Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

POP UPS From OUTERINFO

Started by robbiegee , Jan 21 2007 01:54 PM

Please log in to reply

#1
robbiegee

Posted 21 January 2007 - 01:54 PM

Member

Member
11 posts

Hey everyone. I am having problems on my family's computer. One day pop ups just started coming from OUTERINFO. I have had problems from other things in the past and have successfully got rid of those problems. However, this is something that I cannot get rid of. I have ran spy-bot, ccleaner, and a few other different programs, but the problem still continues. A friend of mine recommended to give Geeks to Go a try by posting a Hijack this log.

I was hoping that someone out here can give me a hand.

My family and I will really appreciate any help.

Here is my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 2:38:52 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{28EAC647-0892-1033-1014-030106000001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SSTEM3~1\notepad.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\?icrosoft.NET\?ti2evxx.exe
C:\Documents and Settings\Fred\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{28EAC647-0892-1033-1014-030106000001}] "C:\Program Files\Common Files\{28EAC647-0892-1033-1014-030106000001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [{28EAC647-0893-1033-1014-030106000001}] "C:\Program Files\Common Files\{28EAC647-0893-1033-1014-030106000001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uhun] "C:\PROGRA~1\COMMON~1\SSTEM3~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ksckqsd] C:\Program Files\?icrosoft.NET\?ti2evxx.exe
O4 - HKCU\..\Run: [qzro] C:\Program Files\Common Files\qzro\qzrom.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Thanks everybody.

#2
rem

Posted 21 January 2007 - 02:13 PM

Visiting Staff

Member
464 posts

Hi robbiegee and welcome to 'geeks to go' :blink:

My name is Colin & I will be helping you to resolve this problem.

Please give me a little time to anlalyse your log & I'll get back to you ASAP :whistling:

#3
robbiegee

Posted 21 January 2007 - 02:53 PM

Member

Topic Starter
Member
11 posts

Thanks rem. I greatly appreciate it.

#4
rem

Posted 21 January 2007 - 03:47 PM

Visiting Staff

Member
464 posts

Hi robbiegee, welcome back. :whistling:

I greatly appreciate it.

No problem.

We've got quite a few nasties here so this going to take several steps to fix.
Right let's get started.

Step 1
You are currently using HijackThis from the desktop, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a folder on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that folder from now on.
DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL ASKED TO DO SO, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Step 2
Please open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Step 3
1. Please download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Step 4
To recap, please post back:
1) Uninstall list from Step 2
2) Combofix log from Step 3
3) A fresh HijackThis log (run from C:\HJT) & we'll take things from there.

Colin. :blink:

#5
robbiegee

Posted 22 January 2007 - 02:37 PM

Member

Topic Starter
Member
11 posts

Thanks Colin for your help and patience. Here is the things you requested.

Uninstall list. (Note I see the Outer info program there, but I have removed it many times, it does not solve the problem, and it keeps popping up in there.)

Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.7
AutoCAD Learning Assistance
AutoCAD R14.0
CCleaner (remove only)
eTrust EZ Antivirus
eTrust EZ Armor
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
iTunes
Macromedia Flash Player 8
Microsoft Office Professional Edition 2003
Outerinfo
PowerDVD
QuickTime
Realtek AC'97 Audio
Spybot - Search & Destroy 1.4
Windows XP Service Pack 2
Yahoo! Anti-Spy
Yahoo! Install Manager
Yahoo! Toolbar for Internet Explorer

Here is my Combofix log:

"Fred" - 07-01-22 15:22:51 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{28EAC~2
C:\Program Files\Outerinfo
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\{28EAC~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\ECURIT~1
C:\qoobox\purity\Program Files\ICROSO~1.NET
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\TSKS~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1\notepad.exe
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1\s?stem32
C:\qoobox\purity\Program Files\ICROSO~1.NET\?ti2evxx.exe

((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))

2007-01-22 15:25 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-22 15:21 849,830 --a------ C:\combofix.exe
2007-01-21 15:18 <DIR> d-------- C:\HJT
2007-01-20 16:14 60,416 --a------ C:\WINDOWS\system32\rxsdpomj.dll
2007-01-16 15:49 2 --a------ C:\WINDOWS\system32\wapisvtr.exe
2007-01-15 14:28 <DIR> d-------- C:\Program Files\CCleaner
2007-01-14 16:16 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-14 14:20 <DIR> d-------- C:\WINDOWS\qzro
2007-01-14 14:20 <DIR> d-------- C:\Program Files\Common Files\qzro

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-13 16:16 -------- d---s---- C:\Documents and Settings\Fred\Application Data\microsoft

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Uhun"="\"C:\\PROGRA~1\\COMMON~1\\SSTEM3~1\\notepad.exe\" -vt yazb"
"Ksckqsd"="C:\\Program Files\\?icrosoft.NET\\?ti2evxx.exe"
"qzro"="C:\\Program Files\\Common Files\\qzro\\qzrom.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 07-01-22 15:28:08

And here is my fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:20 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uhun] "C:\PROGRA~1\COMMON~1\SSTEM3~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ksckqsd] C:\Program Files\?icrosoft.NET\?ti2evxx.exe
O4 - HKCU\..\Run: [qzro] C:\Program Files\Common Files\qzro\qzrom.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Thanks again for your help, and sorry it is such a mess.

Rob

#6
rem

Posted 22 January 2007 - 04:02 PM

Visiting Staff

Member
464 posts

Hi again Rob,
sorry it is such a mess.
Hey, no need to apologise, that's why I'm here. I've seen a lot worse. Combofix killed quite a lot there, good job.
Now let's try to get rid of the Vundo infection & tidy things up a bit.

We are experiencing a slight random glitch in the forum at the moment where sometimes a blank post is posted.
One way round this is to wrap the entire post in a 'quote' tag (like I have had to do with this one).
To find out if your post is going to be blank, click on the 'Preview Post' button. If your post previews OK, it will post OK.
If your post doesn't preview at all, it will post blank & you'll have to wrap your post in the 'quote' tags.
To use the quote tags highlight ALL of your post, then click the ninth icon from the left on the reply toolbar (It looks like a speech quote, & if you hold your mouse over it, a pop up box says "Wrap in a quote". Your post should then preview & post OK.
If you experience any problems please PM me & I'll gladly help. Sorry for the inconvenience.

Step 1
Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step 2
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O4 - HKCU\..\Run: [Uhun] "C:\PROGRA~1\COMMON~1\SSTEM3~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Ksckqsd] C:\Program Files\?icrosoft.NET\?ti2evxx.exe
O4 - HKCU\..\Run: [qzro] C:\Program Files\Common Files\qzro\qzrom.exe

Now close all windows other than HiJackThis, then click Fix Checked.
Close HijackThis
Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Outerinfo (I think Combofix may have nuked this already, but it may still be in the list & hopefully will not come back this time)

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present): Only delete the folders in RED, not the whole path.

C:\Program Files\Common Files\qzro

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present): Only delete the files in RED, not the whole path.

C:\WINDOWS\system32\wapisvtr.exe

After that, Reboot to normal windows.

Step 3
Next, please post:
1) Vundofix.txt from Step 1
2) A fresh HijackThis log.

Colin.

#7
robbiegee

Posted 23 January 2007 - 09:50 AM

Member

Topic Starter
Member
11 posts

Collin,

Thanks for your help. Ever since we have ran the combofix there has been no popups to speak of. So here are the other things that you asked for.

The Vundo showed nothing, and took along time to scan. Should this be of concern? Anyways here is the log.

VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 9:54:11 AM 1/23/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:59 AM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

Thanks again Collin. Your steps are very easy to follow, and your help has been very productive so far.

Rob

#8
rem

Posted 23 January 2007 - 03:32 PM

Visiting Staff

Member
464 posts

Hi Rob, we're getting there.
Ever since we have ran the combofix there has been no popups to speak of
Great stuff.

Don't worry, Vundofix has a lot of files to search for, so it will take a while.

Step 1
I wonder if you could do us a favour.
Please go here to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: C:\WINDOWS\system32\rxsdpomj.dll
In the comments, please mention that I asked you to upload this file
Click on Send File
Step 2
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop. (Don't run it yet)

Step 3
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll
O2 - BHO: (no name) - {ACFBA787-3E3C-6DCC-4D3A-3EC6294E6791} - C:\WINDOWS\system32\rxsdpomj.dll

Now close all windows other than HiJackThis, then click Fix Checked.
Close HijackThis
Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Step 4
Please double-click Killbox.exe on your desktop to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file path below to the clipboard by highlighting all of the red text and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\rxsdpomj.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually into normal mode..

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Step 5
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 6
Right, let's do a scan to see if anything else is lurking around.
First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step 7
In your next reply, please post:
1) The results of the AVG Anti-Spyware report scan.
2) A fresh HijackThis log.
3) Let me know how your computer is running now.

#9
robbiegee

Posted 25 January 2007 - 09:40 AM

Member

Topic Starter
Member
11 posts

Hey Colin,

I have done the first few steps in the last message. I sent the file, and downloaded Killbox. I have also deleted those files with HJT. My question is that Killbox will not let me paste from clipboard the file: C:\WINDOWS\system32\rxsdpomj.dll

Would it be ok if i wrote it down and typed into the box?

Thanks

Rob

#10
rem

Posted 25 January 2007 - 09:48 AM

Visiting Staff

Member
464 posts

Hi Rob
Yeah try that, just make sure you don't make any typing errors :whistling:

Or you right click in the box underneath Full Path of File to Delete & select paste.

Edited by rem, 25 January 2007 - 10:00 AM.

#11
robbiegee

Posted 25 January 2007 - 10:09 AM

Member

Topic Starter
Member
11 posts

Colin,

I typed it into the Killbox, and it said there was "already removed by external." So now I am finishing the rest of the steps, AVG Anti-Spyware is downloading now.

Thanks,
Rob

#12
rem

Posted 25 January 2007 - 10:29 AM

Visiting Staff

Member
464 posts

Hi Rob,
Thats fine :whistling:

#13
robbiegee

Posted 25 January 2007 - 11:06 AM

Member

Topic Starter
Member
11 posts

Ok

Finally I have completed all the steps.
I have sent the file.
I have deleted what you asked from HJT
I ran Killbox, but it said that file was already removed
I ran ATFcleaner
And finally ran the antispyware in safemode.

Here is the AVG report scan:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:51:54 AM 1/25/2007

+ Scan result:

C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP14\A0087095.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP14\A0087140.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP17\A0087218.dll -> Adware.TargetServer : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP17\A0087217.exe -> Downloader.TSUpdate.f : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP17\A0087216.exe -> Downloader.TSUpdate.l : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq95.tmp -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> TrackingCookie.Adtech : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98.tmp -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Adviva : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9E.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Bfast : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq99.tmp -> TrackingCookie.Bfast : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Bluestreak : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> TrackingCookie.Bridgetrack : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> TrackingCookie.Burstnet : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> TrackingCookie.Casalemedia : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp -> TrackingCookie.Centrport : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp -> TrackingCookie.Com : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> TrackingCookie.Commission-junction : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> TrackingCookie.Coremetrics : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Fred\Cookies\fred@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9A.tmp -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Enhance : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6D.tmp -> TrackingCookie.Falkag : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq71.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9B.tmp -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp -> TrackingCookie.Hitslink : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp -> TrackingCookie.Linksynergy : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7B.tmp -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9F.tmp -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq88.tmp -> TrackingCookie.Onestat : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7D.tmp -> TrackingCookie.Paycounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7E.tmp -> TrackingCookie.Pointroll : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq80.tmp -> TrackingCookie.Questionmarket : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp -> TrackingCookie.Ru4 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Serving-sys : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq84.tmp -> TrackingCookie.Serving-sys : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq85.tmp -> TrackingCookie.Sextracker : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq86.tmp -> TrackingCookie.Sextracker : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq89.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9C.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8A.tmp -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9D.tmp -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8B.tmp -> TrackingCookie.Targetnet : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8C.tmp -> TrackingCookie.Tradedoubler : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8D.tmp -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13E.tmp -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8F.tmp -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq91.tmp -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq92.tmp -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq93.tmp -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97.tmp -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq96.tmp -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP10\A0087062.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP12\A0087085.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{71F7DB9C-F4D2-4577-9296-C599246922DC}\RP17\A0087215.exe -> Trojan.Small : Cleaned.

::Report end

And here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:00 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

So far the computer is still running great. No problems of pop-ups.
Thanks for everything this far.

Rob

#14
rem

Posted 25 January 2007 - 11:15 AM

Visiting Staff

Member
464 posts

Hi Rob,
First glance everything looks good.
When I get in from work tonight I'll go over it in detail to make sure nothing's lurking.
Talk to you later,
Colin.

#15
rem

Posted 25 January 2007 - 02:58 PM

Visiting Staff

Member
464 posts

Hi Rob, well done fella your log's clean.
So far the computer is still running great. No problems of pop-ups.
That's great, good job.

Now that you are clean from infection we need to reset system restore.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

And that's it, job done.

If there's nothing else I can help you with the following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
AVG Anti-Spyware - Uber powerful tool which can search and annhilate nasties that make it onto your system.

SuperAntiSpyware - Another very powerful tool which searches and kills nasties that infect your system.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

ATFCleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

Happy computing !!