Please OuterInfo, just DIE


Post by coldbleed101 » January 29th, 2008, 6:01 pm

OKAY, I am a web designer who knows little about Java-based scripts written by bottom feeders with nothing better to do than scam you out of money, and in my case TIME, which is money to me. I was watching some documentary online the other day, and all of a sudden, I was impelled with OUTERINFO!!!!!!! I have run into these scumbuckets before. Anyway, here is my LogFile.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:45:18 PM, on 1/29/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Open\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4536F128-022B-4037-A819-287A7CD22E87} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\urqponl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [c4fef7b7] rundll32.exe "C:\WINDOWS\system32\optlgcxk.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: urqponl - C:\WINDOWS\SYSTEM32\urqponl.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5997 bytes


Did I do that right? Feel free to email me direct, whatever it takes. Oh, and I have no problem donating to the cause, when I can get some money, which will be when I can work on this machine, once I can GET RID of Outer-Colesore, I mean, Outerinfo.

Thank You.

-CB-
coldbleed101
Active Member
 
Posts: 2
Joined: January 29th, 2008, 5:52 pm

Re: Please OuterInfo, just DIE

Post by random/random » January 29th, 2008, 6:10 pm

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log as a reply to this topic.

You are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.
random/random
Developer
 
Posts: 7730
Joined: December 18th, 2005, 3:30 pm

Re: Please OuterInfo, just DIE

Post by coldbleed101 » January 29th, 2008, 6:56 pm

Okay, done. ComboFix says this:

ComboFix 08-01-30.1 - Open 2008-01-29 14:23:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT -8:00]
Running from: C:\Documents and Settings\Open\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
/wow section - STAGE 29
/wow section not completed

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 14:15 . 2008-01-29 14:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 13:26 . 2008-01-29 13:40 <DIR> d-------- C:\Documents and Settings\Open\Application Data\FileZilla
2008-01-29 13:23 . 2008-01-29 13:23 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-01-29 05:49 . 2008-01-29 05:49 1,162,310 ---hs---- C:\WINDOWS\system32\eqvnemqc.ini
2008-01-29 05:49 . 2008-01-29 05:49 88,640 --a------ C:\WINDOWS\system32\cqmenvqe.dll
2008-01-28 10:02 . 2008-01-28 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 05:51 . 2008-01-30 14:32 1,162,817 ---hs---- C:\WINDOWS\system32\kxcgltpo.ini
2008-01-28 05:51 . 2008-01-28 05:51 88,640 --a------ C:\WINDOWS\system32\optlgcxk.dll
2008-01-28 05:48 . 2008-01-28 05:48 1,149,600 ---hs---- C:\WINDOWS\system32\dpnanelb.ini
2008-01-27 21:49 . 2008-01-27 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-27 18:24 . 2008-01-27 18:24 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-01-27 18:24 . 2008-01-27 18:38 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-01-27 18:22 . 2008-01-27 18:26 <DIR> d-------- C:\Program Files\Symantec
2008-01-27 18:22 . 2008-01-27 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-27 18:22 . 2008-01-27 18:26 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-27 18:22 . 2008-01-27 18:26 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-27 18:22 . 2008-01-27 18:26 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-27 18:22 . 2008-01-27 18:26 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-27 18:08 . 2008-01-27 19:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-27 17:58 . 2008-01-27 17:58 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-27 17:56 . 2008-01-27 17:56 38,400 --a------ C:\WINDOWS\system32\khfghif.dll
2008-01-27 17:54 . 2008-01-27 17:54 38,400 --a------ C:\WINDOWS\system32\gebbaay.dll
2008-01-27 17:52 . 2008-01-27 17:52 38,400 --a------ C:\WINDOWS\system32\hggffgh.dll
2008-01-27 17:39 . 2008-01-27 18:17 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-26 08:06 . 2008-01-26 08:06 0 --ahs---- C:\Documents and Settings\Open\Application Data\00479b5a81.dat
2008-01-26 07:28 . 2008-01-26 07:28 270,698 --a------ C:\WINDOWS\system32\LD771.tmp
2008-01-26 07:28 . 2008-01-26 07:28 181,965 --a------ C:\WINDOWS\system32\LB9C7.tmp
2008-01-25 22:33 . 2008-01-30 14:32 332,638 --ahs---- C:\WINDOWS\system32\nnnmp.ini
2008-01-25 22:33 . 2008-01-30 14:30 332,536 --ahs---- C:\WINDOWS\system32\nnnmp.ini2
2008-01-25 22:33 . 2008-01-25 22:33 321,024 --a------ C:\WINDOWS\system32\pmnnn.dll
2008-01-25 22:32 . 2008-01-27 17:39 <DIR> d-------- C:\Program Files\Temporary
2008-01-25 22:31 . 2008-01-25 22:31 38,400 --a------ C:\WINDOWS\system32\ddcbyvv.dll
2008-01-25 22:29 . 2008-01-27 21:37 <DIR> d-------- C:\Program Files\A?pPatch
2008-01-25 22:28 . 2008-01-27 20:38 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-25 22:28 . 2008-01-27 20:43 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-25 22:28 . 2008-01-25 22:28 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-25 22:28 . 2008-01-25 22:28 <DIR> d-------- C:\WINDOWS\system32\deb3
2008-01-25 22:28 . 2008-01-25 22:28 <DIR> d-------- C:\Temp\gTiis19
2008-01-25 22:28 . 2008-01-25 22:28 <DIR> d-------- C:\Temp\1cb
2008-01-25 22:28 . 2008-01-25 22:28 38,400 --a------ C:\WINDOWS\system32\vturpqo.dll
2008-01-25 22:26 . 2008-01-27 18:18 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-25 22:26 . 2008-01-25 22:26 <DIR> d-------- C:\Temp\cXzz9
2008-01-25 22:26 . 2008-01-25 22:28 <DIR> d-------- C:\Temp
2008-01-25 22:26 . 2008-01-25 22:26 38,400 --a------ C:\WINDOWS\system32\urqponl.dll
2008-01-18 20:17 . 2008-01-18 20:17 50 --a------ C:\WINDOWS\brmx2001.ini
2008-01-18 20:17 . 2008-01-18 20:17 40 --a------ C:\WINDOWS\opt_2460.ini
2008-01-18 17:42 . 2008-01-23 16:55 643 --a------ C:\WINDOWS\Brpcfx.ini
2008-01-18 17:42 . 2008-01-18 17:42 52 --a------ C:\WINDOWS\BRPP2KA.INI
2008-01-18 17:42 . 2008-01-23 16:55 50 --a------ C:\WINDOWS\system32\m8220def.dat
2008-01-18 17:42 . 2008-01-18 17:42 0 --a------ C:\WINDOWS\brwmark.ini
2008-01-18 17:41 . 2008-01-18 17:41 <DIR> d-------- C:\Program Files\Brother
2008-01-13 13:45 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-13 13:45 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-13 12:35 . 2008-01-13 12:35 <DIR> d-------- C:\Program Files\Common Files\Vbox
2008-01-12 19:35 . 2008-01-12 19:35 <DIR> d---s---- C:\Documents and Settings\Open\UserData
2008-01-12 08:40 . 2008-01-13 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-12 08:13 . 2008-01-13 13:30 <DIR> d-------- C:\Program Files\Macromedia
2008-01-12 08:13 . 2008-01-12 08:13 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-12 07:54 . 2008-01-12 07:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-11 23:03 . 2008-01-11 23:03 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-11 22:51 . 2008-01-13 12:00 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-11 20:04 . 2008-01-12 11:31 <DIR> d-------- C:\Program Files\Google
2008-01-11 17:05 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-11 17:05 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-11 16:58 . 2008-01-11 16:59 <DIR> d-------- C:\WINDOWS\system32\zh-cn
2008-01-11 16:58 . 2008-01-11 16:58 <DIR> d-------- C:\WINDOWS\system32\bg-bg
2008-01-11 16:58 . 2008-01-11 16:58 <DIR> d-------- C:\WINDOWS\system32\ar-sa
2008-01-11 15:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-11 15:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-11 15:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-11 15:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-11 15:26 . 2008-01-11 18:54 <DIR> d-------- C:\Documents and Settings\Open\Application Data\RegistrySmart
2008-01-11 14:40 . 2008-01-11 18:54 <DIR> d-------- C:\WINDOWS\$hf_mig$
2008-01-10 21:20 . 2008-01-11 18:54 <DIR> d-------- C:\Program Files\DAZ
2008-01-10 21:11 . 2008-01-10 21:11 <DIR> d-------- C:\Program Files\Common Files\DAZ
2008-01-10 20:41 . 2008-01-10 20:41 <DIR> d-------- C:\Documents and Settings\Open\save2
2008-01-10 12:41 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-10 12:41 . 2008-01-10 12:41 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-10 12:40 . 2008-01-10 12:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-10 12:38 . 2008-01-10 12:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-10 12:38 . 2008-01-10 12:38 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-10 03:03 . 2004-03-11 16:53 171,648 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-01-10 03:03 . 2004-03-11 16:14 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-01-10 03:03 . 2004-03-11 17:12 82,688 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-01-10 03:03 . 2004-03-11 17:11 60,672 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-01-10 03:03 . 2001-08-17 06:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-01-10 03:03 . 2004-03-11 16:52 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-01-10 03:03 . 2004-03-11 16:44 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-01-10 03:03 . 2004-03-11 16:53 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-10 03:03 . 2004-03-11 16:44 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-01-10 03:03 . 2004-03-11 16:53 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-01-10 03:02 . 2004-03-11 18:18 4,256,640 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-01-10 03:02 . 2004-03-11 16:14 1,893,728 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-01-10 03:02 . 2001-08-17 04:12 117,760 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-01-10 03:02 . 2004-03-11 16:46 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-01-10 03:02 . 2004-03-11 16:44 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-01-10 03:02 . 2001-08-17 05:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-01-10 03:01 . 2004-03-11 17:14 146,048 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-10 03:01 . 2004-03-11 18:19 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-10 03:01 . 2001-08-17 04:20 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 01:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 01:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-15 17:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 19:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-01-10 19:32 --------- d-----w C:\Program Files\GlobalSCAPE
2008-01-10 19:32 --------- d-----w C:\Documents and Settings\Open\Application Data\GlobalSCAPE
2008-01-10 19:24 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-10 19:24 --------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2008-01-10 19:16 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-10 19:14 --------- d-----w C:\Program Files\Windows Journal Viewer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-27 18:30 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]
2008-01-25 22:26 38400 --a------ C:\WINDOWS\system32\urqponl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA4E4480-4066-43E8-B993-B81AE6E9FBA2}]
2008-01-25 22:33 321024 --a------ C:\WINDOWS\system32\pmnnn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 22:02 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 12:56 45056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 21:07 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53 714608]
"c4fef7b7"="C:\WINDOWS\system32\optlgcxk.dll" [2008-01-28 05:51 88640]
"combofix"="C:\ComboFix\kmd.exe" [2004-03-11 17:18 387584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}"= C:\WINDOWS\system32\urqponl.dll [2008-01-25 22:26 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqponl]
urqponl.dll 2008-01-25 22:26 38400 C:\WINDOWS\system32\urqponl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\pmnnn.dll

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 21:07]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 16:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 16:27]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 04:05:51 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Open.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-01-29 11:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 14:32:34
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2096]
-> C:\WINDOWS\system32\pmnnn.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2096]
-> C:\WINDOWS\system32\pmnnn.dll
-> C:\WINDOWS\system32\urqponl.dll
-> C:\WINDOWS\system32\optlgcxk.dll
-> C:\WINDOWS\system32\etpdfkdq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-01-30 14:37:34 - machine was rebooted [Open]
ComboFix-quarantined-files.txt 2008-01-30 22:37:24
coldbleed101
Active Member
 
Posts: 2
Joined: January 29th, 2008, 5:52 pm

Re: Please OuterInfo, just DIE

Post by random/random » January 30th, 2008, 3:04 pm

Right click here and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum as a reply to this topic

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code:
    File::
    C:\WINDOWS\system32\eqvnemqc.ini
    C:\WINDOWS\system32\cqmenvqe.dll
    C:\WINDOWS\system32\kxcgltpo.ini
    C:\WINDOWS\system32\optlgcxk.dll
    C:\WINDOWS\system32\dpnanelb.ini
    C:\WINDOWS\system32\khfghif.dll
    C:\WINDOWS\system32\gebbaay.dll
    C:\WINDOWS\system32\hggffgh.dll
    C:\WINDOWS\system32\LD771.tmp
    C:\WINDOWS\system32\LB9C7.tmp
    C:\WINDOWS\system32\nnnmp.ini
    C:\WINDOWS\system32\nnnmp.ini2
    C:\WINDOWS\system32\pmnnn.dll
    C:\WINDOWS\system32\ddcbyvv.dll
    C:\WINDOWS\system32\vturpqo.dll
    C:\WINDOWS\system32\urqponl.dll
    Folder::
    C:\Program Files\Temporary
    C:\Temp
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA4E4480-4066-43E8-B993-B81AE6E9FBA2}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqponl]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
random/random
Developer
 
Posts: 7730
Joined: December 18th, 2005, 3:30 pm
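The cross-check behind the File:: list in the reply above (modules referenced from HijackThis autostart entries that ComboFix also lists as newly created), written out as an added Python example that is not part of this thread or of either tool. The sample log lines are abbreviated copies of the logs posted above; the three heuristics (nameless BHO, eight-hex-digit Run value, Winlogon Notify hook) are my own triage rules, not something the helper states.

```python
import re

# Constructed sample input: abbreviated copies of the HijackThis autostart
# lines and the ComboFix "Files Created" lines posted earlier in this thread.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4536F128-022B-4037-A819-287A7CD22E87} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\urqponl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c4fef7b7] rundll32.exe "C:\WINDOWS\system32\optlgcxk.dll",b
O20 - Winlogon Notify: urqponl - C:\WINDOWS\SYSTEM32\urqponl.dll
"""

COMBOFIX_CREATED = r"""
2008-01-29 05:49 . 2008-01-29 05:49 88,640 --a------ C:\WINDOWS\system32\cqmenvqe.dll
2008-01-28 05:51 . 2008-01-28 05:51 88,640 --a------ C:\WINDOWS\system32\optlgcxk.dll
2008-01-27 18:22 . 2008-01-27 18:26 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-25 22:33 . 2008-01-25 22:33 321,024 --a------ C:\WINDOWS\system32\pmnnn.dll
2008-01-25 22:26 . 2008-01-25 22:26 38,400 --a------ C:\WINDOWS\system32\urqponl.dll
"""

# HijackThis entry types that name a module loaded at logon or browser start.
ENTRY_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$"),
}
# Any drive-letter path ending in .dll/.exe inside a path or command-line field.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+\.(?:dll|exe)', re.I)
# ComboFix "Files Created" line: created . modified size attrs path (<DIR> rows skipped).
CF_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
                   r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")


def autostart_modules(hjt_text):
    """Map each module path referenced from an O2/O4/O20 entry (lower-cased)
    to the (entry type, entry name) pairs that reference it."""
    refs = {}
    for line in hjt_text.splitlines():
        for kind, rx in ENTRY_RE.items():
            m = rx.match(line.strip())
            if m:
                for path in PATH_RE.findall(m.group("target")):
                    refs.setdefault(path.lower(), []).append((kind, m.group("name")))
    return refs


def recently_created(combofix_text):
    """Map each file path from the 'Files Created' section (lower-cased)
    to (created timestamp, size in bytes, attribute string)."""
    files = {}
    for line in combofix_text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            size = int(m.group("size").replace(",", ""))
            files[m.group("path").lower()] = (m.group("created"), size, m.group("attrs"))
    return files


def triage(hjt_text, combofix_text):
    """Return [(path, [reasons])] for every autostart module that ComboFix
    lists as newly created, sorted by path. A new file with no autostart
    reference (cqmenvqe.dll above) is deliberately not caught by this check."""
    created = recently_created(combofix_text)
    findings = []
    for path, entries in sorted(autostart_modules(hjt_text).items()):
        if path not in created:
            continue  # long-standing file: this cross-check has nothing to say
        reasons = ["created " + created[path][0]]
        for kind, name in entries:
            if kind == "O2" and name == "(no name)":
                reasons.append("nameless BHO")
            elif kind == "O4" and re.fullmatch(r"[0-9a-f]{8}", name):
                reasons.append("random hex Run value %r" % name)
            elif kind == "O20":
                reasons.append("Winlogon Notify hook")
        findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(HJT_LOG, COMBOFIX_CREATED):
        print(path, "->", "; ".join(reasons))
```

Run as-is, it reports optlgcxk.dll, pmnnn.dll and urqponl.dll, the three system32 DLLs that are both autostarted and newly created; the .ini, .tmp and remaining .dll names in the File:: list above come from reading the created-files timestamps directly, which this cross-check does not do.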

Re: Please OuterInfo, just DIE

Post by 'KotaGuy » February 20th, 2008, 12:29 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada