent Malware" by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 27 February 2008 - 11:00 PM.


#13 SeaFyre

SeaFyre
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 28 February 2008 - 09:42 AM

Hi SifuMike,

Everything looks great now! I am ashamed to admit how seldom I was updating my security software, but I have certainly learned my lesson the hard way. :thumbsup:

Thanks again for all of your help, you saved me from the dreaded reformatting job I was starting to think was my only option. Now if I could just get you to come over here and fix my truck......

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 28 February 2008 - 11:47 AM

Now if I could just get you to come over here and fix my truck......


LOL

Thank you for the kind words.
It's always nice to hear that someone appreciates the help we are giving. :thumbsup:

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:41 AM

Posted 13 March 2008 - 05:09 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



