Computer Hope

Software => Computer viruses and spyware => Topic started by: green tea on April 20, 2008, 02:01:58 AM

Title: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 02:01:58 AM
I really thought I was done with Malware for a good while, but it's back :'(

Evilfantasy, I tried following the steps in the guideline but met some problems. I tried to uninstall my old Norton Antivirus 2003 program but it won't let me do it in safe mode. And sadly, I'm having trouble rebooting into normal mode tonight.

I was able to uninstall Internet Speed monitor through the Add/Remove part, and then I did use CCleaner. SAS and MBAM ran just fine, and the logs are attached below.

Couldn't uninstall Java 6 (update 3) in safe mode... (could I install the new version after we get rid of the bugs)??

I also tried running Hijackthis in safe mode but it keeps crashing. Don't know what to do about that...


[recovering space - attachment deleted by admin]
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 20, 2008, 02:22:39 AM
Yes we will worry about updating Java and uninstalling old Norton until you get into normal mode.

Did you restart and then try running Hijackthis?

Go to My Computer->Tools->Folder Options->View tab:
Now see if you can find this folder and file and delete it. (if there)

C:\Program Files\Bat\Bat.exe

----------

See if you can get SDFix to run.

Download SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:


Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 11:20:42 AM
No, haven't done HJT yet.

I did a search for C:\Program Files\Bat\Bat.exe but didn't find anything. MBAM log shows that it was quarantined and deleted successfully. Could it still be hiding in one of the folders?

Ran SDFix, and was prompted to reboot. The computer was restarting but this blue screen shows up for a millisecond, and then the computer reboots again. After this, the advanced screen would show up and this is how I get into safe mode.

I'm currently in safe mode with networking since I was thinking I could post the log after everything's done. But the "FIXTOOL" didn't run again, and all the desktop icons automatically loaded.

Should I run SDFIX again? The report.txt in the SDFix folder just shows it was done with the "Checking process".
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 11:23:20 AM
Edit: I just tried running HJT, and it worked.
 
Here is the log for today

[recovering space - attachment deleted by admin]
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: Broni on April 20, 2008, 11:34:56 AM
green tea...
You're running two threads, this one, and: http://www.computerhope.com/forum/index.php/topic,55467.msg347538.html#msg347538
Is it about the same computer?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 11:40:58 AM
Hi Broni, it's the same computer/problem. But Evilfantasy closed that thread since it got off topic and told me to start a new one.

This is the main thread now. Please delete the other one if needed. Thanks
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: Broni on April 20, 2008, 11:42:38 AM
No problem, I just wanted to clarify :)
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 20, 2008, 11:48:54 AM
Go to Start > Run and copy then paste sc stop MsSecurity1.209.4 then click OK

Now again go to Start > Run and copy and paste sc delete MsSecurity1.209.4 then click OK

----------

Open Hijackthis and select Do a system scan only then place a check mark next to (if there)

- O4 - HKLM\..\Run: [ynupuhwb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll"
- O4 - HKLM\..\Run: [1cbf3279] rundll32.exe "C:\WINDOWS\system32\tedpyuln.dll",b
- O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe" -vt yazb
- O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

Now click Fix checked

----------

Download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

----------

Post the OTMoveIt log and run a new Hijackthis scan and post that log.

If you are still stuck in safe mode then try to run SDFix again and get a log from that.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 12:58:06 PM
Ok, did run the "sc delete MsSecurity1.209.4"

Ran HJT and selected the first 3 line items (HKLM and HKCU). But didn't see O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)

Ran OTMoveIt but it keeps freezing whenever it's looking for the last file "ynupuhwb.dll". Under the Green result bar, it also shows some of the files as not found.

So as of now, I can't create a log for OTMoveIt. Here's the current HJT log if you need to see it.

[recovering space - attachment deleted by admin]
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 20, 2008, 01:02:44 PM
You will need to go in and manually delete these files (in bold)

they may not all be there.

C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
C:\WINDOWS\system32\tedpyuln.dll
C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

Have you tried SDFix again?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 03:25:43 PM
Found and deleted
C:\PROGRA~1\COMMON~1\ASKS~1\arpa.exe
C:\Documents and Settings\All Users\Application Data\ynupuhwb.dll

Didn't find C:\WINDOWS\system32\tedpyuln.dll

Haven't run SDFix since the first time, but I'll try it again now
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 03:52:54 PM
Just rebooted after running SDFix but same situation as before. The desktop icons automatically loaded and no SDFix screen or Fixtools popped up after the reboot.

Also, every time I reboot, the screen would turn blue after the Windows loading screen, and then the computer would restart at that point. I'm wondering if this is because I was pressing F3 a couple times earlier when it was rebooting...I was hitting F8 to get to safe mode, but accidentally hit F3 as well.

Does that affect the reboot?!! :-\
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 20, 2008, 04:43:11 PM
Try not hitting anything.

Have you just left everything alone to see if it boots into normal mode?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 05:01:00 PM
It hasn't rebooted into normal mode at all since last night. Last time I was in regular mode, I ran SAS and then was prompted to reboot. I've been in safe mode ever since.
....................................... ............
And actually, I don't have to hit anything anyway. I've been going to safe mode since it doesn't reboot properly the first time and shuts down after the Windows loading screen, then reboots by itself. Because of that error, the advanced screen shows up and then I select Safe Mode with Networking.

Hitting the F8 button doesn't help me either.. I tried doing that after the first beep sound, but it loads to the window screen.

So to sum up, I really have no way of knowing how it'll reboot or have control over that either...
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 20, 2008, 05:56:15 PM
Go to C:\Program Files\SUPERAntiSpyware

Double click Bootsafe.exe and make sure Normal Restart is selected then click Reboot. See if it goes into normal mode
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 20, 2008, 08:41:42 PM
No, didn't work. That blue screen showed up again and the 2nd reboot went to safe mode again.

Have we gotten rid of the adware, etc?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 21, 2008, 09:56:26 AM
No I don't think the malware is gone yet.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

Important! Combofix.exe MUST be saved to and run from the Desktop.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.

If needed, see this Combofix tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 22, 2008, 12:06:22 AM
Sweet!! Combofix ran perfectly this time (passed through all 41 stages, and then rebooted itself). And the best part.. it booted to normal mode without any errors ;D I have to say, after having to stay in safe mode for over a day, the tiny text and icons is a welcome sight.

And after it produced the log, the time changed back to normal unlike the first time, and the internet works.

Combofix log attached:

[recovering space - attachment deleted by admin]
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 22, 2008, 09:03:30 AM
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KILLALL::

Folder::
C:\Documents and Settings\All Users\Application Data\turczcvk
C:\WINDOWS\mgwwgmke

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\amhE.exe
C:\WINDOWS\system32\nluypdet.ini
C:\WINDOWS\system32\iasnvwsp.ini
C:\WINDOWS\BM1f8c01e5.xml
C:\WINDOWS\obqfqdgd.dll
C:\WINDOWS\enunwtiv.dll
C:\WINDOWS\system32\L5B7C.tmp
C:\WINDOWS\system32\L4E1E.tmp
C:\WINDOWS\system32\L4729.tmp
C:\WINDOWS\system32\L45B2.tmp
C:\WINDOWS\muotr.so
C:\WINDOWS\megavid.cdt

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Now run a new Hijackthis scan and post that log also.

Next post
Combofix log
New Hijackthis log
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 22, 2008, 07:43:24 PM
Alrighty,

here are the new logs

[recovering space - attachment deleted by admin]
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 22, 2008, 08:22:22 PM
The logs look good now, how is everything?

Download and install CleanUp!.exe (http://stevengould.org/downloads/cleanup/CleanUp452.exe)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility



Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 22, 2008, 08:58:26 PM
That's good news.. everything seems to be back to normal.

How do I know it's a 64 bit OS? Where can I check?

And does this affect the prefetch (remember how last time, I was using ATF cleaner way too much, and it affected the load time for yahoo.com.)?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 22, 2008, 09:08:55 PM
Pretty sure you don't have a 64-bit so it is safe to run.

I remember the prefetch problem. Just running Cleanup once won't hurt anything.

Final steps.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

The above procedure will:
Download OTMoveIt2 by OldTimer OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

Here are some great tools to help you keep from getting infected again.

To prevent unknown applications from being installed on your computer install WinPatrol 2007 (http://www.winpatrol.com/winpatrol.html)

Let me know how everything went.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 22, 2008, 09:18:04 PM
Ok, so I should still use Cleanup before going to the Final Steps, correct?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 22, 2008, 09:20:03 PM
Yep, it will remove any of the malicious files that are in temp. folders.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 22, 2008, 10:04:37 PM
Ok, did everything including Secunia.

I need to update my Adobe programs, QuickTime, iTunes, Java, Adobe Flash, etc.
......

Now back to the basics in the Sticky thread.. which of these 3 is the most effective/user-friendly? I'm worried about running into problems after installing these..

Avast! Home Edition
AVG Free Edition
AntiVir Personal

Should I uninstall Norton 2003 first? or d/l this and then uninstall?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: mcxeb52! on April 22, 2008, 11:22:59 PM
Avast and AVG are fine but AntiVir has this short term expiration thing which makes me think it's actually a trial....

But for Avast and AVG, it just depends on whichever program's interface and controls you like better. But in terms of updating and effectiveness, they both update every day at minimum and both are always sending out program updates as they come.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 26, 2008, 01:44:00 PM
FRICKING A... Bad News
I was watching a movie this morning, and then my computer got hit with a bunch of malware again.. Winpatrol's Scotty was detecting a bunch of stuff and I kept clicking "NO" when it asked if I wanted to add these programs to the startup setting. Then I check my start menu and Outerinfo and Internet Speed Monitor reinstalled themselves on my PC, along with a bunch of other stuff.

I did CCleaner, and then did the Add/Remove to get rid of Outerinfo, ISM, a lot of other things which I can't recall right now. But there's still one called "Command" in the program list. It doesn't have any info to it, no file size or date.

I just ran SuperAntispyware in Safe mode, and rebooted. But now when I try to retrieve the log by double-clicking on it, the "OPEN WITH" window pops up and asks me which program I want to select to open SAS with ???

Evilfantasy, please help again...

.........

Uh oh, I tried double clicking other programs (CCleaner, Notepad, etc) and it all leads to the "Open With" window appearing again. What happened??
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 26, 2008, 02:09:11 PM
Crap, just tried to check the Add/Remove list to see if anything else is there BUT I can't open it.

It says C:\WINDOWS\system32\rundll32.exe
Application not found

Everything was still operational when I was doing the SAS scan.. and it found 69 infected items. I had them quarantined and removed, and then was prompted to reboot.  :'(

....

Also, when this first happened at 10 this morning, I tried to revert to the system restore I created earlier this week. But it only showed today's system restore point (4/26/08 - 10:00 am).. so would it help if I can get back to the System Restore point on 4/22 or 4/23 even though it's not showing up? Or did the malware override the point I created?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 26, 2008, 05:19:43 PM
Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage.
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 26, 2008, 05:36:37 PM
I have no clue where my XP cd is at this time. It's been a good couple of years since I've seen it.

And my CD drive/DVD drive have not been working for a while as well. Only way I can get stuff into my PC is d/l through the internet or via USB.

I know doing system restore is dangerous since all the viruses would still be there, but would it bring this application back?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 26, 2008, 10:45:26 PM
Only found the 4-disc Recovery CD that came with my machine. I think XP was already pre-installed on the computer when we got it.

Is there another way I can get the correct version? Would it be possible for you to post a d/l link for it and then I d/l and add it to the System folders?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 27, 2008, 10:57:46 AM
Quote
Is there another way I can get the correct version? Would it be possible for you to post a d/l link for it and then I d/l and add it to the System folders?

That's illegal.

Try to find the install disk, or use the recovery CDs and reinstall. Stop downloading torrents. I can't do much good if you are just going to keep making the same mistakes over and over.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 27, 2008, 01:54:08 PM
I honestly didn't think torrents could be dangerous if I got them from reliable sites. I've been using them for many years and it's only this year that the problems happened. I know, it's really stupid..

Would you still be able to help one more time (Hopefully)?? Can I use the recovery cd and replace that one system file, or does using the Recovery cd mean everything I have gets wiped out?
..

I went into the system32 folder to see if the Rundll32.exe was in there.. it is but the icon is a blank sheet of paper. The other exe all look like windows.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 29, 2008, 01:13:33 AM
Update:

Still not having any luck when I double click a program.. the "Open with" window still pops up. But I decided to test it, and did "Browse" and was able to open up the programs by going to Program file folder, and double clicking on the "exe" files from there.

I could open up SAS again, but cannot access the logs. I was able to run MBAM though, and here is the log. I can only paste it, because when I try to do Save As, Notepad crashes.


...................

Malwarebytes' Anti-Malware 1.11
Database version: 660

Scan type: Full Scan (C:\|)
Objects scanned: 112995
Time elapsed: 50 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 54

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkKcDvt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRJCUon.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bd6303c-42be-4a7c-8eaf-1cb19d7eeff4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0bd6303c-42be-4a7c-8eaf-1cb19d7eeff4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a69f6966-e4f3-4290-8301-cc9342894fe5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcuon (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1f8c01e5 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkcdvt -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkcdvt  -> Delete on reboot.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\b1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ccvdxtdx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdtxdvcc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkKcDvt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tvDcKkkj.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tvDcKkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuxslnhr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rhnlsxuw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sockots64.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\CPV\CPV8.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore\JavaCore.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000070.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000071.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000073.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000078.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000079.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000095.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000096.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000099.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000100.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001182.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001184.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001185.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001186.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001187.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001190.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\b116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b138.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcntmkdn.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwwnw64d.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vptyufqy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\nvxbarr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\n3\predircom3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wTMP\idevdpll.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrixtvyx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJCUon.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\b156.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 29, 2008, 01:21:28 AM
OMG OMG!!
After running MBAM and rebooting, I can now double click on any application and it will load. No "open with" window as of now! I can also access the Add/Remove program section again.

Evilfantasy, hope you're still on board with helping me again (and everyone else too). Should I continue with HJT?
..........

Here is the SAS log. This was done on 4/26 but due to the rundll32.exe problem, I couldn't access it until now.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 12:32 PM

Application Version : 3.9.1008

Core Rules Database Version : 3376
Trace Rules Database Version: 1370

Scan type       : Complete Scan
Total Scan Time : 01:46:06

Memory items scanned      : 199
Memory threats detected   : 2
Registry items scanned    : 6117
Registry threats detected : 50
File items scanned        : 88434
File threats detected     : 20

Adware.Vundo Variant/Resident
   C:\WINDOWS\SYSTEM32\JKKKCDVT.DLL
   C:\WINDOWS\SYSTEM32\JKKKCDVT.DLL

Worm.Rbot-LD
   C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   HKLM\System\ControlSet005\Services\Schedule
   HKLM\System\ControlSet006\Services\Schedule
   HKLM\System\CurrentControlSet\Services\Schedule
   C:\WINDOWS\Prefetch\SPOOLS.EXE-1394AE12.pf

Adware.Vundo-Variant
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2797E8D2-3473-4A53-946C-C090C02A72CA}
   HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}
   HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}\InprocServer32
   HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}\InprocServer32#ThreadingModel

Unclassified.Unknown Origin
   HKLM\System\ControlSet005\Services\cmdService
   C:\WINDOWS\VXNLCG\COMMAND.EXE
   HKLM\System\ControlSet006\Services\cmdService
   HKLM\System\CurrentControlSet\Services\cmdService
   C:\WINDOWS\Prefetch\COMMAND.EXE-14E8AF63.pf

Adware.WebHancer
   HKLM\Software\WebHancer
   HKLM\Software\WebHancer#BaseDir
   HKLM\Software\WebHancer\CC
   HKLM\Software\WebHancer\CC#DistTag
   HKLM\Software\WebHancer\CC#id

Adware.ClickSpring
   HKLM\Software\ClickSpring
   HKLM\Software\ClickSpring#UBWKR

Trojan.cmdService
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.ZenoSearch
   C:\WINDOWS\system32\msnav32.ax

Adware.Adservs
   C:\WINDOWS\system32\atmtd.dll
   C:\WINDOWS\system32\atmtd.dll._
   C:\WINDOWS\SYSTEM32\B1\CBWA3UI.EXE
   C:\WINDOWS\VXNLCG\ASAPPSRV.DLL
   C:\WINDOWS\Prefetch\CBWA3UI.EXE-14E989A8.pf

Trojan.NetMon/DNSChange
   C:\Program Files\Network Monitor\netmon.exe
   C:\Program Files\Network Monitor
   C:\WINDOWS\Prefetch\NETMON.EXE-09C9CC43.pf

Adware.Tracking Cookie
   C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt

Trojan.Downloader-Gen/Win
   C:\WINDOWS\MROFINU72.EXE

Adware.ClickSpring/Yazzle
   C:\WINDOWS\PREFETCH\YAZZLE1552OINADMIN.EXE-01D813FF.PF

Adware.Vundo-Variant/Small-A
   C:\WINDOWS\SYSTEM32\CYNFGQWG.DLL

Trojan.Unknown Origin
   C:\WINDOWS\UNINSTALL_NMON.VBS
   C:\WINDOWS\VXNLCG\PRH5W0.VBS

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 29, 2008, 01:31:38 AM
Here's the HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:29 AM, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [1cbf3279] rundll32.exe "C:\WINDOWS\system32\ccvdxtdx.dll",b
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vcsron] C:\Program Files\Vcsron\Vcsron.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199778064781
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 29, 2008, 08:22:07 AM
Download SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:


Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 29, 2008, 08:08:37 PM
Same situation with SDfix as before. It ran completely and then prompted me to reboot. However, after rebooting in safe mode and logging in, the desktop icons loaded automatically. No Fixtools or anything from SDfix popped up.

Here's what my report.txt says
...

SDFix: Version 1.177
Run by User on 2008-04-29 at 06:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MRV47

Path :
\??\C:\WINDOWS\System32\drivers\Mrv47.sys

MRV47 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 29, 2008, 09:24:23 PM
Just noticed these in the Add/Remove list:

vcsron
csvnro
svconr

I first saw "vcsron", deleted that. But after I went back to check the list, "csvnro" appeared in its place. Deleted that, and then the next one appeared. I hope more doesn't show up.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 12:42:19 PM
We need to try combofix.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

Important! Combofix.exe MUST be saved to and run from the Desktop.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 07:28:40 PM
Just got home, and finished my Combofix. It didn't reboot to normal mode like the first time though. It was rebooting and then after the Windows XP load screen, the monitor just said no signal, and then the pc shut down. Then it rebooted, and I went to Safe Mode with networking.

ComboFix 08-04-29.5 - User 2008-04-30 18:14:31.8 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.260 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\ASKS~1
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cxhfywlk.dll
C:\WINDOWS\system32\ewdlftut.dll
C:\WINDOWS\system32\gwqgfnyc.ini
C:\WINDOWS\system32\hiqvdcgt.dll
C:\WINDOWS\system32\hpyqchfc.dll
C:\WINDOWS\system32\jkkKcDvt.dll
C:\WINDOWS\system32\kjbblsww.dll
C:\WINDOWS\system32\lelptvxx.dll
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\oyxyaglt.dll
C:\WINDOWS\system32\rqRJCUon.dll
C:\WINDOWS\system32\tutfldwe.ini
C:\WINDOWS\system32\tvDcKkkj.ini
C:\WINDOWS\system32\tvDcKkkj.ini2
C:\WINDOWS\system32\wgpaftim.dll
C:\WINDOWS\system32\wnbqxspc.dll
C:\WINDOWS\system32\wnvgthhx.dll
C:\WINDOWS\system32\wwslbbjk.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
2008-04-26 10:26 . 2002-08-29 05:00   4,224   --a------   C:\WINDOWS\system32\beep.sys
2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
2008-04-26 10:00 . 2008-04-26 10:00   861   --a------   C:\WINDOWS\system32\winpfz33.sys
2008-04-26 09:59 . 2008-04-26 12:33   <DIR>   d--hs----   C:\WINDOWS\VXNlcg
2008-04-26 09:59 . 2008-04-29 00:06   <DIR>   d--------   C:\WINDOWS\system32\wTMP
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\WINDOWS\system32\pnVes06
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\zvebs14
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\kvebs14
2008-04-26 09:59 . 2008-04-26 09:59   400,585   --a------   C:\WINDOWS\system32\g4.exe
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCUon]
rqRJCUon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7467:TCP"= 7467:TCP:BitComet 7467 TCP
"7467:UDP"= 7467:UDP:BitComet 7467 UDP

R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
S2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
S2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
S2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
S2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

*Newly Created Service* - CXTUNER
*Newly Created Service* - CXXBAR
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware .ex
- C:\Program Files\AntiSpywareApp
"2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:21:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:26:07 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-01 01:26:04

Pre-Run: 4,014,170,112 bytes free
Post-Run: 4,019,470,336 bytes free

167   --- E O F ---   2008-04-09 10:04:51

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 07:36:39 PM
I just tried saving my Combofix log but when I went to click "Save as", notepad automatically closed by itself.

I know the CFScript step is next, but since I can't save the notepad files on my own, can you help save a CFScript.txt for me, and then attach it so I can d/l the entire file. As long as I don't open up notepad and try and save it, I'm ok.

Also, vcsron is still on my Add/Remove list.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 08:13:13 PM
cfscript log attached.

Drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Next:

Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Agree to the prompt to perform the action...


Next:

Please download ATF Cleaner by Atribune (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
The rest are optional - if you want to remove everything, check Select All
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
It is important to restart the computer after running ATF Cleaner.

Next post
Combofix log
Fresh Hijackthis log




[recovering space - attachment deleted by admin]

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 08:36:33 PM
ComboFix 08-04-29.5 - User 2008-04-30 19:26:35.9 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.326 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g4.exe
C:\WINDOWS\system32\winpfz33.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g4.exe
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pnVes06\pnVes061083.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wTMP
C:\WINDOWS\VXNlcg

.
(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-04-30_18.25.51.17   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 01:21:23   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-05-01 02:28:34   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
- 2008-05-01 01:21:26   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-01 02:28:35   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_SZ            msv1_0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7467:TCP"= 7467:TCP:BitComet 7467 TCP
"7467:UDP"= 7467:UDP:BitComet 7467 UDP

R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
R2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
R2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
R2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware .ex
- C:\Program Files\AntiSpywareApp
"2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 19:29:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-30 19:33:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-01 02:33:43
ComboFix2.txt  2008-05-01 01:26:08

Pre-Run: 4,032,126,976 bytes free
Post-Run: 4,015,120,384 bytes free

162   --- E O F ---   2008-04-09 10:04:51
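The catchme section of the ComboFix log above lists files the scanner could not see through the normal file API, and the registry dump right after it shows a service (clbdriver) whose ImagePath uses the NT-native "\??\globalroot\systemroot\..." form rather than a plain Win32 path. Below is an added example, not ComboFix's or catchme's own code, that reads those two sections from a log and reports services whose driver resolves to one of the hidden files. The SYSTEMROOT value and the control service "exampledrv" are assumptions for the sample; the other lines are copied from the log above.

```python
"""Cross-reference catchme hidden files with service ImagePaths in a ComboFix log.

Added example for this thread; not ComboFix's or catchme's own code. It parses
the catchme "scanning hidden files" block and the
[HKLM\System\ControlSetNNN\Services\<name>] "imagepath" dumps that ComboFix
prints, then flags services whose driver file catchme reported as hidden.
"""
import re

SYSTEMROOT = r"C:\WINDOWS"   # assumption: the XP install seen in the log

# Constructed sample input: hidden-file and clbdriver lines copied from the
# log above, plus one made-up control service ("exampledrv") that the
# filter should ignore. Not a live scan.
SAMPLE_LOG = r"""
scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\exampledrv]
"imagepath"="system32\drivers\exampledrv.sys"
.
"""

# "<drive>:\path 6656 bytes executable" or "<drive>:\path 1695 bytes"
HIDDEN_FILE_RE = re.compile(r"^([A-Za-z]:\\.*?)\s+(\d+) bytes(\s+executable)?\s*$")
# "[HKLM\System\ControlSetNNN\Services\<name>]" followed by the imagepath value
SERVICE_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\System\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\]\\]+)\]\s*\n"
    r'"imagepath"="([^"]*)"',
    re.IGNORECASE,
)


def parse_hidden_files(log):
    """Return [(path, size_bytes, is_executable)] from the catchme hidden-files block."""
    hidden, in_block = [], False
    for line in log.splitlines():
        if line.startswith("scanning hidden files"):
            in_block = True
            continue
        if in_block and line.startswith("scan completed"):
            break
        m = HIDDEN_FILE_RE.match(line) if in_block else None
        if m:
            hidden.append((m.group(1), int(m.group(2)), m.group(3) is not None))
    return hidden


def normalize_nt_path(image_path, systemroot=SYSTEMROOT):
    """Map an NT-style service ImagePath to a lower-case Win32 path.

    Handles the forms seen in service keys: "\\??\\" and "\\\\?\\" prefixes, the
    "globalroot\\" and "systemroot\\" aliases, and bare paths that the service
    controller resolves relative to %SystemRoot%.
    """
    p = image_path
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.lower().startswith(prefix):
            p = p[len(prefix):]
    if p.lower().startswith("globalroot\\"):
        p = p[len("globalroot\\"):]
    if p.lower().startswith("systemroot\\"):
        p = systemroot + "\\" + p[len("systemroot\\"):]
    elif p.lower().startswith("\\systemroot\\"):
        p = systemroot + p[len("\\systemroot"):]
    elif not re.match(r"^[A-Za-z]:\\", p):
        p = systemroot + "\\" + p.lstrip("\\")   # relative to %SystemRoot%
    return p.lower()


def parse_service_imagepaths(log):
    """Return [(service_name, raw_imagepath)] for every service block in the log."""
    return [(name, path) for name, path in SERVICE_RE.findall(log)]


def hidden_service_drivers(log, systemroot=SYSTEMROOT):
    """Services whose ImagePath resolves to a file catchme reported as hidden."""
    hidden = {normalize_nt_path(p, systemroot) for p, _, _ in parse_hidden_files(log)}
    return [(name, normalize_nt_path(ip, systemroot))
            for name, ip in parse_service_imagepaths(log)
            if normalize_nt_path(ip, systemroot) in hidden]


if __name__ == "__main__":
    for name, path in hidden_service_drivers(SAMPLE_LOG):
        print(f"service {name!r} loads hidden driver {path}")
```

Run against the full ComboFix text, the script gives the same answer the helper reached by eye: the only service loading a hidden file is clbdriver, and the rest of the clb* set (clb.dll, clbdll.dll, clbcfg.dat) is hidden alongside it, which is why CLBDLL.DLL became the Avenger target later in the thread.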
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 08:47:38 PM
Evil, while doing the CFScript with Combofix, I didn't turn off the internet. So after the log was produced, Winpatrol detected vcsron again. Also, I'm back in normal mode (which makes me even more scared of my pc's safety, and was able to save the Combofix log through notepad)

I already disabled the connection to my pc, and deleted vcsron. However, "csvnro" is now on the Add/Remove section.

I deleted the temp folder with offline contents, and also deleted cookies. Should I continue with the cleanmgr, or get rid of csvnro first?
Also, I'm accessing the internet from my sis' pc right now
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc
Post by: evilfantasy on April 30, 2008, 09:01:53 PM
If it keeps coming back we need to find the source so don't delete it. Winpatrol is reporting that csvnro is being added but it doesn't mean it is malicious. Do you know what these are?

Finish with cleanmgr and please post a new Hijackthis log.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 09:07:08 PM
Looks and sounds like bad stuff to me. I mean, the fact that it mixes the letters up after one is deleted is scary enough. It's really smart that way.. when I deleted vcsron the first time, I ran a search to see if any trace of it was left. Search came up with nothing.

Then I checked the add/remove, and saw the Csvnro, so I did a search for that and it was in the Windows folder section.

Also, I thought Winpatrol could help protect the pc. It alerted me to stuff being installed, but even when I click "NO", they swarmed in. I'll get to work on the next steps.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 09:13:12 PM
Did cleanmgr (the temp files, temp internet, recycle bin all showed 0 kb when I selected them.. don't know if that's important)

Here's the new HJT log

[recovering space - attachment deleted by admin]
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 09:15:50 PM
Download Vundofix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish; sometimes it can take multiple passes.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 09:21:43 PM
I don't recall VundoFix working well for me before, but let's hope it's different this time. I can run it in normal mode, correct?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 09:26:39 PM
Quote
I don't recall VundoFix working well for me before, but let's hope it's different this time. I can run it in normal mode, correct?

Yes normal mode.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 09:31:14 PM
Huh, vundofix finished scanning and 0 infected files were found. Wonder why that is..

I still don't feel safe with the csvnro on my pc :-\
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 09:35:07 PM
Please run the F-Secure Online Scanner (http://www.247fixes.com/forums/ipb_seo.php?url=http%3A%2F%2Fsupport.f-secure.com%2Fenu%2Fhome%2Fols.shtml)

Note: This Scanner works with Internet Explorer Only!
Cancel, then New Scan
If needed go to Start > Run > type Notepad.exe then press OK.
Paste the log into Notepad and save it to the desktop so it can easily be posted later.

This scan can take quite some time, so please be patient

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 09:37:52 PM
Do I need to be connected to the internet to use this scanner? I already disabled my internet..
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 09:38:33 PM
Yes you will need to be connected.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 09:45:35 PM
I'm really wary about connecting to the internet right now. I'm scared winpatrol will woof like crazy and a bunch of stuff gets in like that. Can I get protected first?

My norton is really out of date, do you think I can get Avast first and then do this scan?  Or can I up my windows firewall so nothing can get in?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 09:51:58 PM
First download Avast! (http://www.avast.com/eng/download-avast-home.html#DownloadAvastHomeEdition) Don't install it yet.

Uninstall all instances of Norton, Symantec and Live Update in Add/Remove Programs and then download and run the Norton Removal Tool (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039)

Now run the Avast installer and get all of the updates.

Then run the F-Secure online scan.

You have to connect to the internet at some point to install and get updates for Avast. If anything else gets in it is OK because we will find it. Please stop uninstalling or deleting anything. I need it to show up in a log so I know how to permanently get rid of it.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 10:02:23 PM
ok, I enabled connection on my pc again and am currently d/ling Avast! It's barely at 36%..

I did a skim through the intro on the avast d/l page.. does the free edition not work after 60 days?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc
Post by: evilfantasy on April 30, 2008, 10:14:13 PM
You will need to get the free license key from  HERE (http://www.avast.com/eng/home-registration.php) which lasts for 14 months, then you again renew it for free.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 10:23:21 PM
Uninstalled about 4 things in Add/Remove and restarted. (When I uninstalled Norton, it asked about the items in quarantine and I hit enter as well.) After restarting, I ran the Norton Removal Tool.

Said yes to everything it asked, and then it rebooted. However, after the Windows load screen, the monitor was black again and showed "no signal". PC shut off, and rebooted... so now I'm in safe mode with networking
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 10:24:34 PM
Run MalwareBytes again, post the log.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 10:26:02 PM
Run MBAM before or after installing Avast?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 10:28:45 PM
After. It wouldn't hurt to run a full scan with Avast after posting the MBAM log as well.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 10:32:51 PM
Installing AVAST, and then it asked this:

Do you want to schedule boot-time antivirus scan of local harddrives? Scan will perform after pc restart.

Should I say yes or no? what does boot-time mean?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 10:36:49 PM
Answer no.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 10:38:58 PM
Ok thanks. I'm restarting now, and then will do MBAM.
....

Rebooted and was able to go to normal mode. Can I run MBAM in normal mode?
(sorry for all the questions every single step of the way.. and a big thank you for your patience)
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 10:44:29 PM
Yes run everything in normal mode unless the instructions say otherwise.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 10:59:31 PM
Couldn't do MBAM in normal mode-- after logging in normal mode, I waited several minutes for the regular icons on the tray to load (it usually takes a while). But then when I tried to click startup or MBAM icon, nothing happened. It was like the desktop was frozen.

So I shut down the computer and now it's rebooted back to Safe mode with networking. I'll run MBAM now, and hopefully this can help bring us back to normal mode (and one that works too).

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 11:50:38 PM
New MBAM log:

Malwarebytes' Anti-Malware 1.11
Database version: 660

Scan type: Full Scan (C:\|)
Objects scanned: 109974
Time elapsed: 47 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007231.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007232.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007233.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007234.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007235.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007236.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007237.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007238.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007239.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007241.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007242.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007243.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
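Every hit in the MBAM log above lives under System Volume Information\_restore{...}\RP6, which is a System Restore snapshot rather than a file in use on the running system; a detection under C:\WINDOWS or Program Files means something different. The script below is an added example (not Malwarebytes' code) that splits a 1.x-format "Files Infected" section into restore-point copies and live-path hits. The sample contains three lines copied from the log above plus one made-up live-path entry ("example_live.dll", "Trojan.Example") so both buckets are exercised.

```python
"""Triage an MBAM 1.x log: separate System Restore copies from live files.

Added example for this thread, not Malwarebytes' own code. Restore-point
copies (…\\_restore{GUID}\\RPn\\A00xxxxx.ext) are snapshots of files that were
already removed from their original location; live-path hits are the ones
that still need a loading point tracked down.
"""
import re

# Constructed sample: three lines from the MBAM log above plus one made-up
# live-path hit ("C:\WINDOWS\system32\example_live.dll") for contrast.
SAMPLE_MBAM = r"""
Files Infected: 4

Files Infected:
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007231.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007241.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example_live.dll (Trojan.Example) -> Quarantined and deleted successfully.
"""

# "<path> (<detection>) -> <action>."
FILE_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$"
)
# System Restore snapshot directory, with the restore-point number captured
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.IGNORECASE
)


def parse_files_infected(log):
    """Return a list of dicts for each line in the detailed "Files Infected:" section.

    The summary header ("Files Infected: 13") is skipped; only the bare
    "Files Infected:" heading opens the section.
    """
    entries, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():
            if entries:
                break            # blank line after the list ends the section
            continue
        m = FILE_LINE_RE.match(line)
        if not m:
            continue
        rp = RESTORE_RE.search(m.group("path"))
        entries.append({
            "path": m.group("path"),
            "detection": m.group("detection"),
            "action": m.group("action"),
            "restore_point": int(rp.group(1)) if rp else None,
        })
    return entries


def triage(log):
    """Split detections into restore-point copies and live-path hits."""
    entries = parse_files_infected(log)
    return {
        "restore_point": [e for e in entries if e["restore_point"] is not None],
        "live": [e for e in entries if e["restore_point"] is None],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MBAM)
    print(f"{len(result['restore_point'])} restore-point copies, {len(result['live'])} live hits")
    for e in result["live"]:
        print(f"  live: {e['path']} ({e['detection']})")
```

On the full log above the live bucket comes back empty: all 13 items are RP6 snapshot copies, consistent with the helper moving on to a second opinion scan rather than chasing those paths.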
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on April 30, 2008, 11:52:09 PM
Normal mode?

If so try the F-Secure scan now. If not then run SDFix again.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on April 30, 2008, 11:53:26 PM
No, I ran this in safemode with networking (see above for reason).

I'll do SDFix again then.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 12:12:05 AM
Able to completely run SDFix this time.. it rebooted to normal mode. Upon logging in, the SDFix window appeared and finished the process.


SDFix: Version 1.177
Run by User on 2008-04-30 at 10:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MRV47

Path :

MRV47 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\system32\sockins32.dll  - Deleted
C:\WINDOWS\winself.exe  - Deleted
C:\WINDOWS\system32\drivers\MRV47.sys - Deleted
C:\WINDOWS\system32\drivers\MRV47.sys - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 23:03:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:4ce74f62
"s1"=dword:1fb8e70e
"s2"=dword:a278c24d

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Disabled:Symantec Removal Utility"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 12 Mar 2003           119 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Tue 26 Mar 2002         1,024 A..HR --- "C:\WINDOWS\system32\ntiembed.dll"
Tue 22 Apr 2008       145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Wed  7 Mar 2001       311,296 A..HR --- "C:\WINDOWS\system32\Tools\AC2K.exe"
Tue 20 Feb 2001       310,784 A..HR --- "C:\WINDOWS\system32\Tools\AC98.exe"
Tue 20 Feb 2001       311,296 A..HR --- "C:\WINDOWS\system32\Tools\ACL98.exe"
Tue 20 Feb 2001       311,808 A..HR --- "C:\WINDOWS\system32\Tools\ACLME.exe"
Fri 27 Apr 2001       327,168 A..HR --- "C:\WINDOWS\system32\Tools\All.exe"
Thu 23 Nov 2000       316,416 A..HR --- "C:\WINDOWS\system32\Tools\AutoClick.exe"
Tue 16 Oct 2001       363,008 A..HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Wed 10 Apr 2002       547,840 A..HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Thu 30 Aug 2001       381,440 A..HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Sun 20 Jan 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelDv.exe"
Mon 19 Mar 2001       532,480 A..HR --- "C:\WINDOWS\system32\Tools\DeleteFiles.exe"
Sun 20 Jan 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelT2.exe"
Sun 20 Jan 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelT2Dv.exe"
Wed  6 Mar 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelTools.exe"
Mon 11 Mar 2002       361,472 A..HR --- "C:\WINDOWS\system32\Tools\LostRun.exe"
Mon  2 Apr 2001       296,960 A..HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Thu  7 Mar 2002       369,152 A..HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Thu  7 Mar 2002       382,464 A..HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Thu  7 Mar 2002       374,784 A..HR --- "C:\WINDOWS\system32\Tools\RunAP.exe"
Thu  7 Mar 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Fri  2 Nov 2001       379,392 A..HR --- "C:\WINDOWS\system32\Tools\SDW98ME.exe"
Fri  9 Mar 2001       312,832 A..HR --- "C:\WINDOWS\system32\Tools\SoundDrv.exe"
Fri 12 Nov 2004        37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 30 Apr 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT2.tmp"
Mon 26 Jun 2006       273,920 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL0003.tmp"
Mon  2 Oct 2006       632,832 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL0701.tmp"
Mon  2 Oct 2006       111,104 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL1421.tmp"
Sun 29 Oct 2006     1,031,680 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL1530.tmp"
Mon  2 Oct 2006       419,840 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL1910.tmp"
Mon  2 Oct 2006       210,432 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL2468.tmp"
Mon  2 Oct 2006       312,832 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL2915.tmp"
Mon  2 Oct 2006        70,144 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL3288.tmp"
Mon  2 Oct 2006       532,992 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL3469.tmp"

Finished!

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 12:18:53 AM
After SDFix was done and the desktop loaded, A LOT of things happened.

Report.txt log showed
Then the Disk Monitor message popped up: "failure: Create Service, Error_Service_Exists"
The page for that Symantec/Norton Removal tool also appeared on its own
A couple "your pc has recovered from a serious error" showed up
AVAST! On Access Scanner is running ( it says 7 providers total, 6 running).
avast! virus recovery database is also running.

Winpatrol has detected a lot of things trying to install. Help???!!!
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 12:29:31 AM
Should I approve this? Here's what's in the winpatrol new program alert:

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

I denied this a couple of times already, since I'm not sure if I should trust it or not.  Is this the authentic Avast program?

Also, out of the 7 Avast providers, 4 are now running. What does that mean?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 01, 2008, 12:31:53 AM
That is part of Avast.

ashdisp.exe is a process belonging to Avast Internet security suite. This utility forms an important part of your computers protection against Internet-bound viruses and worms, and should not be terminated.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 12:38:26 AM
Ok, I approved that. Then winpatrol popped up with this message.

Winpatrol File Type Change Alert

Scotty is on patrol and has detected a change to one of your file type associations.    .SCR

The program currently assoc. with this file type is:
No Icon    Name    Info
           Company name
           %1 /S

A change was made to use following program for this file type.
No Icon    Name    Info
           Company name
           %1 %*

Is this change ok?
Yes or No

.........
^I'm trying to replicate how it looks in the window. Evil, what is all this?? I have no clue what's going on.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 01, 2008, 12:43:43 AM
It is a screensaver file, but can be very dangerous. Don't open one if you got it by mail.

Avast has a screensaver setting so it is most likely related to that. Allow it.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 12:47:12 AM
Ok I allowed it. Why is there a screensaver? And if it's dangerous, why is it there?

Also, can you do a rundown of how Winpatrol works? I thought it would just automatically stop everything trying to get in the pc without those popup alerts.

Also, does the number of Avast providers matter (say 4 vs 6)? If the more the better, how can I get back to having 7 providers running?

(Sorry for the nonstop questions) :o
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 01, 2008, 12:56:37 AM
I have never had all seven providers running on either of my PCs. Depending on what you use they will not all run. Double click on the Avast icon in the system tray then click the details tab near the bottom. You will see what all providers you have in the left side.

WinPatrol is a monitor. It alerts you to new programs installing themselves. If you have just downloaded or updated something it is common that you will get anywhere from 1, to 3 or 4 alerts from it. It is when you haven't downloaded anything that you need to really worry.

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 01:05:04 AM
Oh ok, I understand now. They're seven different providers, and it depends on what other programs are running on the pc. If I was on AIM, then that particular one would be running right? Very nice!!

I said "NO" to everything that winpatrol asked when I first rebooted, so there's probably some more related to Avast. Hopefully, those will be asked again.

But I'm still paranoid about anything that pops up after this round.

so where to go from here... F-secure scan? csvnro is still lurking in my pc >:(
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc
Post by: evilfantasy on May 01, 2008, 01:12:32 AM
Quote
so where to go from here... F-secure scan? csvnro is still lurking in my pc

Yes, the f-secure scan. Let everything run; without it running, it may not show up in the scans. We need to get file paths for these items to know how to delete them.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 01:16:03 AM
My java still needs to be updated. Should we do that first, or do the F-secure scan first and then update the Java later?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 01, 2008, 01:17:44 AM
You can update Java later, let's try to get all of the malware first.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 07:58:57 AM
Left it scanning overnight and here's the result

Scanning Report
Thursday, May 01, 2008 00:22:02 - 06:53:12
Computer name: OWNER
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 3 malware found
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Small (virus)
System
Trojan-Downloader.Win32.Small.uzg (virus)
C:\WINDOWS\SYSTEM32\CLBDLL.DLL

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 72642
System: 4405
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 3
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD0237.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-04-30
F-Secure AVP: 7.0.171, 2008-04-30
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc
Post by: evilfantasy on May 01, 2008, 11:34:31 AM
Now download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 and save it to your Desktop.
Code:
Comment:

Files to delete:
C:\WINDOWS\SYSTEM32\CLBDLL.DLL


Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 01, 2008, 07:00:19 PM
Hi Evil,

Here's the Avenger log... just to note, only the "Scan for rootkit" box was checkmarked. The "Delete" box under that wasn't checkmarked.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\SYSTEM32\CLBDLL.DLL" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\CLBDLL.DLL" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 10:12:23 AM
OK, I wanted to be sure that file was gone and it is. Let's see what else might be lurking. Hopefully we are close to done.

Use the  Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 07:17:44 PM
Quick question.. I already have Kaspersky Online Scanner in my Add/Remove program list (from the first time when you helped me in Jan.) Should I remove that first before I do this?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 07:18:40 PM
Yes it would be best to remove that and start fresh. That way you will be sure to get all of the current updates.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 09:31:12 PM
Ok, Kaspersky's still scanning, but I just came back to my pc and Avast detected a virus. Here's what it says..

A Virus Was Found!
File name: C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932     (I can't read rest of the file name since the window's small)

Malware name: VBS:Malware-gen
Malware type: Virus/Worm
VPS version: 080502-0, 2008-05-02

Available actions
Move/Rename, Delete, Repair, Move to Chest

Recommended action: Move to chest.

Can I just delete this??
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 09:36:09 PM
Let Kaspersky finish and post the log.

That Avast warning will be taken care of easily enough. Just wait for Kaspersky to finish.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 09:40:09 PM
Oh, thanks for the quick response.

So should I just leave the Avast window open, or select "No Action"?? (Next to the No Action button, there's a note saying that "if you press the 'No Action' button, the malware will NOT be activated.")

It looks like Kaspersky was scanning that same vbs file as well, and it's stuck there. The duration progress is the only thing changing while everything else is the same.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 09:44:17 PM
No problem. C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932 is an isolated area from the rest of Windows so it can't do any harm.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 09:45:24 PM
Evil, please read my above post. I modified it to add some new info
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 09:51:06 PM
Give it a little more time and see if it progresses any. If it is stuck we will do some clean up and try again. It may just be on a large system file.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 09:55:05 PM
Ok, I'll wait another 20 minutes and see if anything changes.

I'm worried about tomorrow. Seems the viruses attacked on two Saturdays in a row. Have there been any reported incidents like that, where the viruses come back every week? >:(
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 10:00:30 PM
Real-time Virus Reporting - Last 24 hours

http://www.bitdefender.com/site/VirusInfo/realTimeReporting/
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 10:23:08 PM
Ok, it's been about 50 minutes (at least) since Kaspersky has been on the same file and not progressed in the scanning. I really think it stopped when the Avast window popped up.

Do you still want me to wait, and if so, how much longer?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 10:28:47 PM
No, go ahead and exit out of it and let's clean up.

Download OTMoveIt2 by OldTimer  OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Note: The restore point is what Avast flagged as infected. This will clear all infections from there.
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
Let me know how things are now.
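The two points made above (that the _restore{...} folder under System Volume Information is walled off from the running system, and that a fresh restore point should be set only after cleaning so an infected one cannot be rolled back to) can be carried out from PowerShell. This is an added example, not the helper's own instructions or any tool from the thread; it assumes Windows with PowerShell 2.0 or later, an elevated session, and that Windows lives on C:. The cmdlet names are Microsoft's standard ones.

```powershell
# Added example (not from the thread): discard possibly infected restore points
# on the system drive, then create a fresh, clean one.
# Assumptions: Windows PowerShell 2.0+, run as Administrator, Windows on C:.
$drive = "C:\"   # assumption: the system drive

# 1. Show what exists now. Each point is a _restore{GUID} folder under
#    "System Volume Information", the area Avast flagged in the thread.
Write-Host "Restore points before cleanup:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# 2. Turning System Restore off for the drive deletes every restore point on
#    it, including any that holds a copy of the infected file.
Disable-ComputerRestore -Drive $drive

# 3. Turn it back on so the machine can roll back to a clean state later.
Enable-ComputerRestore -Drive $drive

# 4. Create the new restore point AFTER the cleanup tools have finished.
$desc = "Clean after malware removal " + (Get-Date -Format "yyyy-MM-dd")
Checkpoint-Computer -Description $desc -RestorePointType MODIFY_SETTINGS

# 5. Confirm that only the new point remains.
Write-Host "Restore points after cleanup:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Disabling and re-enabling System Restore is the scripted equivalent of the old manual "turn System Restore off, reboot, turn it back on" advice; on newer Windows versions Checkpoint-Computer refuses to create a second point within 24 hours unless the registry frequency limit is changed, so run it once, after the cleanup.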
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 10:31:04 PM
Before I run OTmoveit, do I do anything about the window with the Avast warning?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 02, 2008, 10:34:02 PM
If it gives an option to move it to the vault or delete it then either one of those will be fine.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 02, 2008, 10:35:56 PM
Ok, I chose Delete, instead of the Move it to the chest.

Will start OTMoveIt2 now
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 03, 2008, 12:59:11 AM
Finally able to reboot to normal mode without any problems, logged in and loaded the desktop without problems, and have everything functional.
....
Here's what happened earlier. I finished OTMoveit and was prompted to reboot. I did that and rebooted to normal mode. Upon logging in, the Disk Monitor message popped up: "failure: Create Service, Error_Service_Exists"  I have NO CLUE why it appeared but closed it. Avast and Winpatrol were running but the Internet Connection said it was unplugged. Had to restart again.

This time, the avast icon looked like it was lagging, and after a couple of slow spins, it froze. The entire desktop froze and I couldn't do anything. Had to reboot, and it was basically an alternation between -- frozen desktop or desktop with everything running except the internet. Along the way, I had trouble rebooting as well... after the Windows load screen, it would say "no signal" and the pc rebooted.

So now I'm worried about having to shut down the machine too much.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 03, 2008, 01:05:09 AM
Also, after logging in and seeing everything working, I created a new restore point.

But here's my worry. When we removed all the viruses two weeks ago, I created a new restore point on 4/23. Then a couple days later on Saturday 4/26, the viruses hit. I tried to go to system restore, but only saw a restore point created on 4/26 at exactly the time the viruses entered my pc. Couldn't find the restore point I created at all.

Is that normal? Would I be able to go to my latest Restore Point if that happened?

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 03, 2008, 01:39:32 AM
Not sure. Let's give it 24 hours or so and see if everything starts to come back to normal.

Also go to www.secunia.com and check for updates again.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 04, 2008, 03:29:33 AM
Was looking at Avast! VRDB and mine was defaulted to "Generate VRDB only when screen-saver is running" I don't use a screen saver at all, just turn the monitor off when I'm not using my pc..

Would it be better to switch it to "Generate VRDB when computer is idle?" or should I generate VRDB now?

Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 04, 2008, 09:10:15 AM
You can generate now if you like. It shouldn't slow down the PC any. If it does then do it when idle.
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 04, 2008, 11:44:58 AM
Ok, I did generate now, and it finished.. so then I clicked on the "generate when idle".

So having a windows firewall + Avast + winpatrol is sufficient enough to protect my pc? Any other things I need to do?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 04, 2008, 11:48:35 AM
Sounds good. You might check out SpywareBlaster if you don't already have it.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

To learn more about how to protect yourself while on the internet, read this article by Tony Klein:  So how did I get infected in the first place? (http://www.castlecops.com/postlite7736-.html)
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 04, 2008, 01:30:17 PM
Ok, I'll install SpywareBlaster then. I want 100% protection if possible.

Can you check this list from Winpatrol and advise on what I need to do? I'm worried about the ones detected today--I was d/ling a tv show via megaupload (I know, tsk tsk right? :-[) and then noticed that Scotty (winpatrol icon) looked like it was on a white dot. I immediately closed the d/l (which was at 4%) and then checked the list.

(http://i2.photobucket.com/albums/y21/chungie/Tech/IMG_5851.jpg)

Are the ones from Nvidia Corp legit? or can those get infected and replaced by impersonators?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 04, 2008, 02:08:16 PM
I also just checked the "Active Tasks" tab in winpatrol and noticed WINPATROLEX.exe; it was first detected around noon today as well. Under program description, it says Winpatrol. And under company, it says BillP Studios.

Is this safe?
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: evilfantasy on May 04, 2008, 03:07:50 PM
Everything looks fine. BillP Studios is who makes WinPatrol. Unless WinPatrol pops up saying anything everything should be fine.
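The question a few posts up, whether startup entries that say "Nvidia Corp" or "BillP Studios" could be impostors, is the kind of thing a practitioner checks by looking at the Authenticode signature on the file each Run-key entry launches, rather than at the company name WinPatrol displays (which comes from the file's own, editable version resource). The following is an added example, not part of the thread and not WinPatrol's own code; it assumes Windows PowerShell and reads only the two standard Run keys.

```powershell
# Added example (not from the thread): list the programs launched from the
# HKLM and HKCU Run keys and report whether each file carries a valid
# publisher signature, and from whom. A valid signature from the expected
# vendor is strong evidence the entry is genuine; "NotSigned" is not proof
# of malware on its own, but it is the entry to look at more closely.
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* bookkeeping properties that Get-ItemProperty adds.
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike "PS*" } |
        Select-Object -ExpandProperty Name

    foreach ($name in $names) {
        $cmd = [string]$props.$name
        # Reduce the command line to the executable path:
        # either the quoted first token or the first whitespace-delimited token.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(no signer)" }
            "{0,-28} {1,-14} {2}" -f $name, $sig.Status, $exe
            "    signer: $signer"
        } else {
            # A Run entry pointing at a file that no longer exists is itself
            # worth noting: leftovers from a removed program, or a failed cleanup.
            "{0,-28} {1,-14} {2}" -f $name, "FILE MISSING", $exe
        }
    }
}
```

For the entries discussed in the thread, a genuine NVIDIA driver helper or WinPatrol binary shows Status "Valid" with the vendor's name in the signer subject; an entry with the right company name in its description but no signature, or a signature from an unrelated subject, is the impersonation case the poster was asking about.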
Title: Re: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)
Post by: green tea on May 04, 2008, 04:14:43 PM
Good to know. I'll start on spywareblaster then. ;)