
Infected With Outerinfo Popups


  • This topic is locked
15 replies to this topic

#1 dustanlm

dustanlm

  • Members
  • 33 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 27 May 2007 - 07:35 PM

Please help. My computer is being hammered with popups. This has slowed my computer down immensely from startup. I receive pop up after pop up from outerinfo and also have this in my program list and have been unable to delete it. The pop ups only seem to come after I have an explorer window open. I have downloaded and run all of the suggested programs before making this post, but they did not resolve the problem. I am really in a bind; any help would be greatly appreciated. Thank you!

Logfile of HijackThis v1.99.1
Scan saved at 8:23:54 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\dustan marshall\Local Settings\Temp\wzbb13\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE" /FU "C:\WINDOWS\TEMP\E_SDD.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\system32\oajeqeqj.dll",realset
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Bthkel] "C:\Documents and Settings\dustan marshall\My Documents\?dobe\??rss.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:53 PM

Posted 27 May 2007 - 10:24 PM

Hello dustanlm,

I am SifuMike and I will be helping you. :thumbsup:

C:\Documents and Settings\dustan marshall\Local Settings\Temp\wzbb13\HijackThis.exe


You need to put HijackThis into its own folder, but not a temp folder. It won't save the backups if it is run from a temporary folder, and we will be deleting the temp folder.

Here is how to make a Hijackthis folder:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT".
Now you have C:\HJT\ folder. Put your hijackthis.exe there.

***********************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
***********************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 27 May 2007 - 10:32 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 dustanlm

dustanlm
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 28 May 2007 - 11:47 AM

"dustan marshall" - 2007-05-28 12:23:17 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\dustan marshall\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxkftauh.dll
C:\WINDOWS\system32\isnpjvtl.dll
C:\WINDOWS\system32\oajeqeqj.dll
C:\WINDOWS\system32\awtqpno.dll
C:\WINDOWS\system32\ndompvtu.exe
C:\WINDOWS\system32\jqeqejao.ini
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\vtuuvuu.dll
C:\WINDOWS\Fonts\wavesvr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\system32\netp.dll"
"C:\WINDOWS\system32\winnet.dll"
"C:\WINDOWS\system32\wsock.dll"
"C:\WINDOWS\system32\ws_imod.dll"
"C:\WINDOWS\system32\pstore.dll"
"C:\WINDOWS\system32\winload.dll"
"C:\WINDOWS\b136.exe"
"C:\WINDOWS\system32\klikalka.exe"
"C:\WINDOWS\Fonts\ntp2.ini"
"C:\Program Files\outerinfo"
"C:\WINDOWS\system32\drivers\core.sys"

Purity Folders:

C:\Program Files\Common Files\SSTEM~1
C:\Program Files\Common Files\SSEMBL~1
C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASEMBL~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 11:17 <DIR> d-------- C:\HJT
2007-05-27 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-27 20:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-27 16:03 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Lavasoft
2007-05-27 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-27 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-27 11:28 <DIR> d-------- C:\Program Files\Adware Away
2007-05-27 11:01 60,928 --a------ C:\WINDOWS\system32\uaeaa.dll
2007-05-26 09:42 <DIR> d-------- C:\WINDOWS\uifi
2007-05-26 09:42 <DIR> d-------- C:\Program Files\Common Files\uifi
2007-05-26 09:27 <DIR> d--hs---- C:\WINDOWS\ZHVzdGFuIG1hcnNoYWxs
2007-05-25 15:39 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\ArcSoft
2007-05-25 12:33 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-25 12:33 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-25 12:33 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-25 12:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-25 12:30 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-25 12:28 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Webroot
2007-05-25 10:54 2 --a------ C:\WINDOWS\system32\wintsvtr32.exe
2007-05-23 14:52 8,192 --a------ C:\WINDOWS\system32\msiphelp.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 16:35:38 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\uTorrent
2007-05-25 02:36:16 -------- d-----w C:\Program Files\uTorrent
2007-05-04 14:50:58 -------- d-----w C:\Program Files\QuickTime
2007-05-04 14:48:06 -------- d-----w C:\Program Files\Apple Software Update
2007-05-03 03:42:02 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-07 04:54:31 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\Leadertech
2007-04-07 04:53:45 -------- d-----w C:\Program Files\epson
2007-04-07 04:47:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-07 04:47:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 04:45:31 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 03:34:48 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Sonic
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:54:29 0 --sha-r C:\MSDOS.SYS
2007-03-17 04:54:29 0 --sha-r C:\IO.SYS
2007-03-17 04:54:29 0 ----a-w C:\CONFIG.SYS
2007-03-17 04:54:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-17 04:51:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{C079123D-A7A9-FA24-DB07-8EADA9E2219A}=C:\WINDOWS\system32\uaeaa.dll [2007-05-21 09:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 19:11]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-05-24 22:35]
"Sen"="C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe" [2007-05-25 10:53]
"Bthkel"="C:\Documents and Settings\dustan marshall\My Documents\?dobe\??rss.exe" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-25 10:58:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-27 08:00:06 C:\WINDOWS\tasks\wrSpySweeper_L9BF86C87E9834A628BD1BF6943A10454.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 12:36:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 12:38:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-28 12:38

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 12:42:38 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Bthkel] "C:\Documents and Settings\dustan marshall\My Documents\?dobe\??rss.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:53 PM

Posted 28 May 2007 - 12:12 PM

Hi dustanlm,

Looks better, but we still have a ways to go.

You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\uaeaa.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at Virus Total so they can send me the scan results. It usually takes as little as a couple of minutes to as long as a couple of hours for them to reply.
You can copy/paste the scan results here.

*******************************************

Look in your Control Panel under Add/Remove programs for the following:

PuritySCAN By OIN,
Snowballwars by OIN,
OuterInfo
or anything similar.

If found, click on it and click remove.

If not listed, download and run this uninstaller: http://www.outerinfo.com/OiUninstaller.exe

Reboot when done.

*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."


O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Bthkel] "C:\Documents and Settings\dustan marshall\My Documents\?dobe\??rss.exe"




*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know. A folder or file name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\Program Files\PurityScan\ <==folder
C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe <==file
C:\Documents and Settings\dustan marshall\My Documents\?dobe\??rss.exe <==file
Watch out: there is also a legit file called csrss.exe in your system32 folder. That one is legitimate and you may NOT delete it.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode.

Run ComboFix again.

Post a new Hijackthis log, the Virus Total results, and the ComboFix log.

Edited by SifuMike, 28 May 2007 - 12:13 PM.

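The two posts above hinge on reading HijackThis O4 (autostart) lines and picking out the entries that do not belong: a Run value that launches an executable from the user's My Documents or a temp folder, a name like "??rss.exe" whose '?' characters are non-ANSI bytes HijackThis cannot print (the file is imitating the system's csrss.exe), a spool32.exe that mimics spoolsv.exe, or a rundll32 loader for a random-named DLL. The following script is an added example written for this page; it is not part of the thread, not HijackThis code, and not a tool SifuMike used. It parses the O4 lines quoted from this thread (the sample is constructed from them) and applies those heuristics. The list of imitated system binaries, the user-directory markers and the 0.75 similarity threshold are assumptions chosen for illustration, not HijackThis or ComboFix rules.

```python
import difflib
import fnmatch
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: O4 (autostart) lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\system32\oajeqeqj.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\DUSTAN~1\MYDOCU~1\ASKS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Bthkel] "C:\Documents and Settings\dustan marshall\My Documents\?dobe\??rss.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Assumed short list of Windows binaries whose names malware likes to imitate.
SYSTEM_NAMES = ("csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "spoolsv.exe", "winlogon.exe", "explorer.exe")
# Assumed markers of user-writable locations; a Run value pointing there deserves a look.
USER_DIRS = ("docume~1", "documents and settings", "\\temp\\", "\\local settings\\")

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXT_RE = re.compile(r"(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))", re.IGNORECASE)
RUNDLL_RE = re.compile(r'"?rundll32(?:\.exe)?"?\s+(.*)', re.IGNORECASE)


@dataclass
class Entry:
    name: str
    target: str
    uses_rundll32: bool
    flags: list


def extract_target(cmd):
    """Return (file the Run value really launches, whether rundll32 is the loader)."""
    cmd = cmd.strip()
    uses_rundll32 = False
    m = RUNDLL_RE.match(cmd)
    if m:
        # rundll32 is only a loader; the DLL it is handed is the real payload
        uses_rundll32 = True
        cmd = m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:
        # unquoted paths may contain spaces, so cut at the first executable extension
        m = EXT_RE.match(cmd)
        target = m.group(1) if m else cmd.split()[0]
    return target, uses_rundll32


def looks_like_system_binary(basename):
    """True if the file name imitates a system binary, allowing '?' as a wildcard."""
    lowered = basename.lower()
    for sysname in SYSTEM_NAMES:
        if fnmatch.fnmatch(sysname, lowered):
            return True
        if difflib.SequenceMatcher(None, lowered, sysname).ratio() >= 0.75:
            return True
    return False


def assess(name, cmd):
    target, uses_rundll32 = extract_target(cmd)
    lowered = target.lower()
    flags = []
    if "?" in target:
        # HijackThis prints characters outside the ANSI code page as '?'
        flags.append("non-ansi-chars")
    if any(marker in lowered for marker in USER_DIRS):
        flags.append("user-profile-path")
    if uses_rundll32:
        flags.append("rundll32-dll")
    if "\\system32\\" not in lowered and looks_like_system_binary(ntpath.basename(target)):
        flags.append("system-name-lookalike")
    return Entry(name, target, uses_rundll32, flags)


def triage(log_text):
    """Parse every O4 line and return one Entry per autostart value."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries.append(assess(m.group("name"), m.group("cmd")))
    return entries


def flags_by_name(log_text):
    return {e.name: set(e.flags) for e in triage(log_text)}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        verdict = ", ".join(e.flags) if e.flags else "no flags"
        print(f"[{e.name}] {e.target} -> {verdict}")
```

Run against the sample, the script leaves the Intel, iTunes, ctfmon and WinZip entries unflagged and singles out exactly the three values the thread ends up removing: [setup] as a rundll32 loader, [Sen] for living in My Documents under a spoolsv-like name, and [Bthkel] for all of that plus the non-ANSI characters. The flags are prompts for a human or a VirusTotal submission, as in the thread, not a verdict on their own.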

#5 dustanlm

dustanlm
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 28 May 2007 - 01:29 PM

Hello again SifuMike,
Thank you so much for your help; my computer is acting much better already. The only problem I encountered was downloading the Outerinfo uninstaller, which I had previously tried to do before this post. Every time it just says the page cannot be loaded.

Logfile of HijackThis v1.99.1
Scan saved at 14:21, on 2007-05-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

"dustan marshall" - 2007-05-28 14:21:01 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\dustan marshall\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\Fonts\ntp2.ini"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 14:00 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-05-28 13:57 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 12:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-28 11:17 <DIR> d-------- C:\HJT
2007-05-27 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-27 20:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-27 16:03 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Lavasoft
2007-05-27 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-27 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-27 11:28 <DIR> d-------- C:\Program Files\Adware Away
2007-05-27 11:01 60,928 --a------ C:\WINDOWS\system32\uaeaa.dll
2007-05-26 09:42 <DIR> d-------- C:\WINDOWS\uifi
2007-05-26 09:42 <DIR> d-------- C:\Program Files\Common Files\uifi
2007-05-26 09:27 <DIR> d--hs---- C:\WINDOWS\ZHVzdGFuIG1hcnNoYWxs
2007-05-25 15:39 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\ArcSoft
2007-05-25 12:33 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-25 12:33 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-25 12:33 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-25 12:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-25 12:30 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-25 12:28 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Webroot
2007-05-25 10:54 2 --a------ C:\WINDOWS\system32\wintsvtr32.exe
2007-05-23 14:52 8,192 --a------ C:\WINDOWS\system32\msiphelp.dll
2007-05-23 14:23 <DIR> d-------- C:\yout


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 18:18:40 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\uTorrent
2007-05-25 02:36:16 -------- d-----w C:\Program Files\uTorrent
2007-05-04 14:50:58 -------- d-----w C:\Program Files\QuickTime
2007-05-04 14:48:06 -------- d-----w C:\Program Files\Apple Software Update
2007-05-03 03:42:02 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-07 04:54:31 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\Leadertech
2007-04-07 04:53:45 -------- d-----w C:\Program Files\epson
2007-04-07 04:47:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-07 04:47:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 04:45:31 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 03:34:48 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Sonic
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:54:29 0 --sha-r C:\MSDOS.SYS
2007-03-17 04:54:29 0 --sha-r C:\IO.SYS
2007-03-17 04:54:29 0 ----a-w C:\CONFIG.SYS
2007-03-17 04:54:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-17 04:51:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{C079123D-A7A9-FA24-DB07-8EADA9E2219A}=C:\WINDOWS\system32\uaeaa.dll [2007-05-21 09:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 19:11]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-05-24 22:35]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-25 10:58:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-27 08:00:06 C:\WINDOWS\tasks\wrSpySweeper_L9BF86C87E9834A628BD1BF6943A10454.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 14:22:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 14:23:18
C:\ComboFix-quarantined-files.txt ... 2007-05-28 14:23
C:\ComboFix2.txt ... 2007-05-28 12:38

--- E O F ---

STATUS: FINISHED
Complete scanning result of "uaeaa.dll", received in VirusTotal at 05.28.2007, 19:21:39 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 ADSPY/PurityScan.AK.174
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 Win32:Agent-RY
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.28.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.28.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 Spyware.Purityscan
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 Adware.PurityScan
FileAdvisor 1 05.28.2007 No threat detected
Fortinet 2.85.0.0 05.28.2007 Adware/Purityscan
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.28.2007 no virus found
Ikarus T3.1.1.8 05.28.2007 not-a-virus:AdWare.Win32.PurityScan.ak
Kaspersky 4.0.2.24 05.28.2007 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.28.2007 no virus found
NOD32v2 2293 05.27.2007 probably a variant of Win32/Adware.PurityScan
Norman 5.80.02 05.28.2007 W32/PurityScan.dam
Panda 9.0.0.4 05.28.2007 Adware/PurityScan
Prevx1 V2 05.28.2007 Trojan.NDrv
Sophos 4.18.0 05.28.2007 ClickSpring
Sunbelt 2.2.907.0 05.26.2007 ClickSpring.PuritySCAN
Symantec 10 05.28.2007 Adware.Purityscan
TheHacker 6.1.6.124 05.28.2007 Adware/PurityScan.ak
VBA32 3.12.0 05.28.2007 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.28.2007 Ad-Spyware.PurityScan.AK.174


Additional Information
File size: 60928 bytes
MD5: 58a29a9dce5d1abc28943567f080245a
SHA1: 0de465208dd61ace144b6d02a9866008dd6c9eb2
packers: PECompact
packers: PECOMPACT
Bit9 info: http://fileadvisor.bit9.com/services/extin...8943567f080245a
packers: PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=aa6597261699
Sunbelt info: PurityScan is an ad supported program that scans the user's Internet Explorer files, including browser cache, cookies and history for pornographic/adult related words and allows the user to delete them.
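The report above is a flat "Engine Version Update Result" listing, and the useful questions for a helper are how many engines flagged the file and whether they agree on a family. As an added example (not code from the thread or from VirusTotal), here is a small Python script that parses that layout, treats "no virus found" and "No threat detected" as clean verdicts, and counts family tokens once per engine so that vendor prefixes like `not-a-virus:AdWare.Win32` do not drown out the family name. The sample is the 31 result lines copied from the report above; the stop-list of generic qualifiers and the function names are my own choices.

```python
"""Summarize a pasted VirusTotal text report: detection ratio and family consensus."""
import re
from collections import Counter

# Constructed sample: the 31 result lines from the VirusTotal report above,
# in the "Engine Version Update Result" layout the site printed in 2007.
VT_REPORT = """\
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 ADSPY/PurityScan.AK.174
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 Win32:Agent-RY
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.28.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.28.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 Spyware.Purityscan
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 Adware.PurityScan
FileAdvisor 1 05.28.2007 No threat detected
Fortinet 2.85.0.0 05.28.2007 Adware/Purityscan
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.28.2007 no virus found
Ikarus T3.1.1.8 05.28.2007 not-a-virus:AdWare.Win32.PurityScan.ak
Kaspersky 4.0.2.24 05.28.2007 not-a-virus:AdWare.Win32.PurityScan.ak
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.28.2007 no virus found
NOD32v2 2293 05.27.2007 probably a variant of Win32/Adware.PurityScan
Norman 5.80.02 05.28.2007 W32/PurityScan.dam
Panda 9.0.0.4 05.28.2007 Adware/PurityScan
Prevx1 V2 05.28.2007 Trojan.NDrv
Sophos 4.18.0 05.28.2007 ClickSpring
Sunbelt 2.2.907.0 05.26.2007 ClickSpring.PuritySCAN
Symantec 10 05.28.2007 Adware.Purityscan
TheHacker 6.1.6.124 05.28.2007 Adware/PurityScan.ak
VBA32 3.12.0 05.28.2007 AdWare.Win32.PurityScan.ak
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.28.2007 Ad-Spyware.PurityScan.AK.174
"""

# engine and version never contain spaces; the result may.
RESULT_LINE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{2}\.\d{2}\.\d{4}) (?P<result>.+)$")
CLEAN_RESULTS = {"no virus found", "no threat detected"}
# Vendor qualifiers that appear in many names but identify no family (my stop-list).
GENERIC_TOKENS = {"win32", "w32", "adware", "ad", "adspy", "spyware", "trojan",
                  "virus", "not", "a", "probably", "variant", "of"}


def parse_report(text):
    """Return one dict (engine, version, updated, result) per parseable line."""
    rows = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_tokens(result):
    """Lower-cased alphabetic tokens of a detection name, minus generic qualifiers."""
    toks = {t.lower() for t in re.findall(r"[A-Za-z][A-Za-z0-9]*", result)}
    return {t for t in toks if len(t) >= 3 and t not in GENERIC_TOKENS}


def summarize(text):
    rows = parse_report(text)
    detections = [r for r in rows if r["result"].lower() not in CLEAN_RESULTS]
    votes = Counter()
    for r in detections:
        votes.update(family_tokens(r["result"]))  # one vote per engine per token
    top = votes.most_common(1)[0] if votes else None
    return {
        "engines": len(rows),
        "detections": len(detections),
        "top_family": top,  # (token, number of engines naming it)
        "detecting_engines": sorted(r["engine"] for r in detections),
    }


if __name__ == "__main__":
    s = summarize(VT_REPORT)
    print(f"{s['detections']}/{s['engines']} engines flagged the file; "
          f"consensus family: {s['top_family']}")
```

On the sample, 17 of 31 engines flag the file and 14 of those name PurityScan, which is the kind of agreement that justifies treating a single unnamed BHO in system32 as adware rather than a false positive from one vendor.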

#6 SifuMike (malware expert)

Posted 28 May 2007 - 02:04 PM

Hi dustanlm,

Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
(Description: Background task installed by Apple’s iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. If this task is currently running, and you have iTunes open, leave it alone. That said, this task, usually installed as a startup, does not actually need to be installed as a startup since iTunes starts it up anyway when it needs it. Let iTunes start it up whenever it needs to, particularly since it has a history of occasionally conflicting with other software and it uses nearly 6Mb of memory.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
(Description: Apple’s QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog – it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise – what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray.)

*******************************************

Using Windows Explorer, delete the following files/folders in bold

C:\WINDOWS\system32\uaeaa.dll <==file




*******************************************

Let's empty the temp files:

Run CCleaner.

*******************************************


Reboot to your computer.

Run ComboFix again.

Post a new Hijackthis log, and the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
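The two things the helper picked out of the logs above were an autostart entry whose target file no longer exists (the Yahoo! Toolbar URLSearchHook) and a browser helper object whose DLL had appeared in system32 one day before the scan (uaeaa.dll, 60,928 bytes, listed under ComboFix's "Files Created"). As an added example, not code from the thread or from the HijackThis or ComboFix authors, here is a Python script that does that cross-reference mechanically: it parses HijackThis entries, parses the ComboFix "Files Created" section, and flags entries that are orphaned or whose target was created within a recent window. The sample lines are copied from the logs above; the 14-day window, the scan time stamp taken from the ComboFix header, and the function names are my own assumptions.

```python
"""Cross-reference HijackThis autostart entries with ComboFix's file-creation
list to triage a log the way a forum helper does by eye (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: HijackThis lines copied from the log above.
HJT_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

# Constructed sample: lines from the ComboFix "Files Created" section above.
COMBOFIX_CREATED = r"""
2007-05-28 12:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-27 11:01 60,928 --a------ C:\WINDOWS\system32\uaeaa.dll
2007-05-25 12:33 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-23 14:52 8,192 --a------ C:\WINDOWS\system32\msiphelp.dll
"""

# Time stamp of the ComboFix run shown above ("2007-05-28 14:21:01").
SCAN_TIME = datetime(2007, 5, 28, 14, 21)

HJT_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter or %windir% path ending in a loadable file extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%windir%)\\[^"]+?\.(?:dll|exe|sys|ocx)', re.IGNORECASE)
# File lines carry a numeric size; <DIR> lines do not match and are skipped.
CF_FILE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>[\d,]+) \S+ (?P<path>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return one dict per HijackThis entry: kind (O2, O4, ...), body, target path."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append({
            "kind": m.group("kind"),
            "body": body,
            "path": pm.group(0) if pm else None,
            "orphaned": any(mark in body for mark in ORPHAN_MARKERS),
        })
    return entries


def parse_combofix_created(text):
    """Map lower-cased path -> (creation time, size in bytes) for each file line."""
    created = {}
    for line in text.splitlines():
        m = CF_FILE.match(line.strip())
        if m:
            created[m.group("path").lower()] = (
                datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M"),
                int(m.group("size").replace(",", "")),
            )
    return created


def triage(hjt_text, combofix_text, scan_time, recent_days=14):
    """Flag orphaned entries and entries whose target file is newer than recent_days."""
    created = parse_combofix_created(combofix_text)
    findings = []
    for e in parse_hjt(hjt_text):
        reasons = []
        if e["orphaned"]:
            reasons.append("registry entry points at a file that no longer exists")
        key = e["path"].lower() if e["path"] else None
        if key in created:
            when, size = created[key]
            age = scan_time - when
            if timedelta(0) <= age <= timedelta(days=recent_days):
                reasons.append(f"target file was created {age.days} day(s) before the scan "
                               f"({size} bytes)")
        if reasons:
            findings.append({"kind": e["kind"], "path": e["path"], "reasons": reasons})
    return findings


def run_sample():
    return triage(HJT_LOG, COMBOFIX_CREATED, SCAN_TIME)


if __name__ == "__main__":
    for f in run_sample():
        print(f["kind"], f["path"], "->", "; ".join(f["reasons"]))
```

On the sample this reports the Yahoo! Toolbar hook and the xpnetdiag button as orphaned entries (harmless, but worth fixing so the log stays readable) and uaeaa.dll as a BHO whose file is one day old; the Acrobat and Spy Sweeper entries are left alone because neither path appears in the recently-created list.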

#7 dustanlm (Topic Starter)

Posted 28 May 2007 - 03:42 PM

Logfile of HijackThis v1.99.1
Scan saved at 16:37, on 2007-05-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe
C:\ComboFix\mtee.cfexe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll (file missing)
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


"dustan marshall" - 2007-05-28 16:36:50 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\dustan marshall\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 16:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-28 14:00 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-05-28 13:57 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 12:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-28 11:17 <DIR> d-------- C:\HJT
2007-05-27 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-27 20:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-27 16:03 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Lavasoft
2007-05-27 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-27 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-27 11:28 <DIR> d-------- C:\Program Files\Adware Away
2007-05-26 09:42 <DIR> d-------- C:\WINDOWS\uifi
2007-05-26 09:42 <DIR> d-------- C:\Program Files\Common Files\uifi
2007-05-26 09:27 <DIR> d--hs---- C:\WINDOWS\ZHVzdGFuIG1hcnNoYWxs
2007-05-25 15:39 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\ArcSoft
2007-05-25 12:33 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-25 12:33 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-25 12:33 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-25 12:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-25 12:30 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-25 12:28 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Webroot
2007-05-25 10:54 2 --a------ C:\WINDOWS\system32\wintsvtr32.exe
2007-05-23 14:52 8,192 --a------ C:\WINDOWS\system32\msiphelp.dll
2007-05-23 14:23 <DIR> d-------- C:\yout


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 20:36:01 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\uTorrent
2007-05-25 02:36:16 -------- d-----w C:\Program Files\uTorrent
2007-05-04 14:50:58 -------- d-----w C:\Program Files\QuickTime
2007-05-04 14:48:06 -------- d-----w C:\Program Files\Apple Software Update
2007-05-03 03:42:02 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-07 04:54:31 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\Leadertech
2007-04-07 04:53:45 -------- d-----w C:\Program Files\epson
2007-04-07 04:47:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-07 04:47:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 04:45:31 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 03:34:48 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Sonic
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:54:29 0 --sha-r C:\MSDOS.SYS
2007-03-17 04:54:29 0 --sha-r C:\IO.SYS
2007-03-17 04:54:29 0 ----a-w C:\CONFIG.SYS
2007-03-17 04:54:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-17 04:51:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{C079123D-A7A9-FA24-DB07-8EADA9E2219A}=C:\WINDOWS\system32\uaeaa.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 19:11]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-05-24 22:35]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-25 10:58:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-27 08:00:06 C:\WINDOWS\tasks\wrSpySweeper_L9BF86C87E9834A628BD1BF6943A10454.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 16:38:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 16:38:35
C:\ComboFix-quarantined-files.txt ... 2007-05-28 16:38
C:\ComboFix2.txt ... 2007-05-28 14:23
C:\ComboFix3.txt ... 2007-05-28 12:38

--- E O F ---

#8 SifuMike (malware expert)

Posted 28 May 2007 - 05:07 PM

Hi dustanlm,

Looks much better. :thumbsup: Just some minor cleanup to do now.

I see these two items in your running processes:
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe



Were you using the findstr command and did you leave it running?

*******************************************

You will need to disable Spy Sweeper while we use Hijackthis, as it will prevent registry changes.

To disable SpySweeper:
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

After we have your computer clean, then you can enable it.


In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll (file missing)



Let's empty the temp files:

Run CCleaner.


Reboot to your computer.

Run ComboFix again.

Post a new Hijackthis log, and the ComboFix log.

#9 dustanlm (Topic Starter)

Posted 28 May 2007 - 09:48 PM

Since I am really not familiar with 'findstr' I would be under the assumption that I wasn't using it. I am sure at times you have to work with some pretty computer 'illiterate' individuals, so I apologize for my lack of knowledge in this area :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:19 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll (file missing)
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

"dustan marshall" - 2007-05-28 22:39:54 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\dustan marshall\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 16:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-28 14:00 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-05-28 13:57 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 12:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-28 11:17 <DIR> d-------- C:\HJT
2007-05-27 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-27 20:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-27 16:03 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Lavasoft
2007-05-27 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-27 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-27 11:28 <DIR> d-------- C:\Program Files\Adware Away
2007-05-26 09:42 <DIR> d-------- C:\WINDOWS\uifi
2007-05-26 09:42 <DIR> d-------- C:\Program Files\Common Files\uifi
2007-05-26 09:27 <DIR> d--hs---- C:\WINDOWS\ZHVzdGFuIG1hcnNoYWxs
2007-05-25 15:39 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\ArcSoft
2007-05-25 12:33 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-25 12:33 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-25 12:33 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-25 12:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-25 12:30 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-25 12:28 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Webroot
2007-05-25 10:54 2 --a------ C:\WINDOWS\system32\wintsvtr32.exe
2007-05-23 14:52 8,192 --a------ C:\WINDOWS\system32\msiphelp.dll
2007-05-23 14:23 <DIR> d-------- C:\yout


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 02:39:24 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\uTorrent
2007-05-25 02:36:16 -------- d-----w C:\Program Files\uTorrent
2007-05-04 14:50:58 -------- d-----w C:\Program Files\QuickTime
2007-05-04 14:48:06 -------- d-----w C:\Program Files\Apple Software Update
2007-05-03 03:42:02 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-07 04:54:31 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\Leadertech
2007-04-07 04:53:45 -------- d-----w C:\Program Files\epson
2007-04-07 04:47:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-07 04:47:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 04:45:31 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 03:34:48 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Sonic
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:54:29 0 --sha-r C:\MSDOS.SYS
2007-03-17 04:54:29 0 --sha-r C:\IO.SYS
2007-03-17 04:54:29 0 ----a-w C:\CONFIG.SYS
2007-03-17 04:54:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-17 04:51:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{C079123D-A7A9-FA24-DB07-8EADA9E2219A}=C:\WINDOWS\system32\uaeaa.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 19:11]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-05-24 22:35]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-25 10:58:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-27 08:00:06 C:\WINDOWS\tasks\wrSpySweeper_L9BF86C87E9834A628BD1BF6943A10454.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 22:41:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 22:41:21
C:\ComboFix-quarantined-files.txt ... 2007-05-28 22:41
C:\ComboFix2.txt ... 2007-05-28 16:38
C:\ComboFix3.txt ... 2007-05-28 14:23

--- E O F ---

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:53 PM

Posted 28 May 2007 - 10:15 PM

Hi dustanlm,

Looks like the Hijackthis fix did not work. :thumbsup:

The normal reason it does not work is that you have a registry protector active, or you left a window open (close browser/explorer windows) while using Hijackthis.

So let's try the fix again. :flowers: If it does not work this time I will have to use a registry fix.

You will need to disable Spy Sweeper while we use Hijackthis, as it will prevent registry changes.

To disable SpySweeper:
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
After we have your computer clean, then you can enable it.


In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll (file missing)


Reboot your computer.


You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:
C:\WINDOWS\system32\wintsvtr32.exe
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Then repeat the above with this file:
C:\WINDOWS\system32\msiphelp.dll


Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.



Run ComboFix again.

Post a new Hijackthis log, the Virus Total results, and the ComboFix log. :huh:

Edited by SifuMike, 28 May 2007 - 10:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.
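The fix SifuMike asks for above comes from reading the HijackThis log for entries that do not belong: a BHO registered with no class name whose DLL is already gone, or a service with no publisher. The script below is an added example, not code from this thread or from HijackThis, that applies those same heuristics to a constructed set of log lines in the format posted here; the rules, the three severity levels and the names `triage_hjt`, `lines_to_fix` and `Finding` are the editor's own. It also shows why a human still has to look: the Windows Media Player sharing service trips two rules and is harmless, while the unnamed BHO is the one entry worth fixing.

```python
import re
from dataclasses import dataclass

# Matches the "O2 - ...", "R1 - ..." entry lines of a HijackThis log.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C079123D-A7A9-FA24-DB07-8EADA9E2219A} - C:\WINDOWS\system32\uaeaa.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
"""

_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    severity: str  # "low", "medium" or "high"
    reasons: list  # the heuristics that fired, in plain words
    line: str      # the original log line


def _raise(current, new):
    """Return the higher of two severities."""
    return max(current, new, key=_RANK.get)


def triage_hjt(log_text):
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons, severity = [], "low"
        # A BHO registered without a class name: legitimate add-ins name themselves.
        if section == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO")
            severity = _raise(severity, "high")
        # The registration points at a file that no longer exists: a leftover of
        # an uninstalled component, or of a cleanup that removed the file but not the key.
        if "(file missing)" in body:
            reasons.append("target file missing")
            severity = _raise(severity, "medium")
        # Service binary carries no publisher information.
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
            severity = _raise(severity, "low")
        if reasons:
            findings.append(Finding(section, severity, reasons, line))
    return findings


def lines_to_fix(findings):
    """The lines a helper would ask the user to select in HijackThis: high severity only."""
    return [f.line for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.section}: {', '.join(f.reasons)}\n    {f.line}")
```

Medium and low findings are there to be read, not fixed blindly: a missing target under a random-looking system32 name (uaeaa.dll) is a different thing from a missing xpnetdiag.exe, and only the line the human confirms goes into the "fix" list.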

#11 dustanlm

dustanlm
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:53 PM

Posted 28 May 2007 - 11:34 PM

Complete scanning result of "wintsvtr32.exe", received in VirusTotal at 05.29.2007, 06:10:13 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.29.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 Win32.Xorpix.al
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 Trojan.Small
FileAdvisor 1 05.29.2007 No threat detected
Fortinet 2.85.0.0 05.29.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.29.2007 no virus found
Ikarus T3.1.1.8 05.28.2007 no virus found
Kaspersky 4.0.2.24 05.29.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2294 05.28.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.29.2007 Polymorphic Trojans
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.29.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.29.2007 no virus found


Aditional Information
File size: 2 bytes
MD5: 4f3dd0ffb3e41c5f74b5b0d8c1f10bb5
SHA1: e688cf7414fb701c4495010d43a4eaaaeac71768
Bit9 info: http://fileadvisor.bit9.com/services/extin...4b5b0d8c1f10bb5
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=4f3d691635

Complete scanning result of "msiphelp.dll", received in VirusTotal at 05.29.2007, 06:20:43 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 TR/Spy.Nukulus.A.4
Authentium 4.93.8 05.23.2007 W32/Downloader2.DBW
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 Generic4.RKN
BitDefender 7.2 05.29.2007 Trojan.Spy.Nuklus.A
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 Win32.Agent.aet
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 Trojan.Agent.aet
FileAdvisor 1 05.29.2007 No threat detected
Fortinet 2.85.0.0 05.29.2007 W32/Agent.AET!tr
F-Prot 4.3.2.48 05.25.2007 W32/Downloader2.DBW
F-Secure 6.70.13030.0 05.29.2007 Trojan.Win32.Agent.aet
Ikarus T3.1.1.8 05.28.2007 Trojan.Win32.Agent.aet
Kaspersky 4.0.2.24 05.29.2007 Trojan.Win32.Agent.aet
McAfee 5040 05.28.2007 Generic PWS.o
Microsoft 1.2503 05.29.2007 VirTool:Win32/Obfuscator.C
NOD32v2 2294 05.28.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 Trj/Downloader.MDW
Prevx1 V2 05.29.2007 no virus found
Sophos 4.18.0 05.28.2007 Mal/EncPk-H
Sunbelt 2.2.907.0 05.26.2007 Infostealer.Nuklus
Symantec 10 05.29.2007 Infostealer.Nuklus
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 Trojan.Win32.Agent.aet
VirusBuster 4.3.23:9 05.28.2007 Trojan.Agent.HOK
Webwasher-Gateway 6.0.1 05.29.2007 Trojan.Spy.Nukulus.A.4


Aditional Information
File size: 8192 bytes
MD5: fa7b24d764fc247627d04cad494308a8
SHA1: 18df884441d9ca4eefb773639268972a0481207b
Bit9 info: http://fileadvisor.bit9.com/services/extin...7d04cad494308a8

Logfile of HijackThis v1.99.1
Scan saved at 00:29, on 2007-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


"dustan marshall" - 2007-05-29 0:28:49 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\dustan marshall\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-28 16:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-28 14:00 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-05-28 13:57 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 12:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-28 11:17 <DIR> d-------- C:\HJT
2007-05-27 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-27 20:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-27 16:03 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Lavasoft
2007-05-27 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-27 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-27 11:28 <DIR> d-------- C:\Program Files\Adware Away
2007-05-26 09:42 <DIR> d-------- C:\WINDOWS\uifi
2007-05-26 09:42 <DIR> d-------- C:\Program Files\Common Files\uifi
2007-05-26 09:27 <DIR> d--hs---- C:\WINDOWS\ZHVzdGFuIG1hcnNoYWxs
2007-05-25 15:39 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\ArcSoft
2007-05-25 12:33 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-25 12:33 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-25 12:33 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-25 12:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-25 12:30 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-25 12:28 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Webroot
2007-05-25 10:54 2 --a------ C:\WINDOWS\system32\wintsvtr32.exe
2007-05-23 14:52 8,192 --a------ C:\WINDOWS\system32\msiphelp.dll
2007-05-23 14:23 <DIR> d-------- C:\yout


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 04:29:33 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\uTorrent
2007-05-25 02:36:16 -------- d-----w C:\Program Files\uTorrent
2007-05-04 14:50:58 -------- d-----w C:\Program Files\QuickTime
2007-05-04 14:48:06 -------- d-----w C:\Program Files\Apple Software Update
2007-05-03 03:42:02 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-07 04:54:31 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\Leadertech
2007-04-07 04:53:45 -------- d-----w C:\Program Files\epson
2007-04-07 04:47:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-07 04:47:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 04:45:31 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 03:34:48 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Sonic
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:54:29 0 --sha-r C:\MSDOS.SYS
2007-03-17 04:54:29 0 --sha-r C:\IO.SYS
2007-03-17 04:54:29 0 ----a-w C:\CONFIG.SYS
2007-03-17 04:54:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-17 04:51:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 19:11]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-05-24 22:35]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-25 10:58:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-27 08:00:06 C:\WINDOWS\tasks\wrSpySweeper_L9BF86C87E9834A628BD1BF6943A10454.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 00:29:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 0:30:15
C:\ComboFix-quarantined-files.txt ... 2007-05-29 00:30
C:\ComboFix2.txt ... 2007-05-28 22:41
C:\ComboFix3.txt ... 2007-05-28 16:38

--- E O F ---
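
The two VirusTotal reports in this reply tell different stories: a 2-byte file that three engines flag with generic heuristic names, and an 8 KB DLL that most engines name consistently (Nuklus / Agent.aet). The script below is an added example, not VirusTotal's code and not part of the thread, that parses the text format of these 2007-era reports into a detection ratio and, before a file is deleted by hand as in the next reply, checks that the bytes on disk carry the MD5 and SHA1 the report was made from. The excerpt it parses is constructed from rows above; the function names and the empty-input digests used in the self-check are the editor's own.

```python
import hashlib

# Constructed excerpt in the shape of the VirusTotal text report posted above:
# engine, engine version, signature date and verdict, separated by spaces.
SAMPLE_VT_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 Win32.Xorpix.al
Ewido 4.0 05.28.2007 Trojan.Small
FileAdvisor 1 05.29.2007 No threat detected
McAfee 5040 05.28.2007 no virus found
Prevx1 V2 05.29.2007 Polymorphic Trojans
Symantec 10 05.29.2007 no virus found
"""

# Verdict strings this report format used for "nothing found".
CLEAN_VERDICTS = {"no virus found", "no threat detected"}


def parse_vt_report(text):
    """Map engine name -> verdict. Verdicts may contain spaces, so only the
    first three whitespace-separated fields are split off."""
    verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue  # blank line or the column header
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # not an engine row
        engine, _version, _update, verdict = parts
        verdicts[engine] = verdict
    return verdicts


def detections(verdicts):
    """Engines that reported something, with the name they gave it."""
    return {e: v for e, v in verdicts.items() if v.lower() not in CLEAN_VERDICTS}


def detection_ratio(verdicts):
    """(engines flagging, engines total), the number usually quoted from a report."""
    return len(detections(verdicts)), len(verdicts)


def hashes_match(data, expected_md5, expected_sha1):
    """True when both digests from the report match the bytes in hand."""
    return (hashlib.md5(data).hexdigest() == expected_md5.lower()
            and hashlib.sha1(data).hexdigest() == expected_sha1.lower())


def verify_file(path, expected_md5, expected_sha1):
    """Hash a file on disk and compare it with the digests a report quoted."""
    with open(path, "rb") as fh:
        return hashes_match(fh.read(), expected_md5, expected_sha1)


if __name__ == "__main__":
    verdicts = parse_vt_report(SAMPLE_VT_REPORT)
    hit, total = detection_ratio(verdicts)
    print(f"{hit}/{total} engines flagged the sample:")
    for engine, name in sorted(detections(verdicts).items()):
        print(f"  {engine}: {name}")
```

A low ratio made of heuristic names ("Polymorphic Trojans", "Trojan.Small") on a 2-byte file says little on its own; the file is worth removing here because of where it appeared and when, not because of the count. The hash check matters for the opposite reason: a file that has been replaced since the scan is no longer the file the report describes.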

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:53 PM

Posted 28 May 2007 - 11:47 PM

Hi dustanlm,

Let's get rid of this malware. :thumbsup:

Using Windows Explorer, delete the following files in bold:

C:\WINDOWS\system32\wintsvtr32.exe <==file
C:\WINDOWS\system32\msiphelp.dll <==file

Run ComboFix again, and post the log.

#13 dustanlm

dustanlm
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:53 PM

Posted 29 May 2007 - 09:12 AM

"dustan marshall" - 2007-05-29 10:06:28 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\dustan marshall\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-28 16:30 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-28 14:00 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-05-28 13:57 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 12:38 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-28 11:17 <DIR> d-------- C:\HJT
2007-05-27 20:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-05-27 20:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-27 16:03 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Lavasoft
2007-05-27 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-27 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-27 11:28 <DIR> d-------- C:\Program Files\Adware Away
2007-05-26 09:42 <DIR> d-------- C:\WINDOWS\uifi
2007-05-26 09:42 <DIR> d-------- C:\Program Files\Common Files\uifi
2007-05-26 09:27 <DIR> d--hs---- C:\WINDOWS\ZHVzdGFuIG1hcnNoYWxs
2007-05-25 15:39 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\ArcSoft
2007-05-25 12:33 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-25 12:33 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-05-25 12:33 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-25 12:33 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-25 12:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-05-25 12:30 <DIR> d-------- C:\Program Files\Webroot
2007-05-25 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-05-25 12:28 <DIR> d-------- C:\DOCUME~1\DUSTAN~1\APPLIC~1\Webroot
2007-05-23 14:23 <DIR> d-------- C:\yout


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 13:59:18 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\uTorrent
2007-05-25 02:36:16 -------- d-----w C:\Program Files\uTorrent
2007-05-04 14:50:58 -------- d-----w C:\Program Files\QuickTime
2007-05-04 14:48:06 -------- d-----w C:\Program Files\Apple Software Update
2007-05-03 03:42:02 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\AdobeUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-07 04:54:31 -------- d-----w C:\DOCUME~1\DUSTAN~1\APPLIC~1\Leadertech
2007-04-07 04:53:45 -------- d-----w C:\Program Files\epson
2007-04-07 04:47:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-07 04:47:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-07 04:45:31 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 03:34:48 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Sonic
2007-04-06 03:34:47 -------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:54:29 0 --sha-r C:\MSDOS.SYS
2007-03-17 04:54:29 0 --sha-r C:\IO.SYS
2007-03-17 04:54:29 0 ----a-w C:\CONFIG.SYS
2007-03-17 04:54:29 0 ----a-w C:\AUTOEXEC.BAT
2007-03-17 04:51:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 19:11]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-05-24 22:35]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]


Contents of the 'Scheduled Tasks' folder
2007-05-25 10:58:04 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-29 08:00:11 C:\WINDOWS\tasks\wrSpySweeper_L9BF86C87E9834A628BD1BF6943A10454.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 10:07:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 10:07:47
C:\ComboFix-quarantined-files.txt ... 2007-05-29 10:07
C:\ComboFix2.txt ... 2007-05-29 00:30
C:\ComboFix3.txt ... 2007-05-28 22:41

--- E O F ---

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:53 PM

Posted 29 May 2007 - 12:22 PM

Hello dustanlm,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.



Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.

#15 dustanlm

dustanlm
  • Topic Starter

  • Members
  • 33 posts
  • Local time:11:53 PM

Posted 29 May 2007 - 09:37 PM

Just wanted to extend my gratitude again. Thank you so much for your help man. Take care!



