Author Topic: Guys, about this "Adware Softomate".....  (Read 25043 times)

reles

  • Guest
Guys, about this "Adware Softomate".....
« on: March 04, 2008, 07:20:57 PM »

Every time I run a scan with AVG Anti-Spyware, I get a list of adware, all of which I can delete. But I always get this Adware Softomate (which I can see has some reputation). Whenever I try to delete it or put it into quarantine, I get told that I can't because "The file C:/WINDOWS/b122.exe.bin.vir/b122.exe cannot be quarantined (or deleted, for that matter) because it is embedded in the archive C:/QooBox/Quarantine/C/WINDOWS/b122.exe.bin.vir".

It then asks me if I want to quarantine (or delete, for that matter) the whole archive, but I get the feeling that I shouldn't; otherwise I will mess things up.

Or won't I?

Is there any other approach to this?


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Guys, about this "Adware Softomate".....
« Reply #1 on: March 04, 2008, 07:24:09 PM »
Seems that you can quarantine all the archive.
Does avast detect it as infected or only AVGas?
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #2 on: March 04, 2008, 07:27:43 PM »
C:/QooBox is ComboFix's quarantine. You can delete it.


edit to add

Did you ever get rid of this one?

 C:\WINDOWS\system32\sstqo.dll
« Last Edit: March 04, 2008, 07:34:52 PM by oldman »
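A small check along the lines of oldman's answer, added here as an example and not taken from any post in this thread or from AVG, avast or ComboFix: given the two paths AVG printed in the first post, it tells you whether the hit lives inside ComboFix's quarantine folder (where it is already contained) and where the quarantined file originally came from. The quarantine root list, and the assumption that QooBox mirrors the original drive layout and appends .vir, are mine, inferred from the archive path quoted above; the hit outside the quarantine uses the sstqo.dll path from later in the thread.

```python
"""Decide whether a scanner hit points into another tool's quarantine store.
Added example for this thread, not code from AVG, avast or ComboFix.  The paths
are the ones quoted in the first post; the quarantine root list is an assumption."""
import ntpath

# Assumption: ComboFix keeps quarantined files under C:\QooBox\Quarantine,
# mirroring the original drive layout (C\WINDOWS\...) and appending ".vir",
# which is what the archive path quoted in the first post shows.
QUARANTINE_ROOTS = [r"C:\QooBox\Quarantine"]
QUARANTINE_SUFFIX = ".vir"


def normalize(path):
    """Windows paths are case-insensitive and accept '/' as a separator (AVG's
    message used forward slashes), so fold both before comparing."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_under(path, root):
    r"""True if path is root itself or lies inside it.  The separator is appended
    to the root so that C:\QooBoxOther does not count as inside C:\QooBox."""
    p, r = normalize(path), normalize(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def quarantine_root_of(path, roots=QUARANTINE_ROOTS):
    """Return the quarantine root containing path, or None for a live file."""
    for root in roots:
        if is_under(path, root):
            return root
    return None


def original_location(path, roots=QUARANTINE_ROOTS):
    r"""Map a quarantined file back to where it lived before it was moved:
    C:\QooBox\Quarantine\C\WINDOWS\b122.exe.bin.vir -> C:\WINDOWS\b122.exe.bin"""
    root = quarantine_root_of(path, roots)
    if root is None:
        return None
    full = ntpath.normpath(path.replace("/", "\\"))
    rel = full[len(normalize(root).rstrip("\\")):].lstrip("\\")
    drive, _, rest = rel.partition("\\")
    if rest.lower().endswith(QUARANTINE_SUFFIX):
        rest = rest[:-len(QUARANTINE_SUFFIX)]
    return "%s:\\%s" % (drive.upper(), rest)


def triage(reported_path, archive_path=None, roots=QUARANTINE_ROOTS):
    """Classify a scanner hit.  When the scanner reports the file as embedded in
    an archive, the archive's location is what matters: a hit inside a
    quarantine store is already contained, so the whole store can go."""
    target = archive_path or reported_path
    root = quarantine_root_of(target, roots)
    if root is None:
        return {"status": "live", "action": "quarantine or delete with the scanner"}
    return {"status": "already quarantined", "store": root,
            "originally": original_location(target, roots),
            "action": "delete the whole quarantine store or leave it alone"}


if __name__ == "__main__":
    # The two paths from AVG's message in the first post.
    print(triage("C:/WINDOWS/b122.exe.bin.vir/b122.exe",
                 archive_path="C:/QooBox/Quarantine/C/WINDOWS/b122.exe.bin.vir"))
    print(triage(r"C:\WINDOWS\system32\sstqo.dll"))
```

The point of the prefix check with a trailing separator is the usual path-matching trap: a plain string prefix would treat C:\QooBoxOther as part of C:\QooBox. Add other tools' quarantine folders to QUARANTINE_ROOTS only once you have confirmed their layout, since original_location assumes the QooBox one.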

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #3 on: March 04, 2008, 07:45:26 PM »
Seems that you can quarantine all the archive.
Does avast detect it as infected or only AVGas?


That's a good question. I have run scans with Avast and it always detects two files, but I forgot to save the names of the files. Therefore, I'm not sure if it's the same file (then again, it's two files that Avast detects).

So I'm just going to go ahead and quarantine the whole archive next time.

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #4 on: March 04, 2008, 07:47:38 PM »
C:/QooBox is ComboFix's quarantine. You can delete it.


edit to add

Did you ever get rid of this one?

 C:\WINDOWS\system32\sstqo.dll


Apparently I did, because I just searched for that file and I didn't find it.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #5 on: March 04, 2008, 07:53:49 PM »
It will most likely be a hidden file. I just looked at your old log and found another file: C:\WINDOWS\system32\drivers\lvuvc.hs.

If you wish, I can have a look. Let me know and I'll give you a link for a new ComboFix and instructions for running it.

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #6 on: March 04, 2008, 11:05:59 PM »
It will most likely be a hidden file. I just looked at your old log and found another file: C:\WINDOWS\system32\drivers\lvuvc.hs.

If you wish, I can have a look. Let me know and I'll give you a link for a new ComboFix and instructions for running it.


A new combofix? I'm wondering if it's the same one I have. Either way, give me the link and I'll take a look at it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Guys, about this "Adware Softomate".....
« Reply #7 on: March 04, 2008, 11:08:16 PM »
I'll drop it in for Oldman ;D

Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename ComboFix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
  • Close any open browsers.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
-----------------------------------------------------------
  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #8 on: March 04, 2008, 11:13:47 PM »

Thank you

By the way:

I have an old version of Java (1.4.2). A long time ago I was told in this same forum to update it. I actually never got to do that. So I revisited the old thread and went to the link http://www.java.com/en/download/manual.jsp#win

But it's only showing Java versions for Windows Vista. I have Windows XP. Will that version work anyway for me?


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #9 on: March 05, 2008, 12:26:03 AM »
Thanks essexboy.

Post the combofix log and I'll have a look as well as an HJT log.

For your java

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control.


Accept the license agreement > Click on Windows Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Guys, about this "Adware Softomate".....
« Reply #10 on: March 05, 2008, 01:32:45 AM »
I hadn't noticed there had been a JAVA update, so I checked my usual download source (MajorGeeks.com - http://) and I couldn't believe the size; it is reported as a 71.3MB download (about 4 and a half hours). That can't be right?

Not a hope on dial-up with a two hour cut-off, so a very long time even with a download manager, if it is possible to download with a download manager.

Edit: looks like MajorGeeks got it wrong, as it is reported as 7.1MB on Sun's download.
« Last Edit: March 05, 2008, 01:35:52 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #11 on: March 05, 2008, 01:41:11 AM »

Gentlemen,

The log:

ComboFix 08-03-04.3 - il Dottore 2008-03-05 19:23:29.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.174 [GMT -8:00]
Running from: C:\Documents and Settings\il Dottore\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-02-06 to 2008-03-06  )))))))))))))))))))))))))))))))
.

2008-02-23 16:55 . 2008-02-23 16:59   <DIR>   d--------   C:\Documents and Settings\il Dottore\Application Data\Sibelius Software

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 00:40   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
2008-02-24 00:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-02-24 00:49   ---------   d-----w   C:\Program Files\Sibelius Software
2008-02-24 00:29   ---------   d-----w   C:\Program Files\Finale 2002
2008-01-30 06:43   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-12-07 01:07   659,456   ----a-w   C:\WINDOWS\system32\wininet.dll
2007-07-27 02:19   604   ---ha-w   C:\Program Files\STLL Notifier
2007-04-01 21:36   258   ----a-w   C:\Program Files\First Theorem.sn2
2004-04-13 16:13   35,456   ----a-w   C:\WINDOWS\Fonts\requiem1.zip
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
         C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 19:34 3084288]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-24 23:52 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 20:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 18:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 15:01 1019904]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 10:59 61440]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-11-20 17:24 26112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-14 13:10 6731312]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]

C:\Documents and Settings\il Dottore\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 11:49:38 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-11 07:23:36 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-24 23:52:32 67128]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-07-19 17:53:18 57344]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 16:58:56 155648]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 11:29:12 1568768]

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 11:50]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 00:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 09:03]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 17:38]
S3 VVBETHERNET;Efficient Networks Virtual Bus Ethernet driver;C:\WINDOWS\system32\DRIVERS\vvbEthT.sys [2002-05-22 17:26]
S3 VvBusUsb;Efficient Networks USB Virtual Bus driver;C:\WINDOWS\system32\drivers\vvbususb.sys [2002-05-22 17:26]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 06:09:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-06 01:26:15 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 19:28:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\RF Wireless Mouse\NoEdge.dll
-> C:\Program Files\RF Wireless Mouse\ASDll.dll
.
Completion time: 2008-03-05 19:30:55
ComboFix-quarantined-files.txt  2008-03-06 03:30:37
ComboFix2.txt  2008-02-21 08:40:32
.
2008-02-14 03:03:40   --- E O F --- 

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #12 on: March 05, 2008, 02:10:54 AM »
Thanks essexboy.

Post the combofix log and I'll have a look as well as an HJT log.

For your java

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control.


Accept the license agreement > Click on Windows Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Ok, in the heat of confusion due to all the things I'm doing at the same time, I made the mistake of actually running it and installing it. Is this going to be a problem, or should I simply repeat the process from the start?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #13 on: March 05, 2008, 03:14:12 AM »
re:java

It shouldn't be a problem as long as the install went OK. The thing to watch for, when you go to uninstall the old versions, is that you don't uninstall the new one as well. Same when deleting the old folders. If you do, don't panic; it can be reinstalled again.


We will need a HijackThis log also. Download it, but do not run it until after the ComboFix run I will have you do.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon, then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Please follow all previous instructions regarding security programs.


Open a new Notepad session (do not use a word processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\drivers\lvuvc.hs

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]



This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.

« Last Edit: March 05, 2008, 04:05:35 AM by oldman »
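An added example, written for this thread rather than taken from ComboFix or from any post in it: it parses the Find3M and Reg Loading Points sections of the log in Reply #11 and checks the CFScript from Reply #13 against it, so every File:: path and Registry:: key the script will act on is tied back to the log line that justified it (the BHO key loading sstqo.dll, the Find3M record for lvuvc.hs). The sample text is a trimmed copy of what was posted. The layout the parser relies on, the [date time size] metadata after each value and the indented path under a BHO key, is read off that one log and is an assumption for other ComboFix versions; the [-key] deletion syntax in Registry:: follows the REGEDIT4 convention the log header names.

```python
"""Parse the loading points of a ComboFix log and cross-check a CFScript
against it.  Added example for this thread, not ComboFix's own code.  The log
and script samples below are trimmed copies of the ones posted in this thread."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the ComboFix log from Reply #11.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 00:40   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
2008-02-24 00:49   ---------   d-----w   C:\Program Files\Sibelius Software
2007-12-07 01:07   659,456   ----a-w   C:\WINDOWS\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
         C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 03:24 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"""

# Constructed sample: the CFScript from Reply #13.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\drivers\lvuvc.hs

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?')
FIND3M_RE = re.compile(r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>[\d,]+|-+)"
                       r"\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")


def parse_combofix_log(text):
    """Return (autostarts, files): every loading point as a dict with
    key/name/path/meta, and the Find3M entries as path -> (stamp, size, attrs)."""
    autostarts, files, current_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        m = FIND3M_RE.match(line)
        if m:
            files[m["path"].lower()] = (m["stamp"], m["size"], m["attrs"])
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = VALUE_RE.match(line.strip())
        if m and current_key:
            meta = m["meta"] or ""
            # When the value holds only a bare file name, ComboFix writes the
            # resolved path inside the brackets (see "000StTHK" in the posted log).
            parts = meta.split(None, 3)
            path = parts[3] if len(parts) == 4 else m["data"]
            autostarts.append({"key": current_key, "name": m["name"], "path": path, "meta": meta})
            continue
        if current_key and line.startswith(" "):
            # BHO form: the key line is followed by an indented path with no value name.
            autostarts.append({"key": current_key, "name": None, "path": line.strip(), "meta": ""})
            continue
        current_key = None  # anything else ends the current key block
    return autostarts, files


def parse_cfscript(text):
    """Return {section: [entries]}, e.g. {"File": [...], "Registry": [...]}."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
        elif current:
            sections[current].append(line)
    return dict(sections)


def crosscheck(script, autostarts, files):
    """Map every CFScript target to the evidence for it in the log: the loading
    points that reference a File:: path, its Find3M record, or the Registry::
    key itself.  A leading '-' inside the brackets (REGEDIT4 convention) means
    the key is deleted rather than edited."""
    report = {}
    for path in script.get("File", []):
        p = path.lower()
        hits = [a["key"] for a in autostarts if a["path"].lower() == p]
        if p in files:
            hits.append("Find3M %s" % files[p][2])
        report[path] = hits
    for entry in script.get("Registry", []):
        key = entry.strip("[]")
        delete, key = key.startswith("-"), key.lstrip("-")
        seen = any(a["key"] == key for a in autostarts)
        report[entry] = (["delete key" if delete else "key"] if seen else [])
    return report


def unverified_targets(report):
    """Targets the script would act on although the log never mentions them;
    these deserve a second look before the script is dropped on ComboFix."""
    return [target for target, hits in report.items() if not hits]


if __name__ == "__main__":
    autostarts, files = parse_combofix_log(SAMPLE_LOG)
    report = crosscheck(parse_cfscript(SAMPLE_SCRIPT), autostarts, files)
    for target, hits in report.items():
        print("%-80s %s" % (target, hits or "NO EVIDENCE IN LOG"))
    print("unverified:", unverified_targets(report))
```

Run it against the full log text and the script as posted and the report should name a log line for each target; anything that comes back under unverified_targets is a path or key the script will remove without the log ever having shown it, which is the case to query before dragging CFscript.txt onto ComboFix.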

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #14 on: March 05, 2008, 03:20:07 AM »
I hadn't noticed there had been a JAVA update, so I checked my usual download source (MajorGeeks.com - http://) and I couldn't believe the size; it is reported as a 71.3MB download (about 4 and a half hours). That can't be right?

Not a hope on dial-up with a two hour cut-off, so a very long time even with a download manager, if it is possible to download with a download manager.

Edit: looks like MajorGeeks got it wrong, as it is reported as 7.1MB on Sun's download.

@DavidR
What I got for a file size was 15.18 MB for the offline install. This was from following the link I posted. The only way I knew that a new version was out was when I was testing my links earlier today.