Infected With Outerinfo


16 replies to this topic

#1 armorgan (Members, 10 posts)

Posted 07 March 2008 - 01:44 AM

Hi all. My computer seems to be infected with outerinfo, yet again. The first time I just did a system restore. I did a search of the threads here and downloaded both Dr.Web CureIt and SUPERAntiSpyware, but I've run into a few problems following the guides.
When I reboot in safe mode, I can't access Dr.Web. It is no longer on my desktop and when I run a search, it doesn't show up. Also, I've downloaded SUPERAntiSpyware and I can't get the program to launch. I saved it to desktop, nothing happens when I try to run it. Any help would be greatly appreciated.


#2 quietman7, Bleepin' Janitor (Global Moderator, 50,581 posts, Virginia, USA)

Posted 07 March 2008 - 09:45 AM

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything similar with OIN, Outer Info or Yazzle in them.

Important! Reboot when done.

Open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find (if they still exist).

If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, then download and run the Purity Scan uninstaller.
  • Save the Uninstaller to your desktop.
  • Double click on the OiUninstaller.exe icon on your desktop.
  • Click on "Run".
  • Enter the four digit code that is displayed and click on "Uninstall".
  • Click on "Ok" and reboot your computer.
Click here for Instructions with screenshots if needed.

Note: OiUninstaller uses UPX (ultimate packer for executables), an advanced file compressor and a method for compressing executable files to reduce their size to save space on a disk and download time. Some anti-virus programs such as Avast and Kaspersky may detect it as malware when attempting to download or unpack the compressed file.

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

Purity

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Patterns to Search for and Move" (under the yellow bar), and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 armorgan, Topic Starter (Members, 10 posts)

Posted 07 March 2008 - 06:39 PM

Ok, small problem. I can't seem to access my Add/Remove anymore and I'm getting very frustrated. When I start up my computer I get Windows errors that say the system has recovered from a very serious error. Things seem to be getting worse. Also, I'm not positive that it is Outer Info anymore because I haven't seen anything from them except the first pop up. I ran a virus scan and it keeps coming up with the same trojans and downloaders, but I can't run the scan in safe mode. ARRRGGHH. Thanks for responding, I'm just not sure what to do anymore.

#4 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,301 posts, Redmond, Washington)

Posted 07 March 2008 - 07:27 PM

Try this scanner in SafeMode.

Please do an online scan with Kaspersky WebScanner.
  • Hold down your "Shift" key and click on this link: Kaspersky WebScanner, to open the Kaspersky WebScanner in a new window.
  • Click on "Kaspersky Online Scanner".
    • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "NEXT".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Under select a target to scan, select "My Computer".
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Upon completion, click on the "Save as Text" button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 armorgan, Topic Starter (Members, 10 posts)

Posted 08 March 2008 - 03:21 AM

Thank you for your response. Here are the results from the scan.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 08, 2008 3:19:32 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/03/2008
Kaspersky Anti-Virus database records: 612479
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 108767
Number of viruses found: 10
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 01:14:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\U1ER45IJ\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NetMeeting\pyqisody89104.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\Program Files\vol_toolbar\vol_toolbar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0018010.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0019008.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0020012.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0020019.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0020031.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0021038.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0021053.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP52\A0022052.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP52\A0024063.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP52\A0024083.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP52\change.log Object is locked skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\c4\np89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\WINDOWS\system32\c4\np89104.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\system32\ddcdabc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\dllcache\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\WINDOWS\system32\drivers\arp13944.sys Infected: Rootkit.Win32.Agent.to skipped
C:\WINDOWS\system32\drivers\beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\WINDOWS\system32\fcccyxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\mljghij.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

Scan process completed.
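A helper reads a report like the one above by separating the noise (locked registry hives and index files, normal on a live system) from the named detections, then deciding which tool to reach for based on the worst thing found. The following is an added example, written for this thread and not part of the original post or of Kaspersky's own software, of a small Python triage script for this report format. It recognises the three line shapes in the body ("Object is locked", "Infected: <verdict>", and container hits such as "NSIS: infected - 1"), maps each object back to the file on disk (the "/data0006" suffix names an object inside an installer), separates live files from copies sitting in System Restore points, and ranks verdicts with a severity ladder that is my own assumption for ordering (rootkit and backdoor first, droppers next, not-a-virus adware/fake-AV last), not a Kaspersky classification. The sample lines are copied from the posted report.

```python
import re
from collections import Counter

# Constructed sample input: result lines copied from the Kaspersky Online Scanner
# report in this thread (object path, then verdict, then last action).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP51\A0018010.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.cyb skipped
C:\WINDOWS\system32\drivers\arp13944.sys Infected: Rootkit.Win32.Agent.to skipped
C:\WINDOWS\system32\ddcdabc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
"""

# The three line shapes that appear in the report body.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\w+): infected - \d+ (?P<action>\w+)$")

RESTORE_MARKER = "\\System Volume Information\\_restore"


def base_name(verdict):
    """Strip Kaspersky's 'not-a-virus:' prefix so the family is the first token."""
    return verdict.split(":", 1)[1] if verdict.startswith("not-a-virus:") else verdict


def severity(verdict):
    """Assumed ordering for triage only (not a Kaspersky classification):
    kernel-resident and remote-control components first, droppers next,
    adware and fake-AV last. Container lines carry no verdict of their own."""
    if verdict is None:
        return 0
    name = base_name(verdict)
    if name.startswith("Rootkit."):
        return 4
    if name.startswith("Backdoor."):
        return 3
    if verdict.startswith("not-a-virus:"):
        return 1
    return 2  # Trojan-*, Worm, Virus, ...


def parse_report(text):
    """Turn result lines into dicts; header, statistics and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := LOCKED_RE.match(line):
            kind, verdict = "locked", None
        elif m := INFECTED_RE.match(line):
            kind, verdict = "infected", m.group("verdict")
        elif m := CONTAINER_RE.match(line):
            kind, verdict = "container", None
        else:
            continue
        path = m.group("path")
        # "file.exe/data0006" names an object inside an installer or archive;
        # Windows paths never contain "/", so the part before it is the file on disk.
        host_path = path.split("/", 1)[0]
        entries.append({
            "kind": kind,
            "path": path,
            "host_path": host_path,
            "verdict": verdict,
            "family": base_name(verdict).split(".", 1)[0] if verdict else None,
            "severity": severity(verdict),
            "in_restore_point": RESTORE_MARKER in host_path,
            "action": m.group("action"),
        })
    return entries


def triage(text):
    """Summarise the report the way a helper reads it: what is merely locked,
    what is actually on disk, what only survives in restore points, and the
    single worst finding that decides which tool to reach for first."""
    entries = parse_report(text)
    findings = [e for e in entries if e["kind"] != "locked"]
    worst = max(findings, key=lambda e: e["severity"], default=None)
    return {
        "locked": sum(1 for e in entries if e["kind"] == "locked"),
        "findings": len(findings),
        "worst": (worst["host_path"], worst["verdict"]) if worst else None,
        "on_disk": sorted({e["host_path"] for e in findings if not e["in_restore_point"]}),
        "in_restore_points": sorted({e["host_path"] for e in findings if e["in_restore_point"]}),
        "by_family": Counter(e["family"] for e in findings if e["family"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample the worst finding is the driver flagged as a rootkit, which is the reason a plain uninstall or a System Restore is not enough here: restore-point copies are listed separately because they come back with the restore point rather than being removed by it.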

#6 armorgan, Topic Starter (Members, 10 posts)

Posted 08 March 2008 - 04:45 AM

Ok, so I ran the Purity Scan and it uninstalled outer info. I then pasted Purity into the move it program. It came up with this:

File/Folder Purity not found.

OTMoveIt2 v1.0.20 log created on 03082008_044110

I'm still getting pop ups but I'm able to use my Add/Remove. I'm still finding viruses when I scan with Dr.Web, and I still can't use SUPERAntiSpyware. I want to say thanks again for everyone's help.

#7 quietman7, Bleepin' Janitor (Global Moderator, 50,581 posts, Virginia, USA)

Posted 08 March 2008 - 07:33 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS. In your case, you have several nasty infections that need to be dealt with.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
  • Please copy & paste the contents of that text file into your next reply.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Reports/logs to post in your next reply:
* Report.txt <- SDFix report
* vundofix.txt
* MBAM report log

#8 armorgan, Topic Starter (Members, 10 posts)

Posted 10 March 2008 - 12:41 AM

Okay, I just decided to restore. I have Windows XP, I downloaded AVG Free and SUPERAntiSpyware and I'm already infected again. I removed outerinfo, AGAIN, from my Add/Remove, ran antispyware and some trojans and downloaders came up, but nothing comes up when I run it in safe mode. They do keep showing up when I run both antispy and AVG in regular mode, though. I'm not having many problems with pop-ups and my computer is not running slowly, but I'm unable to access Task Manager and my desktop background has been replaced with a generic ad for spyware removal. I really appreciate the replies and advice everyone has given, and any additional help would be great.

ETA: Both virus and spyware scans show up clean now, but I still can't use task manager and my desktop background is still a link to various spyware removal software. I'm not sure what's going on.

Edited by armorgan, 10 March 2008 - 02:06 AM.


#9 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,301 posts, Redmond, Washington)

Posted 10 March 2008 - 07:36 AM

Generally, system restore only watches a few key files that are part of windows. In addition, many types of malware infect the system restore points. Therefore, using system restore to remove a malware problem is ineffective.

Please follow quietman7's instructions.

Billy3

#10 armorgan, Topic Starter (Members, 10 posts)

Posted 12 March 2008 - 07:40 AM

Malwarebytes' Anti-Malware 1.08
Database version: 480

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 85608
Time elapsed: 13 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180searchassistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP10\A0003341.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP10\A0003344.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP10\A0003345.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP10\A0003352.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\saap.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180searchassistant\sac.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180solutions\sais.exe (Adware.180Solutions) -> Quarantined and deleted successfully.



SDFix: Version 1.156

Run by Adam on Wed 03/12/2008 at 06:34 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\tctwtkbw\1.png - Deleted
C:\WINDOWS\tctwtkbw\2.png - Deleted
C:\WINDOWS\tctwtkbw\3.png - Deleted
C:\WINDOWS\tctwtkbw\4.png - Deleted
C:\WINDOWS\tctwtkbw\5.png - Deleted
C:\WINDOWS\tctwtkbw\6.png - Deleted
C:\WINDOWS\tctwtkbw\7.png - Deleted
C:\WINDOWS\tctwtkbw\8.png - Deleted
C:\WINDOWS\tctwtkbw\9.png - Deleted
C:\WINDOWS\tctwtkbw\bottom-rc.gif - Deleted
C:\WINDOWS\tctwtkbw\config.png - Deleted
C:\WINDOWS\tctwtkbw\content.png - Deleted
C:\WINDOWS\tctwtkbw\download.gif - Deleted
C:\WINDOWS\tctwtkbw\frame-bg.gif - Deleted
C:\WINDOWS\tctwtkbw\frame-bottom-left.gif - Deleted
C:\WINDOWS\tctwtkbw\frame-h1bg.gif - Deleted
C:\WINDOWS\tctwtkbw\head.png - Deleted
C:\WINDOWS\tctwtkbw\icon.png - Deleted
C:\WINDOWS\tctwtkbw\indexwp.html - Deleted
C:\WINDOWS\tctwtkbw\main.css - Deleted
C:\WINDOWS\tctwtkbw\memory-prots.png - Deleted
C:\WINDOWS\tctwtkbw\net.png - Deleted
C:\WINDOWS\tctwtkbw\pc.gif - Deleted
C:\WINDOWS\tctwtkbw\pc-mag.gif - Deleted
C:\WINDOWS\tctwtkbw\poloska1.png - Deleted
C:\WINDOWS\tctwtkbw\poloska2.png - Deleted
C:\WINDOWS\tctwtkbw\poloska3.png - Deleted
C:\WINDOWS\tctwtkbw\promowp1.html - Deleted
C:\WINDOWS\tctwtkbw\promowp2.html - Deleted
C:\WINDOWS\tctwtkbw\promowp3.html - Deleted
C:\WINDOWS\tctwtkbw\promowp4.html - Deleted
C:\WINDOWS\tctwtkbw\promowp5.html - Deleted
C:\WINDOWS\tctwtkbw\reg.png - Deleted
C:\WINDOWS\tctwtkbw\repair.png - Deleted
C:\WINDOWS\tctwtkbw\scr-1.png - Deleted
C:\WINDOWS\tctwtkbw\scr-2.png - Deleted
C:\WINDOWS\tctwtkbw\start.png - Deleted
C:\WINDOWS\tctwtkbw\styles.css - Deleted
C:\WINDOWS\tctwtkbw\top-rc.gif - Deleted
C:\WINDOWS\tctwtkbw\vline.gif - Deleted
C:\WINDOWS\tctwtkbw\wp.png - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted



Folder C:\WINDOWS\PerfInfo - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 06:38:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Mar 2008 213 A.SHR --- "C:\BOOT.BAK"
Mon 7 Nov 2005 32 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"

Finished!




VundoFix V7.0.3

Scan started at 6:45:26 AM 3/12/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


Okay, here are the reports you needed.
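The SDFix log above ends with an export of the Windows XP firewall's authorized-application lists, which is there so a helper can review what has been allowed through. The following is an added example, written for this thread and not part of the original post or of SDFix, of a Python parser for that export. It unescapes the .reg-style doubled backslashes, expands %windir% and %ProgramFiles% using an assumed mapping (ENV), splits each value into path, scope, state and display name, and flags enabled entries whose program sits outside Windows or Program Files (an assumed trusted-root list) or whose value path differs from its key. The first three entries in the sample are copied from the log; the fourth, "updater.exe" under All Users\Application Data, is constructed for this example and was not on the poster's machine.

```python
import re

# Constructed sample in the shape of SDFix's "Authorized Application Key Export".
# The sessmgr, AVG and iTunes values are copied from the log in this thread; the
# "updater.exe" entry is made up for this example and was not on the poster's machine.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Documents and Settings\\All Users\\Application Data\\example\\updater.exe"="C:\\Documents and Settings\\All Users\\Application Data\\example\\updater.exe:*:Enabled:updater"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"""

# Assumed values for the variables the export leaves unexpanded.
ENV = {"windir": "C:\\WINDOWS", "programfiles": "C:\\Program Files"}

# Assumed roots under which an allowed program is unremarkable; compared lowercase.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

SECTION_RE = re.compile(
    r"^\[.*\\firewallpolicy\\(?P<profile>\w+)\\authorizedapplications\\list\]$", re.I)
ENTRY_RE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')
# Value layout on XP SP2: path:scope:state:display name. The path may hold a
# drive colon, so it is matched explicitly; the name is last and may hold colons.
VALUE_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<name>.*)$")


def unescape(s):
    """A .reg-style export doubles every backslash."""
    return s.replace("\\\\", "\\")


def expand(path):
    """Expand %windir%-style variables from the assumed ENV table, case-insensitively."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def parse_export(text):
    """Return one dict per authorized application, tagged with its firewall profile."""
    profile, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if sec := SECTION_RE.match(line):
            profile = sec.group("profile").lower()
            continue
        ent = ENTRY_RE.match(line)
        if not ent:
            continue
        key = expand(unescape(ent.group("key")))
        val = VALUE_RE.match(unescape(ent.group("value")))
        if not val:
            entries.append({"profile": profile, "key": key, "enabled": True,
                            "flags": ["value does not parse"]})
            continue
        path = expand(val.group("path"))
        flags = []
        if path.lower() != key.lower():
            flags.append("value path differs from key")
        if not path.lower().startswith(TRUSTED_ROOTS):
            flags.append("outside Windows/Program Files")
        entries.append({
            "profile": profile,
            "key": key,
            "path": path,
            "scope": val.group("scope"),  # "*" means any remote address
            "enabled": val.group("state").lower() == "enabled",
            "name": val.group("name"),
            "flags": flags,
        })
    return entries


def suspicious(entries):
    """Enabled exceptions a helper would ask about before trusting the firewall state."""
    return [e for e in entries if e["enabled"] and e["flags"]]


if __name__ == "__main__":
    for e in suspicious(parse_export(SAMPLE_EXPORT)):
        print(e["profile"], e["key"], "->", ", ".join(e["flags"]))
```

The AVG and sessmgr entries in the real log pass both checks, which is what you want to see; anything the script lists is simply a question to ask, not a verdict, since legitimate software is occasionally installed under Application Data as well.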

#11 quietman7, Bleepin' Janitor (Global Moderator, 50,581 posts, Virginia, USA)

Posted 12 March 2008 - 08:44 AM

Use OTMoveIT the same as before but this time copy & paste the following path - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\ddcdabc.dll
C:\WINDOWS\system32\fcccyxx.dll
C:\WINDOWS\system32\mljghij.dll
C:\WINDOWS\system32\winivstr.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\snapsnet.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\U1ER45IJ\Installer2[1].exe
C:\Program Files\NetMeeting\pyqisody89104.dll

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
-- You may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Also let me know how your computer is running.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#12 armorgan

Posted 12 March 2008 - 08:53 AM

File/Folder C:\WINDOWS\cru629.dat not found.
File/Folder C:\WINDOWS\system32\cru629.dat not found.
File/Folder C:\WINDOWS\system32\users32.dat not found.
File/Folder C:\WINDOWS\system32\ddcdabc.dll not found.
File/Folder C:\WINDOWS\system32\fcccyxx.dll not found.
File/Folder C:\WINDOWS\system32\mljghij.dll not found.
File/Folder C:\WINDOWS\system32\winivstr.exe not found.
File/Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\snapsnet.exe not found.
File/Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\U1ER45IJ\Installer2[1].exe not found.
File/Folder C:\Program Files\NetMeeting\pyqisody89104.dll not found.
File/Folder not found.

OTMoveIt2 v1.0.21 log created on 03122008_094717


My computer is not running too badly. I'm not having pop-ups or anything like that. My biggest problems right now are an error message when I reboot and a game that I had never had problems with before crashing. Although that could be a problem with my video card. While I was waiting for a reply I ran an online scan with Kaspersky that said I still have 2 viruses. But all in all it's not too bad.

ETA: my error message says
LoadLibrary(C:\Documents and Settings\All Users\Application Data\afazkzyz.dll') failed.
I don't know if that has anything to do with what you have been helping me with here because I deleted a user account and removed a bunch of the garbage programs that are on my computer when you restore. Thanks again for your replies.

Edited by armorgan, 12 March 2008 - 09:02 AM.


#13 quietman7

Posted 12 March 2008 - 10:56 AM

It's not unusual to receive such an error after using specialized fix tools.

Use OTMoveIT the same as before but this time copy & paste the following path - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\Documents and Settings\All Users\Application Data\afazkzyz.dll

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
-- You may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Then download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
Also let me know what two viruses Kaspersky has found (file name and full path where they are located).

#14 armorgan

Posted 12 March 2008 - 02:35 PM

File/Folder C:\Documents and Settings\All Users\Application Data\afazkzyz.dll not found.

OTMoveIt2 v1.0.21 log created on 03122008_140203

That took care of the startup error message.

Here are the results of the Kaspersky scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 12, 2008 3:26:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/03/2008
Kaspersky Anti-Virus database records: 626007
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 73830
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:09:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Adam\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Application Data\ApplicationHistory\Explorer.EXE.3c2f65a1.ini.inuse Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\History\History.IE5\MSHist012008031220080313\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Temp\Perflib_Perfdata_748.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Temp\Perflib_Perfdata_a84.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Temp\Perflib_Perfdata_a90.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\MHQB2RID\Download_mbam-setup[1].exe Infected: not-a-virus:Downloader.Win32.Keylogger.a skipped
C:\Documents and Settings\Adam\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Adam\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP10\A0003405.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP16\A0005665.exe Infected: not-a-virus:Downloader.Win32.Keylogger.a skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP17\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\elmhwlon.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\L857B.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
C:\WINDOWS\system32\L857B.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
C:\WINDOWS\system32\L857B.tmp NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
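As an added example (not code from this thread, from Kaspersky or from OTMoveIt), a small Python triage of a report in the format above: it discards "Object is locked" entries, which are in-use system files rather than detections, collapses inner-archive entries (file.tmp/stream/data0001) to the file on disk, and separates restore-point copies, which are dealt with last, from the files that belong in a move list. The sample lines are taken from the report above and trimmed to a few entries.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines from the Kaspersky Online Scanner report above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP10\A0003405.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\WINDOWS\elmhwlon.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\WINDOWS\system32\L857B.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
C:\WINDOWS\system32\L857B.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
C:\WINDOWS\system32\L857B.tmp NSIS: infected - 2 skipped
Scan process completed.
"""

LOCKED = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

def parse_report(text):
    """Return (locked_count, findings); findings are (path, detection) tuples.
    Archive summary lines ("NSIS: infected - 2") carry no detection name and
    are ignored because their members are already listed individually."""
    locked, findings = 0, []
    for line in text.splitlines():
        line = line.strip()
        if LOCKED.match(line):
            locked += 1
            continue
        m = INFECTED.match(line)
        if m:
            findings.append((m.group("path"), m.group("name")))
    return locked, findings

def container(path):
    """Map an inner-archive entry (file.tmp/stream/data0001) to the on-disk file."""
    return path.split("/", 1)[0]

def triage(findings):
    """Split hits into files to remove now and restore-point copies handled last."""
    live, restore_points = [], []
    by_detection = defaultdict(set)
    for path, name in findings:
        on_disk = container(path)
        by_detection[name].add(on_disk)
        bucket = restore_points if "\\system volume information\\_restore" in path.lower() else live
        if on_disk not in bucket:
            bucket.append(on_disk)
    return {"remove_now": live, "restore_point": restore_points,
            "by_detection": {k: sorted(v) for k, v in by_detection.items()}}

if __name__ == "__main__":
    locked, findings = parse_report(SAMPLE_REPORT)
    result = triage(findings)
    print(f"{locked} locked object(s) ignored (in-use files, not detections)")
    print("Move list:\n" + "\n".join(result["remove_now"]))
    print("Restore-point copies:\n" + "\n".join(result["restore_point"]))
```

For the sample above the move list comes out as the two on-disk files named in the next reply, while the RP10 copy is held back for the restore-point cleanup.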

#15 quietman7

Posted 12 March 2008 - 05:10 PM

Don't worry about the hits on your SVI folder right now. We will take care of them last. The hit on mbam's setup file looks like a false positive as it is a legit program. This is not unusual for some anti-malware tools.

Use OTMoveIT the same as before but this time copy & paste the following path - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\WINDOWS\elmhwlon.exe
C:\WINDOWS\system32\L857B.tmp

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
-- You may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.



