ExtremeG Posted April 15, 2008

I was just browsing the net and this pop-up came up on my screen called Antispyware Master, which I hadn't installed, and it started doing a scan on my computer and came up with all these things, so I clicked the X to close it. Then I got this folder in my Start > Programs called OuterInfo containing an RTF called Terms and an uninstaller that doesn't work. So I run Ad-Aware SE with the latest definitions and clear up some stuff, then I run Spybot and it comes up with "Alexa Related", so I check the box to fix that. Then I go on WinPatrol, which has been notifying me of everything that happened; I go on Active Tasks and kill some of the processes that look dodgy, and immediately my CPU usage dropped from 100% to 5%, but I still haven't got rid of it as I'm getting security warnings and WinPatrol keeps popping up saying "

I did a scan with Ewido Security Suite and this is the report:

+ Duration: 84 min
+ Scanned Files: 160264
+ Speed: 31.68 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 30
+ Files that could not be cleaned: 0
+ Ignore extension: Yes
+ Binder: Yes
+ Crypter: Yes
+ Memory: No
+ Archives: No
+ Heuristic: No
+ Scanned items: C:\
+ Scan result:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> File could not be opened
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> File could not be opened
C:\Documents and Settings\User\Favorites\???????.url -> File could not be opened
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_744.dat -> File could not be opened
C:\Documents and Settings\User\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\User\ntuser.dat.LOG -> File could not be opened
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\LocalService\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\LocalService\ntuser.dat.LOG -> File could not be opened
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat -> File could not be opened
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG -> File could not be opened
C:\Documents and Settings\NetworkService\NTUSER.DAT -> File could not be opened
C:\Documents and Settings\NetworkService\ntuser.dat.LOG -> File could not be opened
C:\hiberfil.sys -> File could not be opened
C:\pagefile.sys -> File could not be opened
C:\Program Files\LimeWire\Incomplete\T-6652526-jme sens vide?.mp3 -> File could not be opened
C:\WINDOWS\system32\ace2\bmv35gui.exe -> File could not be opened
C:\WINDOWS\system32\config\default -> File could not be opened
C:\WINDOWS\system32\config\default.LOG -> File could not be opened
C:\WINDOWS\system32\config\SAM -> File could not be opened
C:\WINDOWS\system32\config\SAM.LOG -> File could not be opened
C:\WINDOWS\system32\config\SECURITY -> File could not be opened
C:\WINDOWS\system32\config\SECURITY.LOG -> File could not be opened
C:\WINDOWS\system32\config\software -> File could not be opened
C:\WINDOWS\system32\config\software.LOG -> File could not be opened
C:\WINDOWS\system32\config\system -> File could not be opened
C:\WINDOWS\system32\config\system.LOG -> File could not be opened
::Report End

Also in WinPatrol I have these in my IE helpers, should I remove them?
rqrpmlih.dll
hgghfdbb.dll
{9c160a27-687a-4b38-7069}

On Active Tasks I have 2 instances of Lsass.exe: one is LSA Shell (Export Version) and the other comes up as unknown title. Help
Juts Posted April 15, 2008

I'd recommend trying a tool called ComboFix; we've been using it at work, and it's a powerful tool. http://www.bleepingcomputer.com/combofix/how-to-use-combofix Some antivirus programs will recognize it as a virus, but I promise it is a legit tool. Also, you might want to try a tool called HijackThis. It can generate a log report of suspicious activity and then help identify the problem components.
AdzzzUK Posted April 15, 2008

> Also in WinPatrol I have these in my IE helpers, should I remove them? rqrpmlih.dll hgghfdbb.dll {9c160a27-687a-4b38-7069}

Yes, remove them. Also download *either* SuperAntiSpyware Free Edition or Spybot Search & Destroy (or both!), and run a full scan. Once the scans are run, reboot, download HijackThis, run a full scan and post the log file as a reply to this thread. HTH, Ad
ExtremeG Posted April 15, 2008 (Author)

OK, I tried removing those IE helpers but only the one in the brackets went away for good; those other two keep coming back, so I downloaded those programs and will get a HijackThis log up when that gets done.
Juts Posted April 15, 2008

How did it go?
ExtremeG Posted April 15, 2008 (Author)

Well, it took ages. I updated my Spybot to the current version and it picked up tonnes of stuff, then I ran SUPERAntiSpyware and cleared loads of stuff out, so I rebooted, installed and then ran HijackThis, and my log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:49, on 15/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.transtec.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\hgghfdbb.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll (file missing)
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [Run DLL] C:\WINDOWS\System32\svchost64.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ptrun32] C:\WINDOWS\System32\ptrun32\ptrun32.exe -startup
O4 - HKLM\..\Run: [TimeOut] C:\Program Files\Common Files\TimeOutPC\TimeOutPC.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldwinner.com/games/v42/br...ut/brickout.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgghfdbb - C:\WINDOWS\SYSTEM32\hgghfdbb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8707 bytes

I'm still getting errors and pop-ups from WinPatrol asking me to allow rjgdfp.dll every few minutes.
ExtremeG Posted April 16, 2008 (Author)

I keep getting these pop-ups:

Buffer Overrun Detected
Program C:\WINDOWS\explorer.exe

and a regsvr32.exe application error:

the instruction at "0x771214ec" referenced memory at "0x771214ec". the memory could not be "read". click ok to terminate

What should I do?
sameru Posted April 18, 2008

I've been meaning to post this reply soooo bad. I found a simple, easy way to get rid of the awful, lame program known as Antispyware, which installs itself on your computer (I don't know how) and makes its home there, camouflaged from spyware-searching programs such as Spybot Search & Destroy and many more. The first thing I did was to look inside the C drive, because everyone knows that everything that's installed on your comp always ends up there (I think). Anyway, you'll find the folder Antispyware there, but don't delete it (you'll need it for the uninstallation; you can delete it once you've done the uninstallation). Do a search on your comp (you know, the search that searches for all the files inside your comp only) and do a search for antispyware <--- just like I typed it (do a search for all files and folders). You'll get the results of all the files on your comp with the name antispyware, including the uninstall file; double-click the uninstall antispyware file, follow the prompts and bye bye antispyware ;). I know this because I just got that cursed thing today and amazingly, even though I'm such a comp noob, I figured it out in less than 15 minutes :p. I do ask that everyone that reads this post please pass it on to other forums; lots of people are having problems with this spy software and are calling out for help. Help them like I helped you, k? That's all, enjoy freedom!!!!!! ^_^
AdzzzUK Posted April 18, 2008

Thanks for posting your HijackThis log. Sorry for the delay, I've only just got notification of a reply!

Re-run HijackThis (run a scan only), select the following entries, then click "Fix selected items":

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\System32\hgghfdbb.dll
O4 - HKLM\..\Run: [Run DLL] C:\WINDOWS\System32\svchost64.exe
O20 - Winlogon Notify: hgghfdbb - C:\WINDOWS\SYSTEM32\hgghfdbb.dll

Also go to the following sites and run a full scan from both:

Panda ActiveScan
Trend Micro HouseCall

Post back and let us know how you're getting on. Cheers, Ad
ExtremeG Posted April 20, 2008 (Author)

I ran ActiveScan and it detected 1 active virus, which I was allowed to disinfect as a free user, then ran HouseCall, which took hours; it cleaned up some stuff but said it couldn't fix Troj_Vundo.bmf and showed a list of dodgy .dll files in my C:/windows/system32 folder. I'm still getting pop-ups from WinPatrol asking me if I should allow dodgyfile.dll, and I'm getting pop-ups from Spybot constantly about changed registry settings and stuff.