Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help Me Destroy Outerinfo Popups


  • This topic is locked This topic is locked
5 replies to this topic

#1 Yard Sale

Yard Sale

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 07 July 2006 - 12:28 PM

I could really use some help getting rid of these friggin Outerinfo popups. They pop up several times a minute and really are interfering with my ability to focus and work. I've run through all the steps in the "Read this topic before posting a log," so without further ado, here's my HJT log. Thanks for the help!

Logfile of HijackThis v1.99.1
Scan saved at 11:26:30 AM, on 7/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\?ssembly\m?dtc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\SSTEM3~1\mmc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\ProPoster\ProPoster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LexisNexis\Cost Recovery Manager\lncomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thelink.irwl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5979331C-5EDF-4417-A129-B49BFF4BC767} - C:\WINNT\system32\mllml.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: LexisNexis ToolBar - {E92748B4-AFCC-4533-8876-DB99FD857949} - C:\Program Files\LexisNexis\Cost Recovery Manager\LNToolBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: LexisNexis ToolBar - {E92748B4-AFCC-4533-8876-DB99FD857949} - C:\Program Files\LexisNexis\Cost Recovery Manager\LNToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Ad Annihilator - {A1C18A7B-55E9-4DA3-A880-D112C791A9D8} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Workshare3GW] C:\Program Files\Workshare\Modules\WMConfigAssistant.exe /userinit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Oute] "C:\WINNT\SSTEM3~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Wckauow] C:\WINNT\?ssembly\m?dtc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/d68af6d45f...d6ae3cf4_21.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = irwl.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = irwl.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = irwl.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = irwl.local
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
O20 - AppInit_DLLs: ptapisp.dll c:\winnt\system32\
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winamp32 - winamp32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

BC AdBot (Login to Remove)

 


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:38 AM

Posted 08 July 2006 - 08:38 PM

Hello and welcome to the Bleeping Computers :thumbsup:

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:
Open Spysweeper and click on Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck 'automaticly restore default without notification".

=========================================

Download and install Ewido Antimalware 4.0 .
  • Open Ewido AntiMalware
  • Go to Status menu
  • Click change status on Resident shield to inactive Under "Your computers Security"
Update but Do not scan with it yet.

========================================

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

=========================================

Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:

Oin
OuterInfo
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it


Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

======================================

Find this file and right click on it. (It's probably in system32) Click the version tab and find the manufacturer and original filename please. Note down the file path. It's probably this: C:\WINNT\SSTEM32\ptapisp.dll

ptapisp.dll

Then please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste the file with its filepath:

C:\WINNT\SSTEM32\ptapisp.dll (probably)

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

======================================

Reboot your computer in Safe Mode using the F8 method below.

a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

======================================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5979331C-5EDF-4417-A129-B49BFF4BC767} - C:\WINNT\system32\mllml.dll (file missing)
O4 - HKCU\..\Run: [Oute] "C:\WINNT\SSTEM3~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [Wckauow] C:\WINNT\?ssembly\m?dtc.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sy...nnerInstall.cab
O20 - Winlogon Notify: winamp32 - winamp32.dll (file missing


Close all other browsers/windows/applications/email, etc., except HijackThis, and click fix checked.

======================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to loose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one users, run Ccleaner for every user

========================================

From Safe Mode Run Ewido AntiMalware
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop
NOTE: Ewido scan may need an hour.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel

=========================================

Reboot in Normal Mode

=========================================

Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 7 .
You are running an old vulnerable version of Java.
  • Go to Start > Control Panel > Add/Remove Programs.
  • Search for all previous installed versions of Java. (J2SE Runtime Environment.... ) and delete them.
  • It/they should have this icon next to it/them: Posted Image
  • Then download and install the newest version. 1.5.07 from here.
==========================================

You had a trojan called "lowZone-I" which lowers the Internet Explorer settings. Let's check your settings.

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

===========================================

Finally, Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report and save it to your desktop.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

===========================================

Scan with HijackThis again. Please post back the new HijackThis log along with the Ewido log and the Panda online scan results.

#3 Yard Sale

Yard Sale
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 11 July 2006 - 09:09 AM

Thanks for the help!! :thumbsup:

So far, I have:
1. uninstalled spysweeper
2. installed Ewido Antimalware 4.0
3. updated Ewido
4. Downloaded Ccleaner and saved it to my desktop, then installed it.
5. Checked to see if any of the following were installed (none of them were): Oin; Outerinfo; Yazzle by Oin; Purityscan by Oin; Snowballers by Oin; Cowabanga by Oin; and anything else with Oin.
6. Found file ptapisp.dll and determined the original filename and company name: PTAPISP.DLL, and Equitrac Corporation.
7. Scanned PTAPISP.DLL with Jotti and got the following result:


File: PTAPISP.DLL
Status: OK
MD5 d4685c84006d54581b75b8a52f0b5cb6
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


I am now going to reboot into safe mode and run the HJT scan. I'll post those results shortly.

#4 Yard Sale

Yard Sale
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 11 July 2006 - 10:29 AM

OK,
1. I rebooted in safe mode
2. I ran HJT, and fixed the items you told me to fix. However, several items weren't there, including "R3 - URLSearchhook: (no name)...," "04 - HKCU\...\Run: [Oute]...," and "04 - HKCU\...\Run: [Wckauow]..."
3. I ran Ccleaner from safe mode following your exact instructions.
4. I ran Ewido and saved the report. Here it is:


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:48:46 AM 7/11/2006

+ Scan result:



HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned with backup (quarantined).
C:\WINNT\system32\opnliii.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Міcrosoft\dllhost.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).


::Report end


5. I rebooted in normal mode.
6. I unstalled Java 1.5.06 and installed 1.5.07
7. I checked my IE settings to make sure they corresponded to those you listed.
8. I tried to run an online scan with Panda but it wouldn't work. I got so far as having entered my location and email, but nothing happened after that...
9. Finally, I ran one last HJT scan. Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 9:27:47 AM, on 7/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LexisNexis\Cost Recovery Manager\lncomm.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thelink.irwl.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: LexisNexis ToolBar - {E92748B4-AFCC-4533-8876-DB99FD857949} - C:\Program Files\LexisNexis\Cost Recovery Manager\LNToolBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Ad Annihilator - {A1C18A7B-55E9-4DA3-A880-D112C791A9D8} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O3 - Toolbar: LexisNexis ToolBar - {E92748B4-AFCC-4533-8876-DB99FD857949} - C:\Program Files\LexisNexis\Cost Recovery Manager\LNToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Workshare3GW] C:\Program Files\Workshare\Modules\WMConfigAssistant.exe /userinit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/d68af6d45f...d6ae3cf4_21.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = irwl.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = irwl.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = irwl.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = irwl.local
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
O20 - AppInit_DLLs: ptapisp.dll c:\winnt\system32\
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Thanks for your help!! :thumbsup:

#5 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:38 AM

Posted 11 July 2006 - 11:14 AM

You're doing very well. Thank you.

Just a question: Did you run the PurityScan uninstaller?

If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed

Please download
VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HiJackThis log.

I tried to run an online scan with Panda but it wouldn't work. I got so far as having entered my location and email, but nothing happened after that...

It requires your permission for Active X. We changed the setting to "Change the Download signed ActiveX controls to Prompt " Try pressing the CTRL key when it prompts you about the Active X.

If you are still having problems, try this:

http://housecall.trendmicro.com/

Click on "Scan Now, it's free"
Choose Your Country and click on "Go"
Click on "Start Free Scan Now"


Post the results please.


#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:38 AM

Posted 16 July 2006 - 08:26 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread.and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users