Infected by OuterInfo <again> GRRRRR :@

I reinstalled that entire PC from scratch (reformatted the drive). Something must have come back from a restore, because I have this OuterInfo crap on the PC that keeps popping up ads. When I try to uninstall it, it asks me to type in characters from a graphic as a Turing test (I imagine to keep automated programs from removing it). Ridiculous. Of course, when I entered the characters it was only removed "temporarily". Here's my HijackThis log. Can someone help me get this to go away?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:42 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1208331713\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Documents and Settings\Sherri Brown\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Sherri Brown\Application Data\Microsoft\Windows\xqokrm.exe
C:\Documents and Settings\Sherri Brown\My Documents\??crosoft.NET\w?nlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Xyron Wishblade Controller\XYWSSupervisor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:3476/cgi-bin/ncgir....eth_index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {134694C3-2970-7C80-061A-2900CCC9819E} - C:\WINDOWS\system32\sxbwsen.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1208331713\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Sherri Brown\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Sherri Brown\Application Data\Microsoft\Windows\xqokrm.exe
O4 - HKCU\..\Run: [Enao] "C:\PROGRA~1\ICROSO~1.NET\wucrtupd.exe" -vt yazb
O4 - HKCU\..\Run: [Amspih] "C:\Documents and Settings\Sherri Brown\My Documents\??crosoft.NET\w?nlogon.exe"
O4 - HKCU\..\Run: [wqmu] C:\PROGRA~1\COMMON~1\wqmu\wqmum.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Xyron Wishblade Status Supervisor.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://origin.games.yahoo.net/games/clients/y/tt5_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207445245537
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207445332188
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9980 bytes
Re: Infected by OuterInfo <again> GRRRRR

Please download ComboFix by sUBs from HERE or HERE.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
| Re: Infected by OuterInfo <again> GRRRRR Ok... ComboFix was run.... The log along with the HJT log is below. I also deleted some Internet Security Site shortcut on the desktop that pointed back to the OuterInfo website... :angry: Here's the logs.... and thanks for the help... :) ComboFixLog.txt ComboFix 08-04-20.2 - Sherri Brown 2008-04-21 0:16:06.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.492 [GMT -4:00] Running from: C:\Documents and Settings\Sherri Brown\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Sherri Brown\Application Data\WinTouch\wintouch.cfg C:\Documents and Settings\Sherri Brown\Application Data\WinTouch\WinTouch.exe C:\Documents and Settings\Sherri Brown\Application Data\WinTouch\WTUninstaller.exe C:\Documents and Settings\Sherri Brown\Local Settings\Temporary Internet Files\CPV.stt C:\Documents and Settings\Sherri Brown\My Documents\CROSOF~1.NET C:\Documents and Settings\Sherri Brown\My Documents\CROSOF~1.NET\w?nlogon.exe C:\Documents and Settings\Sherri Brown\My Documents\DOBE~1 C:\WINDOWS\Downloaded Program Files\setup.inf . ((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 ))))))))))))))))))))))))))))))) . 2008-04-16 04:19 . 2008-04-16 04:19 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav 2008-04-16 04:19 . 2008-04-16 04:19 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav 2008-04-16 04:19 . 2008-04-16 04:19 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER 2008-04-16 04:19 . 2008-04-16 04:19 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE 2008-04-16 04:18 . 2008-04-16 04:18 <DIR> d-------- C:\WINDOWS\system32\Lang 2008-04-08 07:21 . 2008-04-08 07:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom 2008-04-08 00:18 . 
2008-04-08 00:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico 2008-04-07 09:00 . 2008-04-17 18:37 6 --a------ C:\WINDOWS\msoffice.ini 2008-04-07 08:50 . 2008-04-07 08:50 <DIR> d-------- C:\Program Files\MSXML 4.0 2008-04-07 07:03 . 2008-04-20 19:04 69 --a------ C:\WINDOWS\NeroDigital.ini 2008-04-06 22:52 . 2008-04-06 22:52 <DIR> d-------- C:\Program Files\AOL 9.0a 2008-04-06 22:48 . 2008-04-06 22:48 <DIR> d-------- C:\Program Files\Common Files\Nullsoft 2008-04-06 22:43 . 2008-04-06 22:48 <DIR> d-------- C:\Program Files\AOL 9.0 2008-04-06 22:42 . 2008-04-06 22:42 335 --a------ C:\WINDOWS\nsreg.dat 2008-04-06 22:38 . 2008-04-06 22:38 44 --a------ C:\WINDOWS\wininit.ini 2008-04-06 15:44 . 2008-04-06 15:44 <DIR> d-------- C:\Program Files\Connected Software 2008-04-06 15:41 . 2008-04-06 15:41 <DIR> d-------- C:\Program Files\Samsung Network Printer Utilities 2008-04-06 15:40 . 2005-03-03 22:32 151,552 --a------ C:\WINDOWS\system32\SUGG1CI.exe 2008-04-06 15:40 . 2004-10-12 06:25 57,344 --a------ C:\WINDOWS\system32\SUGG1CI.dll 2008-04-06 15:40 . 2006-09-01 23:05 22,663 --a------ C:\WINDOWS\system32\SUGG1LMK.DLL 2008-04-06 15:40 . 2006-04-07 19:20 11,502 --------- C:\WINDOWS\Dr. Printer Icon.ico 2008-04-06 15:40 . 2005-09-10 00:04 555 --a------ C:\WINDOWS\system32\SUGG1LMK.SMT 2008-04-06 15:39 . 2008-04-06 15:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Samsung 2008-04-06 15:39 . 2008-04-06 15:39 <DIR> d-------- C:\temp\CLP-300 2008-04-06 15:39 . 2008-04-06 15:39 <DIR> d-------- C:\Program Files\Samsung 2008-04-06 15:39 . 2006-06-12 19:06 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS 2008-04-06 15:00 . 2008-04-06 15:00 <DIR> d-------- C:\Program Files\Citrix 2008-04-06 14:43 . 2008-04-06 14:43 <DIR> d-------- C:\Program Files\TiVo 2008-04-06 14:43 . 2008-04-06 14:43 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared 2008-04-06 14:42 . 
2008-04-06 14:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-04-06 14:37 . 2008-04-18 23:59 2,496 --a------ C:\WINDOWS\system32\d3d8caps.dat 2008-04-06 14:36 . 2008-04-08 07:20 <DIR> d-------- C:\Program Files\Yahoo! Games 2008-04-06 14:33 . 2008-04-21 00:20 <DIR> d-------- C:\Program Files\CyberPower PowerPanel Personal Edition 2008-04-06 14:30 . 2008-04-06 14:30 <DIR> d-------- C:\Program Files\Common Files\Zero G Software 2008-04-06 14:27 . 2008-04-06 14:27 77 --a------ C:\WINDOWS\ShowDesktop.scf 2008-04-06 14:00 . 2008-04-06 14:03 <DIR> d-------- C:\Program Files\Xyron Wishblade Create and Cut 8.1v1 2008-04-06 13:55 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe 2008-04-06 13:52 . 2008-04-06 13:52 <DIR> d-------- C:\Program Files\Xyron Wishblade Controller 2008-04-06 13:52 . 2008-04-06 13:52 <DIR> d-------- C:\Program Files\Xyron Wishblade 2008-04-06 13:52 . 2008-04-06 13:52 <DIR> d-------- C:\Program Files\XYRON 2008-04-06 13:52 . 2006-11-10 08:10 25,485 --a------ C:\WINDOWS\system32\GTCCRMON.DLL 2008-04-06 13:31 . 2008-04-20 09:53 2,608 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-04-06 13:27 . 2008-04-06 13:27 <DIR> d-------- C:\Program Files\iTunes 2008-04-06 13:27 . 2008-04-06 13:27 <DIR> d-------- C:\Program Files\iPod 2008-04-06 13:27 . 2008-04-21 00:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-04-06 13:27 . 2008-04-06 13:27 1,409 --a------ C:\WINDOWS\QTFont.for 2008-04-06 13:26 . 2008-04-06 13:26 <DIR> d-------- C:\Program Files\Bonjour 2008-04-06 13:25 . 2008-04-06 13:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2008-04-06 13:25 . 2008-04-06 13:26 <DIR> d-------- C:\Program Files\QuickTime 2008-04-06 13:25 . 2008-04-06 13:25 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-04-06 13:25 . 2008-04-06 13:25 <DIR> d-------- C:\Program Files\Apple Software Update 2008-04-06 13:18 . 2008-04-06 13:18 <DIR> d-------- C:\Program Files\Viewpoint 2008-04-06 13:18 . 
2008-04-17 18:40 <DIR> d-------- C:\Program Files\Common Files\AOL 2008-04-06 13:17 . 2008-04-06 13:18 <DIR> d-------- C:\Program Files\AIM6 2008-04-06 13:14 . 2008-04-06 13:14 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-04-06 12:47 . 2008-04-06 12:47 <DIR> d-------- C:\Program Files\AMD 2008-04-06 12:47 . 2004-05-08 10:21 35,840 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys 2008-04-06 12:24 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Common Files\Nero 2008-04-06 12:24 . 2008-04-06 12:25 <DIR> d-------- C:\Program Files\Common Files\LightScribe 2008-04-06 12:24 . 2005-04-20 07:32 2,916,352 --------- C:\WINDOWS\UNNMP.exe 2008-04-06 12:24 . 2006-06-07 09:16 47,894 --------- C:\WINDOWS\UNNMP.cfg 2008-04-06 12:23 . 2006-01-12 16:40 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2008-04-06 12:23 . 2008-04-06 12:24 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG 2008-04-06 12:22 . 2008-04-06 12:22 <DIR> d-------- C:\Program Files\Common Files\Ahead 2008-04-06 12:22 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Ahead 2008-04-06 12:22 . 2005-07-29 11:12 2,977,792 --------- C:\WINDOWS\UNNeroVision.exe 2008-04-06 12:22 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll 2008-04-06 12:22 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll 2008-04-06 12:22 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll 2008-04-06 12:22 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll 2008-04-06 12:22 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll 2008-04-06 12:22 . 2006-06-07 09:16 179,288 --------- C:\WINDOWS\UNNeroVision.cfg 2008-04-06 12:22 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll 2008-04-06 12:22 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll 2008-04-06 12:22 . 2001-03-08 19:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll 2008-04-06 11:33 . 
2008-04-21 00:04 488 --a------ C:\hpfr5550.xml 2008-04-06 11:23 . 2008-04-06 12:50 <DIR> d-------- C:\Program Files\Web Publish 2008-04-06 11:23 . 2003-07-08 14:45 970,752 --a------ C:\WINDOWS\system32\cdintf210.dll 2008-04-06 11:23 . 2004-10-07 21:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS 2008-04-06 11:06 . 2008-04-06 11:42 <DIR> d-------- C:\Program Files\The Print Shop 22 2008-04-06 11:06 . 2008-04-06 11:41 <DIR> d-------- C:\Program Files\Common Files\Broderbund 2008-04-06 11:02 . 2008-04-06 11:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp 2008-04-06 10:54 . 2008-04-06 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir 2008-04-06 10:46 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll 2008-04-06 10:46 . 2008-04-07 08:48 376 --a------ C:\WINDOWS\ODBC.INI 2008-04-06 10:45 . 2008-04-06 10:45 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-04-06 10:45 . 2008-04-06 10:45 <DIR> d-------- C:\Program Files\Microsoft ActiveSync 2008-04-06 10:40 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2008-04-06 10:40 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys 2008-04-06 10:38 . 2008-04-06 10:41 19,558 --a------ C:\WINDOWS\hpoins01.dat 2008-04-06 10:38 . 2003-04-22 10:24 16,606 --------- C:\WINDOWS\hpomdl01.dat 2008-04-06 08:55 . 2008-04-06 08:55 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard 2008-04-06 08:54 . 2008-04-06 10:39 <DIR> d-------- C:\Program Files\Hewlett-Packard 2008-04-06 08:53 . 2008-04-06 08:53 <DIR> d-------- C:\temp\HP All-in-One Series Web Release 2008-04-06 08:53 . 2008-04-06 15:39 <DIR> d-------- C:\temp 2008-04-06 08:48 . 2008-04-21 00:00 <DIR> d-------- C:\downloads 2008-04-06 08:06 . 2008-04-09 22:19 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2008-04-06 08:01 . 2008-04-06 08:01 <DIR> d-------- C:\Program Files\Support Tools 2008-04-06 00:58 . 
2005-06-17 05:32 18,751,488 -ra------ C:\WINDOWS\system32\ALSNDMGR.CPL 2008-04-06 00:58 . 2005-06-17 05:28 9,409,536 -ra------ C:\WINDOWS\system32\RTLCPL.EXE 2008-04-06 00:58 . 2005-06-16 12:24 2,324,160 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2008-04-06 00:58 . 2005-06-02 04:31 294,912 -r------- C:\WINDOWS\alcupd.exe 2008-04-06 00:58 . 2005-06-02 04:43 200,704 -r------- C:\WINDOWS\alcrmv.exe 2008-04-06 00:58 . 2004-09-07 02:23 156,672 -ra------ C:\WINDOWS\system32\RTLCPAPI.dll 2008-04-06 00:58 . 2002-02-05 01:54 141,016 -ra------ C:\WINDOWS\system32\ALSNDMGR.WAV 2008-04-06 00:58 . 2005-06-14 06:36 77,824 -ra------ C:\WINDOWS\SOUNDMAN.EXE 2008-04-06 00:58 . 2005-05-18 01:38 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe 2008-04-06 00:31 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll 2008-04-06 00:26 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys 2008-04-06 00:26 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe 2008-04-06 00:26 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll 2008-04-06 00:24 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2008-04-05 23:52 . 2008-04-05 23:52 48 --a------ C:\WINDOWS\pccillin.ini 2008-04-05 23:38 . 2007-09-17 15:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys 2008-04-05 23:38 . 2007-04-12 06:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys 2008-04-05 23:38 . 2007-09-17 15:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-04-05 23:38 . 2007-04-12 06:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys 2008-04-05 23:38 . 2007-04-12 06:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys 2008-04-05 23:38 . 2007-09-17 15:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-04-05 23:37 . 2008-04-06 14:16 <DIR> d-------- C:\Program Files\Trend Micro 2008-04-05 22:36 . 
2008-04-05 22:36 <DIR> d-------- C:\WINDOWS\provisioning 2008-04-05 22:36 . 2008-04-05 22:36 <DIR> d-------- C:\WINDOWS\peernet 2008-04-05 22:36 . 2008-04-16 03:59 316,640 --a------ C:\WINDOWS\WMSysPr9.prx 2008-04-05 22:35 . 2008-04-05 22:35 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-04-05 22:33 . 2008-04-05 22:33 <DIR> d-------- C:\WINDOWS\EHome . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-17 22:37 --------- d-----w C:\Documents and Settings\Sherri Brown\Application Data\AOL 2008-04-17 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2008-04-16 07:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads 2008-04-07 20:30 499,392 ----a-w C:\WINDOWS\java\Packages\5JZLZ1NX.ZIP 2008-04-07 18:12 --------- d-----w C:\Documents and Settings\Sherri Brown\Application Data\Viewpoint 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! 
Companion 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6 2008-04-07 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-04-06 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-06 18:01 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll 2008-04-06 18:01 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys 2008-04-06 01:45 --------- d-----w C:\Program Files\microsoft frontpage 2008-04-06 01:44 558,142 ----a-w C:\WINDOWS\java\Packages\EKMPND3X.ZIP 2008-04-06 01:44 155,995 ----a-w C:\WINDOWS\java\Packages\2833DFJR.ZIP 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-08 02:03 --------- d-----w C:\Documents and Settings\Sherri Brown\Application Data\Move Networks 2008-03-06 10:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll 2008-03-06 10:12 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll 2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-02-27 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro 2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll 2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll 2008-01-29 16:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll 2007-07-01 18:26 167 ---h--w C:\Documents and Settings\Sherri Brown\hpothb07.dat 2006-09-03 20:44 366 ---h--w C:\Documents and Settings\Sherri Brown\Application Data\hpothb07.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134694C3-2970-7C80-061A-2900CCC9819E}] C:\WINDOWS\system32\sxbwsen.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "PowerPanel Personal Edition User Interaction"="C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 14:39 315392] "TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2006-07-11 07:23 1174528] "TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2006-07-11 07:24 341504] "TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2006-07-11 07:26 1313792] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ] "Enao"="C:\PROGRA~1\ICROSO~1.NET\wucrtupd.exe" [ ] "Amspih"="C:\Documents and Settings\Sherri Brown\My Documents\??crosoft.NET\w?nlogon.exe" [ ] "wqmu"="C:\PROGRA~1\COMMON~1\wqmu\wqmum.exe" [ ] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 06:58 3429904] "SoundMan"="SOUNDMAN.EXE" [2005-06-14 06:36 77824 C:\WINDOWS\SOUNDMAN.EXE] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security 
center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= R2 Par1284;Par1284;C:\Program Files\Xyron Wishblade Create and Cut 8.1v1\Program\Par1284.sys [2006-10-16 08:47] R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38] S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c968051c-df96-11db-9274-0015f29cc96f}] \Shell\AutoRun\command - F:\Autorun.exe /run \Shell\Shell00\Command - F:\Autorun.exe /run \Shell\Shell01\Command - F:\Autorun.exe /action \Shell\Shell02\Command - F:\Autorun.exe /uninstall . Contents of the 'Scheduled Tasks' folder "2008-04-15 01:54:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-04-06 14:42:28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1207492891.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-21 00:20:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
C:\DOCUME~1\SHERRI~1\LOCALS~1\Temp\TFR3.tmp 0 bytes scan completed successfully hidden files: 1 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Xyron Wishblade Controller\XYWSSupervisor.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . 
Completion time: 2008-04-21 0:25:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 04:25:48
Pre-Run: 72,260,870,144 bytes free
Post-Run: 73,234,792,448 bytes free
270 --- E O F --- 2008-04-21 04:05:10

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:29 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Xyron Wishblade Controller\XYWSSupervisor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:3476/cgi-bin/ncgir....eth_index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {134694C3-2970-7C80-061A-2900CCC9819E} - C:\WINDOWS\system32\sxbwsen.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Enao] "C:\PROGRA~1\ICROSO~1.NET\wucrtupd.exe" -vt yazb
O4 - HKCU\..\Run: [Amspih] "C:\Documents and Settings\Sherri Brown\My Documents\??crosoft.NET\w?nlogon.exe"
O4 - HKCU\..\Run: [wqmu] C:\PROGRA~1\COMMON~1\wqmu\wqmum.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Xyron Wishblade Status Supervisor.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://origin.games.yahoo.net/games/clients/y/tt5_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207445245537
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207445332188
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8794 bytes
Re: Infected by OuterInfo <again> GRRRRR

Can you please do the following.

===============

Go to Add/Remove programs and uninstall the following, if present:

Viewpoint Manager

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Scan with HijackThis and then place a check next to all the following, if present:

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {134694C3-2970-7C80-061A-2900CCC9819E} - C:\WINDOWS\system32\sxbwsen.dll (file missing)
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Enao] "C:\PROGRA~1\ICROSO~1.NET\wucrtupd.exe" -vt yazb
O4 - HKCU\..\Run: [Amspih] "C:\Documents and Settings\Sherri Brown\My Documents\??crosoft.NET\w?nlogon.exe"
O4 - HKCU\..\Run: [wqmu] C:\PROGRA~1\COMMON~1\wqmu\wqmum.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Download and Run ATF Cleaner

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

===============

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log.

Please let me know how your pc is now.
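The list the helper asks to have fixed is the kind of triage an experienced reader does by eye on an HJT log: entries whose file no longer exists, Run keys whose program sits in a user profile, and names that imitate system binaries (w?nlogon.exe, where "?" stands for a character the log could not render). As an added example, not code from the thread or from HijackThis, here is that triage in Python with heuristics of my own choosing; the sample lines are copied from the log posted above, and the rules deliberately stay simple, so the randomly named [Enao] and [wqmu] entries are not caught, which is why a human still reads the whole log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the thread): heuristic triage of HijackThis log lines. It parses
# "O4 - <hive>\..\Run: [name] <command>" autorun entries plus the "(no file)" /
# "(file missing)" markers and reports why an entry deserves a second look.
LINE_RE = re.compile(r"^(?P<section>[ORF]\d{1,2}) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")
# Core system binaries that malware likes to imitate; genuine copies live under %SystemRoot%.
SYSTEM_BINARIES = ("winlogon.exe", "csrss.exe", "lsass.exe", "svchost.exe", "smss.exe")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")

# Fixture for this example: lines copied from the log posted above.
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {134694C3-2970-7C80-061A-2900CCC9819E} - C:\WINDOWS\system32\sxbwsen.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Amspih] "C:\Documents and Settings\Sherri Brown\My Documents\??crosoft.NET\w?nlogon.exe"
O4 - Global Startup: hpoddt01.exe.lnk = ?"""

@dataclass
class Finding:
    section: str
    name: str          # Run-key value name ("" for non-O4 entries)
    path: str          # executable path ("" when none was parsed)
    reasons: List[str]

def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)  # unquoted path containing spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]

def lookalike_of(basename: str) -> Optional[str]:
    """System binary this name imitates, if any. A '?' (a character the log could not
    render) or any non-ASCII character acts as a wildcard, so w?nlogon.exe ~ winlogon.exe."""
    masked = "".join("?" if ord(ch) > 127 else ch for ch in basename.lower())
    pattern = re.escape(masked).replace(r"\?", ".")
    return next((s for s in SYSTEM_BINARIES if re.fullmatch(pattern, s)), None)

def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    reasons: List[str] = []
    if rest.endswith(MISSING_MARKERS):
        reasons.append("orphaned entry: the referenced file does not exist")
    name = path = ""
    run = RUN_RE.match(rest) if section == "O4" else None
    if run:
        name, path = run.group("name"), executable_path(run.group("cmd"))
        low = path.lower()
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("path contains characters that cannot occur in a real Windows path")
        if "\\documents and settings\\" in low:
            reasons.append("autorun executable lives inside a user profile")
        mimic = lookalike_of(low.rsplit("\\", 1)[-1])
        if mimic and not low.startswith(SYSTEM_DIRS):
            reasons.append(f"name imitates {mimic} but runs from outside the Windows directory")
    return Finding(section, name, path, reasons) if reasons else None

def triage_log(text: str) -> List[Finding]:
    """Triage every line of an HJT log; only entries with at least one reason are returned."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]
```

Running triage_log(SAMPLE_LOG) reports the orphaned R3 and O2 entries and the [Amspih] key with three reasons, while the legitimate iTunesHelper line and the unresolved Global Startup shortcut pass through untouched.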
Re: Infected by OuterInfo <again> GRRRRR

Thanks crunchie... So far so good. Here's the latest HJT file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:57 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Xyron Wishblade Controller\XYWSSupervisor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:3476/cgi-bin/ncgir....eth_index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Xyron Wishblade Status Supervisor.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://origin.games.yahoo.net/games/clients/y/tt5_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207445245537
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207445332188
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8388 bytes
Re: Infected by OuterInfo <again> GRRRRR

Congratulations! Your log looks clean.

===============

Now that your PC is clean you need to follow these easy steps to keep it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

Secure your Internet Explorer by going here and following the instructions there. Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D. Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users. After something like this it is a good idea to Flush the Restore Points and start fresh.

To flush the XP system Restore Points:
Go to Start | Run and type msconfig and press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot.
Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.

===============

If you have any more problems, post back.
- Happy surfing, crunchie.
©2003 - 2009 DaniWeb® LLC