Removing Outerinfo Ads

#1 dancinqueen7841 (New Member, 4 posts)
Hello,

Lately our computer keeps having these pop-ups of various kinds but all with the same window title of "advertisements by outerinfo." Even more so lately, the Symantec window will pop up and shut down all internet windows that happen to be open at the time. I found your website (http://www.geekstogo...IN-t134763.html) and have been carefully following all the instructions.

Here is my log from the Combofix log:

ComboFix 07-08-30.3 - "Travis" 2007-09-02 1:43:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.73 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Travis\APPLIC~1\ppatch~1
C:\DOCUME~1\Travis\MYDOCU~1\ystem~1
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ppatch~1
C:\WINDOWS\DOWNLO~1.\Temp
C:\WINDOWS\mantec~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\msdirectx


((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))


2007-09-02 01:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 19:39 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-08-16 12:21 <DIR> d-------- C:\Program Files\Netflix
2007-08-06 18:08 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-02 01:55 --------- d-------- C:\DOCUME~1\Travis\APPLIC~1\Xfire
2007-09-02 01:53 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-09-01 14:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-31 00:24 --------- d-------- C:\Program Files\Xfire
2007-08-29 11:35 --------- d-------- C:\Program Files\Picasa2
2007-08-10 01:03 --------- d-------- C:\DOCUME~1\Travis\APPLIC~1\ContentGuard
2007-07-12 00:24 --------- d-------- C:\Program Files\Zinio
2007-07-12 00:23 --------- d-------- C:\Program Files\Common Files\Zinio


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"CPQHotkeys"="hotkeysvc.exe" []
"CTHelper"="cthelper.exe" []
"Windows System Configuration"="C:\WINDOWS\WINFRW.EXE" []
"Windows Security Updater"="C:\WINDOWS\WINFRW.EXE" []
"JeH8c"="C:\WINDOWS\fewtyoth.exe" []
"# "="C:\WINDOWS\fewtyoth.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 21:05]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 03:07]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-09 18:26]
"SNDO763"="C:\WINDOWS\vsndo763.exe" [2005-01-18 17:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="\Program\BackWeb-8876480.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 16:33]
"Aim6"="" []
"Zinio DLM"="C:\Program Files\Zinio\ZinioReader.exe" [2007-05-04 16:52]
"Cbin"="C:\WINDOWS\??mantec\??erinit.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQHotkeys"=hotkeysvc.exe
"CTHelper"=cthelper.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\DOCUME~1\Travis\STARTM~1\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-08-23 19:41:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2004-01-12 07:55 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\]
"Script"=domain_browser.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
R3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 w70n51;Intel® PRO/Wireless 7100 Adapter Driver ;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S3 EraserUtilDrv10614;EraserUtilDrv10614;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10614.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 SNDO763;Dual Mode Camera (800A VGA);C:\WINDOWS\system32\DRIVERS\sndo763.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41E21C50-CD67-11D4-9599-00B0D03D4FFF}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\o2kiefrm.inf,PUserInstall,,36

Contents of the 'Scheduled Tasks' folder
2007-08-27 20:26:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-02 01:54:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"# "="C:\\WINDOWS\\fewtyoth.exe"

Completion time: 2007-09-02 1:57:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-02 01:57

--- E O F ---



The AVG Anti-Spyware scan is still scanning and I haven't got my HijackThis log yet. I am going to leave the computer scanning overnight and post those two reports tomorrow.

Thanks,
Wendy

#2 dancinqueen7841 (New Member, Topic Starter, 4 posts)
Here is the AVG report. It popped up something about a Trojan Winuck...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:03:47 AM 9/2/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\KB920685.log -> Trojan.Winuck : Cleaned with backup (quarantined).


::Report end

#3 dancinqueen7841 (New Member, Topic Starter, 4 posts)
And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:05:16 AM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\vsndo763.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.berea.edu/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.berea.edu:8080
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.berea.edu"); (C:\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\6p33qkw0.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Travis\Application Data\Mozilla\Profiles\default\6p33qkw0.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\Run: [Windows Security Updater] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\Run: [JeH8c] C:\WINDOWS\fewtyoth.exe
O4 - HKLM\..\Run: [# ] C:\WINDOWS\fewtyoth.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SNDO763] C:\WINDOWS\vsndo763.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKCU\..\Run: [Cbin] C:\WINDOWS\??mantec\??erinit.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: KeyAccess.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146793968898
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22....p/view22rte.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = berea.edu
O17 - HKLM\Software\..\Telephony: DomainName = berea.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = berea.edu
O20 - AppInit_DLLs: KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 Rawe (Visiting Staff, 4,746 posts)
Hello and welcome aboard :whistling:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I cannot guarantee it will be 100% secure afterwards.

-------

However, if you do want to clean this up,

Open notepad and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\WINFRW.EXE
C:\WINDOWS\fewtyoth.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configuration"=-
"Windows Security Updater"=-
"JeH8c"=-
"# "=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cbin"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQHotkeys"=-


Save it as CFScript.txt on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

----

Also surf here and upload the following file:

C:\WINDOWS\INF\o2kiefrm.inf

Wait for the scanners to finish and post back with the results along with the ComboFix log. :blink:

#5
dancinqueen7841 (Topic Starter, 4 posts)
Thanks for the help!

Here is the combo fix report:

ComboFix 07-08-30.3 - "Travis" 2007-09-04 8:18:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.48 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Travis\Desktop\CFScript.txt

FILE::
C:\WINDOWS\WINFRW.EXE
C:\WINDOWS\fewtyoth.exe


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 08:09 <DIR> d-------- C:\DOCUME~1\Travis\APPLIC~1\Yahoo! Messenger
2007-09-02 02:07 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-02 01:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 19:39 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-08-16 12:21 <DIR> d-------- C:\Program Files\Netflix
2007-08-06 18:08 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 08:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-04 08:11 --------- d-------- C:\DOCUME~1\Travis\APPLIC~1\Xfire
2007-09-04 08:07 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-31 00:24 --------- d-------- C:\Program Files\Xfire
2007-08-29 11:35 --------- d-------- C:\Program Files\Picasa2
2007-08-10 01:03 --------- d-------- C:\DOCUME~1\Travis\APPLIC~1\ContentGuard
2007-07-12 00:24 --------- d-------- C:\Program Files\Zinio
2007-07-12 00:23 --------- d-------- C:\Program Files\Common Files\Zinio


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"CPQHotkeys"="hotkeysvc.exe" []
"CTHelper"="cthelper.exe" []
"Windows Security Updater"="C:\WINDOWS\WINFRW.EXE" []
"# "="C:\WINDOWS\fewtyoth.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 21:05]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-03-16 03:07]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-09 18:26]
"SNDO763"="C:\WINDOWS\vsndo763.exe" [2005-01-18 17:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="\Program\BackWeb-8876480.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CTHelper"=cthelper.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\DOCUME~1\Travis\STARTM~1\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-08-23 19:41:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2004-01-12 07:55 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\]
"Script"=domain_browser.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

R2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 w70n51;Intel® PRO/Wireless 7100 Adapter Driver ;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S3 EraserUtilDrv10614;EraserUtilDrv10614;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10614.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 SNDO763;Dual Mode Camera (800A VGA);C:\WINDOWS\system32\DRIVERS\sndo763.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41E21C50-CD67-11D4-9599-00B0D03D4FFF}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\o2kiefrm.inf,PUserInstall,,36

Contents of the 'Scheduled Tasks' folder
2007-09-03 20:26:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 08:25:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"# "="C:\\WINDOWS\\fewtyoth.exe"

Completion time: 2007-09-04 8:29:02
C:\ComboFix-quarantined-files.txt ... 2007-09-04 08:29
C:\ComboFix2.txt ... 2007-09-02 01:57

--- E O F ---



And here is the virus scan report:

File o2kiefrm.inf received on 09.04.2007 14:23:42 (CET)


Result: 0/31 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.4.1 2007.09.04 -
AntiVir 7.4.1.66 2007.09.04 -
Authentium 4.93.8 2007.09.04 -
Avast 4.7.1029.0 2007.09.04 -
AVG 7.5.0.485 2007.09.04 -
BitDefender 7.2 2007.09.04 -
CAT-QuickHeal 9.00 2007.09.03 -
ClamAV 0.91.2 2007.09.04 -
DrWeb 4.33 2007.09.04 -
eSafe 7.0.15.0 2007.09.03 -
eTrust-Vet 31.1.5107 2007.09.04 -
Ewido 4.0 2007.09.04 -
FileAdvisor 1 2007.09.04 -
Fortinet 3.11.0.0 2007.09.04 -
F-Prot 4.3.2.48 2007.09.04 -
F-Secure 6.70.13030.0 2007.09.04 -
Ikarus T3.1.1.12 2007.09.04 -
Kaspersky 4.0.2.24 2007.09.04 -
McAfee 5111 2007.09.03 -
Microsoft 1.2803 2007.09.04 -
NOD32v2 2502 2007.09.04 -
Norman 5.80.02 2007.09.04 -
Panda 9.0.0.4 2007.09.04 -
Rising 19.39.12.00 2007.09.04 -
Sophos 4.21.0 2007.09.04 -
Sunbelt 2.2.907.0 2007.08.31 -
Symantec 10 2007.09.04 -
TheHacker 6.1.9.177 2007.09.04 -
VBA32 3.12.2.3 2007.09.03 -
VirusBuster 4.3.26:9 2007.09.03 -
Webwasher-Gateway 6.0.1 2007.09.04 -
Additional information
File size: 1388 bytes
MD5: f9d548b73c70b897274de8faeeacd124
SHA1: 801452923b4ae448b6fb316728cdaf82b4a00e3d



Thanks again for your help!
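The helper's CFScript singles out the Run entries whose files ComboFix could not timestamp (the `[]` at the end of a line) and the oddly named `"# "` value. As an added example, not from this thread or from ComboFix, here is a small Python triage script that applies those same observations to the "Reg Loading Points" section; the three heuristics are assumptions of the example, and the sample log is constructed from lines of the report posted above.

```python
import re

# Constructed sample: lines taken from the ComboFix log posted above (abridged).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQHotkeys"="hotkeysvc.exe" []
"Windows Security Updater"="C:\WINDOWS\WINFRW.EXE" []
"# "="C:\WINDOWS\fewtyoth.exe" []
"SNDO763"="C:\WINDOWS\vsndo763.exe" [2005-01-18 17:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Aim6"="" []
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)" \[(?P<stamp>[^\]]*)\]$')

def parse_loading_points(text):
    """Yield (key, name, path, stamp) for every autorun value in the section."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m['name'], m['path'], m['stamp']

def suspicious_reasons(name, path, stamp):
    """Heuristic hits for one entry (assumptions of this example); [] means clean."""
    reasons = []
    if not re.search(r'[A-Za-z0-9]', name):
        reasons.append('value name is blank or punctuation only')
    if path and not stamp:
        reasons.append('referenced file has no timestamp (missing or hidden)')
    if re.match(r'^C:\\WINDOWS\\[^\\]+\.exe$', path, re.IGNORECASE):
        reasons.append('executable sits directly in the Windows directory')
    return reasons

def triage(text):
    """Map each flagged value name to the reasons it was flagged."""
    hits = {}
    for _, name, path, stamp in parse_loading_points(text):
        reasons = suspicious_reasons(name, path, stamp)
        if reasons:
            hits[name] = reasons
    return hits
```

Note that SNDO763 is flagged as well even though it belongs to the camera driver listed under the S3 services: the heuristics only rank entries for a person to verify, which is what the helper does by hand in this thread.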

#6
Rawe (Visiting Staff, 4,746 posts)
Have you added a group policy for startup yourself?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\]
"Script"=domain_browser.bat

-------

Open notepad again and copy/paste the text in the quotebox into it

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQHotkeys"=-
"CTHelper"=-
"Windows Security Updater"=-
"# "=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CTHelper"=-


Save it as CFScript.txt on your desktop. (remove the earlier one)

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

No need to post the resulting log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------

Go ahead and delete ComboFix.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. :whistling:
