
Outerinfo Ad Popup


This topic is locked
9 replies to this topic

#1 psycho_sideshow

psycho_sideshow

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 17 December 2006 - 03:30 AM

I am able to open Internet Explorer, but nearly every time a new browser window opens or when I navigate to a new website in my browser, a popup ad appears. Every one of the popup ads says that it is provided by OuterInfo. Some of them I can close immediately, but some of the ads make Internet Explorer stop responding and I have to close everything and start over with what I was trying to do online. It is very frustrating and I want to stop it before it gets worse!!

Logfile of HijackThis v1.99.1
Scan saved at 2:20:51 AM, on 12/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\PROGRA~1\STEM32~1\explorer.exe
C:\WINDOWS\?ssembly\n?pdb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {DE8677CB-9507-C9AA-2459-EC5B532931E8} - C:\WINDOWS\System32\zfkeoai.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DE8677CB-9507-C9AA-2459-EC5B532931E8} - C:\WINDOWS\System32\zfkeoai.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Tsac] "C:\PROGRA~1\STEM32~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Zqtnpjw] C:\WINDOWS\?ssembly\n?pdb.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Global Startup: HP Internet Center.lnk = C:\HP Internet\Surfboard\Surfbrd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166325176486
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 PM

Posted 17 December 2006 - 05:35 AM

Hello,

It is important you don't miss a step and perform everything in the right order!!

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


Reboot when done! Really important!

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {DE8677CB-9507-C9AA-2459-EC5B532931E8} - C:\WINDOWS\System32\zfkeoai.dll
O2 - BHO: (no name) - {DE8677CB-9507-C9AA-2459-EC5B532931E8} - C:\WINDOWS\System32\zfkeoai.dll
O4 - HKCU\..\Run: [Tsac] "C:\PROGRA~1\STEM32~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Zqtnpjw] C:\WINDOWS\?ssembly\n?pdb.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - AppInit_DLLs:


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post next logs in your following reply:
  • Log from combofix (combofix.txt)
  • Log from AVG Antispyware
  • New HijackThis log
You may need several replies to post the logs in case they won't fit in one reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
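A triage pass over the HijackThis entries the reply above singles out, as an added example that is not code from this thread or from HijackThis; the rule-of-thumb traits it checks are named in its comments, and it runs on a constructed subset of the posted log:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed subset of the HijackThis log posted in this thread: the entries
# the reply above tells the poster to fix, plus benign ones for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R3 - URLSearchHook: (no name) - {DE8677CB-9507-C9AA-2459-EC5B532931E8} - C:\WINDOWS\System32\zfkeoai.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DE8677CB-9507-C9AA-2459-EC5B532931E8} - C:\WINDOWS\System32\zfkeoai.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKCU\..\Run: [Tsac] "C:\PROGRA~1\STEM32~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Zqtnpjw] C:\WINDOWS\?ssembly\n?pdb.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166325176486
O20 - AppInit_DLLs:
"""

# System binaries that belong under the Windows directory; the same name under
# Program Files (or an 8.3 alias such as PROGRA~1) is an impostor, as with the
# [Tsac] entry in this thread.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}
WINDOWS_DIRS = ("C:\\WINDOWS\\", "C:\\WINNT\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def extract_path(kind: str, body: str) -> str:
    """Pull the file path or URL out of the body of one HijackThis entry."""
    if kind == "O4":
        # [Name] "C:\path\prog.exe" -args   or   [Name] C:\path\prog.exe
        m = re.search(r'\] (?:"([^"]+)"|(\S+))', body)
        return (m.group(1) or m.group(2)) if m else ""
    if kind in ("R0", "R1"):
        return body.split(" = ", 1)[1].strip() if " = " in body else ""
    if kind == "O20":
        return body.split(":", 1)[1].strip() if ":" in body else ""
    # O2/O3/O9/O16/O23/R3: the path is the last " - " separated field
    tail = body.rsplit(" - ", 1)[-1]
    return tail.replace("(file missing)", "").strip()


def triage(log_text: str) -> List[Finding]:
    """Return every R*/O* entry that shows at least one suspicious trait."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes" and blanks are skipped
        kind, body = m.group("kind"), m.group("body")
        path = extract_path(kind, body)
        is_local = LOCAL_PATH_RE.match(path) is not None
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if kind in ("O2", "O3", "R3") and "(no name)" in body:
            reasons.append("unnamed BHO/toolbar/URLSearchHook (legitimate add-ons carry a name)")
        if is_local and "?" in path:
            # HijackThis prints characters it cannot display as '?'; the ComboFix
            # log in this thread shows these were lookalike folder names.
            reasons.append("'?' in path: undisplayable character, as in the '?ssembly' folder")
        if is_local and name in SYSTEM_BINARIES and not path.upper().startswith(WINDOWS_DIRS):
            reasons.append(f"{name} started from outside the Windows directory")
        if "(file missing)" in body:
            reasons.append("entry points at a file that no longer exists (orphaned hook)")
        if kind == "O20" and body.startswith("AppInit_DLLs") and not path:
            reasons.append("AppInit_DLLs listed with an empty or unprintable value")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The two benign entries (Adobe BHO, BitDefender Run key) and the Windows Update URL with a '?' in it pass through unflagged, which is the check that the rules are not just matching on punctuation.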

#3 psycho_sideshow

psycho_sideshow
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 17 December 2006 - 04:16 PM

Thanks for your help! I will be donating $$$ because I really appreciate this. Here are the logs as requested (from ComboFix, AVG Anti-Spyware, and HijackThis).

HP Authorized Custom - 06-12-17 14:59:11.95 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\HP Authorized Custom\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{22640BEA-02DB-1033-0202-000923990001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\ēSKS~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\DOBE~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\TSKS~1
C:\QooBox\Purity\Program Files\STEM32~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-17 to 2006-12-17 ))))))))))))))))))))))))))))))))))


2006-12-17 14:15 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-17 14:15 <DIR> d-------- C:\Program Files\Grisoft
2006-12-17 13:56 4 --a------ C:\WINDOWS\UccSpecB.sys
2006-12-17 13:41 <DIR> d-------- C:\WINDOWSCache
2006-12-17 13:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2006-12-17 13:08 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-12-17 13:08 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-17 13:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2006-12-17 02:18 <DIR> d-------- C:\Program Files\HijackThis
2006-12-17 02:15 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2006-12-17 02:15 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2006-12-17 02:15 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-12-17 02:15 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2006-12-17 02:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2006-12-17 02:01 <DIR> d-------- C:\Program Files\Zone Labs
2006-12-17 02:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-17 01:59 13,714,856 --a------ C:\Program Files\zlsSetup_65_737_000_en.exe
2006-12-17 01:20 1,144,839 --a------ C:\Program Files\stng260.exe
2006-12-17 01:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-17 01:06 2,566,736 --a------ C:\Program Files\spywareblastersetup351.exe
2006-12-17 00:57 <DIR> d--hs---- C:\Config.Msi
2006-12-17 00:57 <DIR> d-------- C:\Program Files\Softwin
2006-12-17 00:55 13,817,440 --a------ C:\Program Files\bitdefender_free_v8.exe
2006-12-17 00:55 <DIR> d-------- C:\Program Files\Common Files\Softwin
2006-12-17 00:14 <DIR> d-------- C:\Documents and Settings\HP Authorized Custom\.housecall6.6
2006-12-16 23:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-16 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-16 23:05 5,037,072 --a------ C:\Program Files\spybotsd14.exe
2006-12-16 21:46 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-16 21:46 <DIR> d-------- C:\Documents and Settings\HP Authorized Custom\Application Data\Lavasoft
2006-12-16 21:44 2,855,080 --a------ C:\Program Files\aawsepersonal.exe
2006-12-16 21:13 465,176 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2006-12-16 21:13 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2006-12-16 21:13 194,328 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2006-12-16 21:13 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2006-12-16 21:13 172,312 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2006-12-16 21:13 127,256 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2006-12-16 21:13 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-12-16 03:33 69 --a-s---- C:\WINDOWS\test.bat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-17 01:58 17 --a------ C:\Program Files\stng260.opt
2006-12-09 22:06 32 --a------ C:\Documents and Settings\HP Authorized Custom\Application Data\ntl.ini
2006-09-16 23:44 1563 --a------ C:\Documents and Settings\HP Authorized Custom\Application Data\AdobeDLM.log
2006-09-16 23:44 0 --a------ C:\Documents and Settings\HP Authorized Custom\Application Data\dm.ini
2006-09-16 23:05 1951432 --a------ C:\Program Files\ppviewer.exe
2006-09-10 20:09 5438189 --a------ C:\Program Files\3511_enu_w2k_xp_release.zip
2006-09-10 19:23 5443056 --a------ C:\Program Files\3511_enu_w2k_xp_release.exe
2006-09-08 23:53 22470817 --a------ C:\Program Files\gimp-help-2-0.9-setup.zip
2006-09-08 23:47 5112338 --a------ C:\Program Files\gtk+-2.8.18-setup-1.zip
2006-09-08 23:45 7930697 --a------ C:\Program Files\gimp-2.2.13-i586-setup-1.zip
2006-09-08 23:42 1444776 --a------ C:\Program Files\NoteTab_Setup.exe
2006-09-03 05:37 62 --ahs---- C:\Documents and Settings\HP Authorized Custom\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdmcon.exe\""
"BDNewsAgent"="\"C:\\Program Files\\Softwin\\BitDefender8\\bdnagent.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiCwd32"="Aticwd32.exe"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM32\\HPScanFix.exe"
"hpsysdrv"="C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe"
"USBMMKBD"="usbmmkbd.exe"
"TCASUTIEXE"="TCAUDIAG.EXE -off"
"VsecomrEXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSEcomR.EXE"
"VsStatEXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSSTAT.EXE /SHOWWARNING"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job

Completion time: 06-12-17 15:01:33.38
C:\ComboFix.txt ... 06-12-17 15:01







---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:51:01 PM 12/17/2006

+ Scan result:



C:\System Volume Information\_restore{249A444A-629A-4213-B41A-4728FA0F86FE}\RP5\A0000193.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\b122.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\HP Authorized Custom\Desktop\OiUninstaller.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{249A444A-629A-4213-B41A-4728FA0F86FE}\RP5\A0000191.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\b116.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{22640BEA-02DB-1033-0202-000923990001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{249A444A-629A-4213-B41A-4728FA0F86FE}\RP5\A0000192.EXE -> Downloader.PurityScan.dr : Cleaned with backup (quarantined).
C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\b104.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Documents and Settings\HP Authorized Custom\Local Settings\Temporary Internet Files\Content.IE5\1KJ2VZPV\checkin[1].htm -> Downloader.Small.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{249A444A-629A-4213-B41A-4728FA0F86FE}\RP5\A0000148.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ib14.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@oasc04.247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@ads.planetactive[2].txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Cookies\hp authorized custom@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\HP Authorized Custom\Local Settings\Temp\Cookies\hp authorized custom@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\SYSTEM32\wnstssu.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

#4 psycho_sideshow

psycho_sideshow
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 17 December 2006 - 04:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:13:34 PM, on 12/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Global Startup: HP Internet Center.lnk = C:\HP Internet\Surfboard\Surfbrd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166325176486
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:41 PM

Posted 17 December 2006 - 04:45 PM

Hello,

Your HijackThis log looks clean again.

Delete the following folder if it is not gone already:

C:\Qoobox

There's something I would like to check though..
Browse to the following file:

C:\WINDOWS\test.bat

Don't double-click it, but RIGHT-click it and choose "Edit".
Notepad will open. Copy and paste its contents into your next reply.

Also let me know how things are running now.

#6 psycho_sideshow

psycho_sideshow
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:41 AM

Posted 17 December 2006 - 05:00 PM

:Repeat
del C:\31888468.exe
if exist C:\31888468.exe goto Repeat


The popup ads don't seem to be appearing anymore, yay! I have a question though. When I reboot my computer the ZoneAlarm firewall comes on and tells me when applications are trying to access the internet. I have been allowing BackWeb and BitDefender to access the internet, but I'm not sure what this other one is. It says AutoRun is trying to access the Internet. Application: surfbrd.exe. Should I allow or deny that one? In general I should only allow the applications that I recognize to access the internet, correct?

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 December 2006 - 05:16 PM

Hello,

Delete the test.bat.

Concerning your firewall messages: actually, BackWeb is not needed to start up with Windows either, so you may disable it from startup. I see you use a program for disabling programs that start with Windows, or you can use msconfig > Startup.

The surfbrd.exe is OK and is related to your HP Internet Center. HP Internet Center allows you to customize the multimedia keys on the fly without having to go to Control Panel --> Keyboard to change them.
Actually that one is not needed to start up with Windows either, so you may disable it from startup as well.

The same goes for OSA9.EXE; this is related to Microsoft Office, but it is a resource hog, so it is not recommended to start with Windows either.

Good to hear popups are gone now. :thumbsup:

To keep this clean in the future, I would suggest the following things:
  • Don't click on links inside popups.
  • Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
  • Download free software only from sites you know and trust, because a lot of free software bundles other software, including spyware.
  • Be careful when watching online videos, especially when they ask you to install a certain codec to watch the video. By default, your media player should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert and this so-called codec may install malware. More info here and here.
Let your antispyware scanner(s) scan frequently and don't forget to update them first.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2!
Effective October 11, 2006, Windows XP SP1 and SP1a will transition to a non-supported status. After this date, Microsoft will no longer provide any incident support options or security updates. Existing support documents, however, will continue to be available through the Microsoft Support Product Solution Center Web site.
http://support.microsoft.com/gp/lifean19

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

You can also find more info on how to prevent malware here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :flowers:

Edited by miekiemoes, 17 December 2006 - 05:17 PM.


#8 psycho_sideshow

psycho_sideshow
  • Topic Starter

  • Members
  • 5 posts

Posted 17 December 2006 - 05:41 PM

Thank you so much for your help and information!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 December 2006 - 05:42 PM

Glad I could help :thumbsup:

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 December 2006 - 05:44 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.