Elite Medai Pop/ Toolbar 888 Pop

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Elite Medai Pop/ Toolbar 888 Pop Help for a friend's computer

#1 Stoke

New Member

Group: Members
Posts: 6
Joined: 26-April 06

Posted 27 April 2006 - 09:44 AM

I have run Norton, Adaware, Spybot, and the online scanners but the crap just wont leave, I think it likes me :thumbsup:

The problems seem like the typical browser hijack/adware problem. Popups everywhere and plenty of browser reroutes.
(And wouldn't you know I mispell the second word I type on this forum)
-------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:36:58 AM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\S2FyYSBIb3J0b24\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\elitemediapop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xtqju.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jpxnfns.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [uqzu] C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: repairs303169572.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\fp8203loe.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2FyYSBIb3J0b24\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

This post has been edited by Stoke: 27 April 2006 - 09:46 AM

#2 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 27 April 2006 - 12:06 PM

Welcome: Lets get started. :thumbsup:

==

Please download Look2Me-Destroyer to your desktop.

Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Hi there, stranger!

#3 Stoke

New Member

Group: Members
Posts: 6
Joined: 26-April 06

Posted 27 April 2006 - 12:49 PM

Thanks for your help so far, hopefully we can get this thing cleared out. Here are the 2 logs you need.

L2M Destroyer:
------------------

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/27/2006 12:31:08 PM

Infected! C:\WINDOWS\system32\ir48l5hu1.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029178.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029198.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029203.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029225.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029230.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029368.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029372.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029424.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029428.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029447.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029452.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP434\A0029481.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP434\A0029489.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP435\A0029509.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP437\A0032467.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP438\A0032562.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP438\A0032563.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032573.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032586.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032600.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032604.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032605.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032610.dll
Infected! C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032615.dll
Infected! C:\WINDOWS\system32\ir48l5hu1.dll
Infected! C:\WINDOWS\system32\q268lcju1fo8.dll
Infected! C:\WINDOWS\system32\sUmlib.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\ir48l5hu1.dll
C:\WINDOWS\system32\ir48l5hu1.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029178.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029178.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029198.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029198.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029203.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029203.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029225.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029225.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029230.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029230.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029368.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029368.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029372.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029372.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029424.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029424.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029428.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029428.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029447.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029447.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029452.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP433\A0029452.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP434\A0029481.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP434\A0029481.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP434\A0029489.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP434\A0029489.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP435\A0029509.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP435\A0029509.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP437\A0032467.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP437\A0032467.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP438\A0032562.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP438\A0032562.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP438\A0032563.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP438\A0032563.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032573.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032573.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032586.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032586.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032600.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032600.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032604.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032604.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032605.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032605.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032610.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032610.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032615.dll
C:\System Volume Information\_restore{C8ED17E5-E033-4B45-B2FB-BA2077226AB5}\RP439\A0032615.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir48l5hu1.dll
C:\WINDOWS\system32\ir48l5hu1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q268lcju1fo8.dll
C:\WINDOWS\system32\q268lcju1fo8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sUmlib.dll
C:\WINDOWS\system32\sUmlib.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A5783DC5-A8DB-49E9-AA9A-C0F876AE04BD}"
HKCR\Clsid\{A5783DC5-A8DB-49E9-AA9A-C0F876AE04BD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F0B43E42-1227-4C08-A308-B72EC0FD38F2}"
HKCR\Clsid\{F0B43E42-1227-4C08-A308-B72EC0FD38F2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

And the HijackThis log.
-------------
Logfile of HijackThis v1.99.1
Scan saved at 12:42:37 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\S2FyYSBIb3J0b24\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\elitemediapop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xtqju.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jpxnfns.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [uqzu] C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: repairs303169572.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2FyYSBIb3J0b24\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#4 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 27 April 2006 - 12:57 PM

Go ahead and delete Look2Me-Destroyer.

Lets continue :thumbsup:

==

Please download Brute Force Uninstaller to your desktop.

Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk ( C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download SideKickFix by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & explorer folder's, then double-click on sidekickFix.bat.
Click YES and follow the prompts, when prompted to restart the PC please do so.

==

Once finished, do this:

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & explorer folder's, then double-click on QooFix.bat.
Choose option 1# (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
Then please post back with a fresh HijackThis log. :flowers:

Hi there, stranger!

#5 Stoke

New Member

Group: Members
Posts: 6
Joined: 26-April 06

Posted 27 April 2006 - 01:30 PM

When I ran the qoofix.bat I got two error popups complaining about C:Windows/system32/regedit.com, is this normal? I hit ok on both of them after it was clear they weren't going to disappear on their own and everything after that went fine.

Edit: Ran some more things after update and got rid of a few things, posting updated Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:53 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [hcewuf] C:\WINDOWS\system32\hkafuh.exe reg_run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [dylxv] C:\WINDOWS\system32\hkafuh.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

This post has been edited by Stoke: 27 April 2006 - 10:37 PM

#6 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 28 April 2006 - 09:52 AM

Good job.. :thumbsup:

Lets continue.

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Update your Ewido Anti-malware to its latest definitions.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Once in Safe Mode, run a scan with HijackThis and check the following objects for removal if present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [hcewuf] C:\WINDOWS\system32\hkafuh.exe reg_run
O4 - HKCU\..\Run: [dylxv] C:\WINDOWS\system32\hkafuh.exe reg_run
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

==

Please run a scan with Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
Close Ewido Anti-Malware.

==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste it's content to this thread along with a fresh HijackThis log. :flowers:

Hi there, stranger!

#7 Stoke

New Member

Group: Members
Posts: 6
Joined: 26-April 06

Posted 28 April 2006 - 11:18 AM

Here ya go.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:09:07 AM, 4/28/2006
+ Report-Checksum: EBC1F6CB

+ Scan result:

:mozilla.34:C:\Documents and Settings\Kara Horton\Application Data\Mozilla\Firefox\Profiles\7xerrpyp.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Kara Horton\Application Data\Mozilla\Firefox\Profiles\7xerrpyp.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Kara Horton\Application Data\Mozilla\Firefox\Profiles\7xerrpyp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Kara Horton\Application Data\Mozilla\Firefox\Profiles\7xerrpyp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Kara Horton\Application Data\Mozilla\Firefox\Profiles\7xerrpyp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Kara Horton\Application Data\Mozilla\Firefox\Profiles\7xerrpyp.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 11:14:41 AM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BEF29A7-77CC-4BC9-A724-3D56D0C582EF}: NameServer = 166.102.165.11 166.102.165.13
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#8 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 28 April 2006 - 01:11 PM

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

==

How does the system seem to be running now? :thumbsup:

Hi there, stranger!

#9 Stoke

New Member

Group: Members
Posts: 6
Joined: 26-April 06

Posted 28 April 2006 - 01:18 PM

System's running great. Thanks for all of your help.
There is one thing I'm still worried about though, this is a copy of my latest Spybot S&D scan report. As you will see NewDotNet and Smitfraud are still unable to be removed. What should I do about these?

--- Report generated: 2006-04-28 12:07 ---

Windows.ActiveDesktop: User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1417066420-1779672970-72185382-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1

NewDotNet: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\new.net

NewDotNet: User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\new.net

Smitfraud-C.: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload2

--- Spybot - Search && Destroy version: 1.3 ---
2006-04-21 Includes\Cookies.sbi
2006-04-21 Includes\Dialer.sbi
2006-04-21 Includes\Hijackers.sbi
2006-04-21 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2006-04-21 Includes\Malware.sbi
2006-04-21 Includes\PUPS.sbi
2006-04-21 Includes\Revision.sbi
2006-04-21 Includes\Security.sbi
2006-04-21 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-04-21 Includes\Trojans.sbi

This post has been edited by Stoke: 28 April 2006 - 01:19 PM

#10 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 28 April 2006 - 01:21 PM

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Hi there, stranger!

#11 Stoke

New Member

Group: Members
Posts: 6
Joined: 26-April 06

Posted 28 April 2006 - 01:30 PM

Hah, I'll get back to you in a while. 8 MB dl at 1.5KB a second is a long wait. Living in the country has it's drawback I suppose.

#12 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 07 May 2006 - 08:50 AM

Hows it going.. Still in need of help?

Hi there, stranger!

#13 Rawe

Forum Addict

Group: Members
Posts: 2,363
Joined: 05-July 05
Gender:Male
Location:Finland

Posted 17 May 2006 - 10:37 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.

Hi there, stranger!