
FAO didom: L2M spyware cleanup


7 replies to this topic

#1 demos99

demos99

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 13 June 2005 - 05:07 AM

Hi didom,

Since we can't continue using the SWI forums to complete this clean up (due to their server failure), you suggested I should post the latest logs you requested here instead.

Having run the #2 option in L2MFIX, you asked for the resulting l2mfix log and the latest HJT log:

L2Mfix Log (Run 10/06/2005)

L2Mfix 1.03

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1208 'explorer.exe'
Killing PID 1208 'explorer.exe'
Killing PID 1208 'explorer.exe'
Killing PID 1208 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aza2l5fo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azamlcj11fo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azaq0gd5e60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azaqlgd5160.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cpmres.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn8801lue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e220lcfm1f2a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e6jm0g11e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en42l1ho1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enr4l19q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f20o0cd3ef0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2q03f5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp8003lme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h2j4lc1q1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h60q0gd5e60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr2s05f7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i0060adsed060.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8600ijme8oa0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j26mlcj11fo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j6n20g5oe6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j6n2lg5o16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jr0025dmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0jsla171d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0nola531d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k4nole531h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt4ml7h11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktl0l73m1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktlql7351.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l2l6lc3s1f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv4q09h5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv8409lqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m4rmle911h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m6po0g73e6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv4ol9h31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv6ql9j51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n82u0if9e82.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2660cjsefo60.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o8roli9318.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r4r60e9seh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rSsmontr.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\aza2l5fo1.dll
Successfully Deleted: C:\WINDOWS\system32\aza2l5fo1.dll
deleting: C:\WINDOWS\system32\azamlcj11fo.dll
Successfully Deleted: C:\WINDOWS\system32\azamlcj11fo.dll
deleting: C:\WINDOWS\system32\azaq0gd5e60.dll
Successfully Deleted: C:\WINDOWS\system32\azaq0gd5e60.dll
deleting: C:\WINDOWS\system32\azaqlgd5160.dll
Successfully Deleted: C:\WINDOWS\system32\azaqlgd5160.dll
deleting: C:\WINDOWS\system32\cpmres.dll
Successfully Deleted: C:\WINDOWS\system32\cpmres.dll
deleting: C:\WINDOWS\system32\dn8801lue.dll
Successfully Deleted: C:\WINDOWS\system32\dn8801lue.dll
deleting: C:\WINDOWS\system32\e220lcfm1f2a.dll
Successfully Deleted: C:\WINDOWS\system32\e220lcfm1f2a.dll
deleting: C:\WINDOWS\system32\e6jm0g11e6.dll
Successfully Deleted: C:\WINDOWS\system32\e6jm0g11e6.dll
deleting: C:\WINDOWS\system32\en42l1ho1.dll
Successfully Deleted: C:\WINDOWS\system32\en42l1ho1.dll
deleting: C:\WINDOWS\system32\enr4l19q1.dll
Successfully Deleted: C:\WINDOWS\system32\enr4l19q1.dll
deleting: C:\WINDOWS\system32\f20o0cd3ef0.dll
Successfully Deleted: C:\WINDOWS\system32\f20o0cd3ef0.dll
deleting: C:\WINDOWS\system32\fp2q03f5e.dll
Successfully Deleted: C:\WINDOWS\system32\fp2q03f5e.dll
deleting: C:\WINDOWS\system32\fp8003lme.dll
Successfully Deleted: C:\WINDOWS\system32\fp8003lme.dll
deleting: C:\WINDOWS\system32\h2j4lc1q1f.dll
Successfully Deleted: C:\WINDOWS\system32\h2j4lc1q1f.dll
deleting: C:\WINDOWS\system32\h60q0gd5e60.dll
Successfully Deleted: C:\WINDOWS\system32\h60q0gd5e60.dll
deleting: C:\WINDOWS\system32\hr2s05f7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr2s05f7e.dll
deleting: C:\WINDOWS\system32\i0060adsed060.dll
Successfully Deleted: C:\WINDOWS\system32\i0060adsed060.dll
deleting: C:\WINDOWS\system32\i8600ijme8oa0.dll
Successfully Deleted: C:\WINDOWS\system32\i8600ijme8oa0.dll
deleting: C:\WINDOWS\system32\j26mlcj11fo.dll
Successfully Deleted: C:\WINDOWS\system32\j26mlcj11fo.dll
deleting: C:\WINDOWS\system32\j6n20g5oe6.dll
Successfully Deleted: C:\WINDOWS\system32\j6n20g5oe6.dll
deleting: C:\WINDOWS\system32\j6n2lg5o16.dll
Successfully Deleted: C:\WINDOWS\system32\j6n2lg5o16.dll
deleting: C:\WINDOWS\system32\jr0025dmg.dll
Successfully Deleted: C:\WINDOWS\system32\jr0025dmg.dll
deleting: C:\WINDOWS\system32\k0jsla171d.dll
Successfully Deleted: C:\WINDOWS\system32\k0jsla171d.dll
deleting: C:\WINDOWS\system32\k0nola531d.dll
Successfully Deleted: C:\WINDOWS\system32\k0nola531d.dll
deleting: C:\WINDOWS\system32\k4nole531h.dll
Successfully Deleted: C:\WINDOWS\system32\k4nole531h.dll
deleting: C:\WINDOWS\system32\kt4ml7h11.dll
Successfully Deleted: C:\WINDOWS\system32\kt4ml7h11.dll
deleting: C:\WINDOWS\system32\ktl0l73m1.dll
Successfully Deleted: C:\WINDOWS\system32\ktl0l73m1.dll
deleting: C:\WINDOWS\system32\ktlql7351.dll
Successfully Deleted: C:\WINDOWS\system32\ktlql7351.dll
deleting: C:\WINDOWS\system32\l2l6lc3s1f.dll
Successfully Deleted: C:\WINDOWS\system32\l2l6lc3s1f.dll
deleting: C:\WINDOWS\system32\lv4q09h5e.dll
Successfully Deleted: C:\WINDOWS\system32\lv4q09h5e.dll
deleting: C:\WINDOWS\system32\lv8409lqe.dll
Successfully Deleted: C:\WINDOWS\system32\lv8409lqe.dll
deleting: C:\WINDOWS\system32\m4rmle911h.dll
Successfully Deleted: C:\WINDOWS\system32\m4rmle911h.dll
deleting: C:\WINDOWS\system32\m6po0g73e6.dll
Successfully Deleted: C:\WINDOWS\system32\m6po0g73e6.dll
deleting: C:\WINDOWS\system32\mv4ol9h31.dll
Successfully Deleted: C:\WINDOWS\system32\mv4ol9h31.dll
deleting: C:\WINDOWS\system32\mv6ql9j51.dll
Successfully Deleted: C:\WINDOWS\system32\mv6ql9j51.dll
deleting: C:\WINDOWS\system32\n82u0if9e82.dll
Successfully Deleted: C:\WINDOWS\system32\n82u0if9e82.dll
deleting: C:\WINDOWS\system32\o2660cjsefo60.dll
Successfully Deleted: C:\WINDOWS\system32\o2660cjsefo60.dll
deleting: C:\WINDOWS\system32\o8roli9318.dll
Successfully Deleted: C:\WINDOWS\system32\o8roli9318.dll
deleting: C:\WINDOWS\system32\r4r60e9seh.dll
Successfully Deleted: C:\WINDOWS\system32\r4r60e9seh.dll
deleting: C:\WINDOWS\system32\rSsmontr.dll
Successfully Deleted: C:\WINDOWS\system32\rSsmontr.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aza2l5fo1.dll (164 bytes security) (deflated 5%)
adding: azamlcj11fo.dll (164 bytes security) (deflated 5%)
adding: azaq0gd5e60.dll (164 bytes security) (deflated 4%)
adding: azaqlgd5160.dll (164 bytes security) (deflated 5%)
adding: cpmres.dll (164 bytes security) (deflated 4%)
adding: dn8801lue.dll (164 bytes security) (deflated 5%)
adding: e220lcfm1f2a.dll (164 bytes security) (deflated 5%)
adding: e6jm0g11e6.dll (164 bytes security) (deflated 4%)
adding: en42l1ho1.dll (164 bytes security) (deflated 5%)
adding: enr4l19q1.dll (164 bytes security) (deflated 4%)
adding: f20o0cd3ef0.dll (164 bytes security) (deflated 4%)
adding: fp2q03f5e.dll (164 bytes security) (deflated 4%)
adding: fp8003lme.dll (164 bytes security) (deflated 4%)
adding: h2j4lc1q1f.dll (164 bytes security) (deflated 5%)
adding: h60q0gd5e60.dll (164 bytes security) (deflated 4%)
adding: hr2s05f7e.dll (164 bytes security) (deflated 5%)
adding: i0060adsed060.dll (164 bytes security) (deflated 5%)
adding: i8600ijme8oa0.dll (164 bytes security) (deflated 4%)
adding: j26mlcj11fo.dll (164 bytes security) (deflated 4%)
adding: j6n20g5oe6.dll (164 bytes security) (deflated 4%)
adding: j6n2lg5o16.dll (164 bytes security) (deflated 4%)
adding: jr0025dmg.dll (164 bytes security) (deflated 5%)
adding: k0jsla171d.dll (164 bytes security) (deflated 4%)
adding: k0nola531d.dll (164 bytes security) (deflated 5%)
adding: k4nole531h.dll (164 bytes security) (deflated 4%)
adding: kt4ml7h11.dll (164 bytes security) (deflated 4%)
adding: ktl0l73m1.dll (164 bytes security) (deflated 3%)
adding: ktlql7351.dll (164 bytes security) (deflated 4%)
adding: l2l6lc3s1f.dll (164 bytes security) (deflated 5%)
adding: lv4q09h5e.dll (164 bytes security) (deflated 4%)
adding: lv8409lqe.dll (164 bytes security) (deflated 4%)
adding: m4rmle911h.dll (164 bytes security) (deflated 5%)
adding: m6po0g73e6.dll (164 bytes security) (deflated 3%)
adding: mv4ol9h31.dll (164 bytes security) (deflated 5%)
adding: mv6ql9j51.dll (164 bytes security) (deflated 5%)
adding: n82u0if9e82.dll (164 bytes security) (deflated 4%)
adding: o2660cjsefo60.dll (164 bytes security) (deflated 5%)
adding: o8roli9318.dll (164 bytes security) (deflated 4%)
adding: r4r60e9seh.dll (164 bytes security) (deflated 3%)
adding: rSsmontr.dll (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: Desktop.ini (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 60%)
adding: report2.txt (164 bytes security) (deflated 60%)
adding: test.txt (164 bytes security) (deflated 82%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/7FB1C7DB-AFA9-42F3-8712-05356CC68CB8.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aza2l5fo1.dll
deleting local copy: azamlcj11fo.dll
deleting local copy: azaq0gd5e60.dll
deleting local copy: azaqlgd5160.dll
deleting local copy: cpmres.dll
deleting local copy: dn8801lue.dll
deleting local copy: e220lcfm1f2a.dll
deleting local copy: e6jm0g11e6.dll
deleting local copy: en42l1ho1.dll
deleting local copy: enr4l19q1.dll
deleting local copy: f20o0cd3ef0.dll
deleting local copy: fp2q03f5e.dll
deleting local copy: fp8003lme.dll
deleting local copy: h2j4lc1q1f.dll
deleting local copy: h60q0gd5e60.dll
deleting local copy: hr2s05f7e.dll
deleting local copy: i0060adsed060.dll
deleting local copy: i8600ijme8oa0.dll
deleting local copy: j26mlcj11fo.dll
deleting local copy: j6n20g5oe6.dll
deleting local copy: j6n2lg5o16.dll
deleting local copy: jr0025dmg.dll
deleting local copy: k0jsla171d.dll
deleting local copy: k0nola531d.dll
deleting local copy: k4nole531h.dll
deleting local copy: kt4ml7h11.dll
deleting local copy: ktl0l73m1.dll
deleting local copy: ktlql7351.dll
deleting local copy: l2l6lc3s1f.dll
deleting local copy: lv4q09h5e.dll
deleting local copy: lv8409lqe.dll
deleting local copy: m4rmle911h.dll
deleting local copy: m6po0g73e6.dll
deleting local copy: mv4ol9h31.dll
deleting local copy: mv6ql9j51.dll
deleting local copy: n82u0if9e82.dll
deleting local copy: o2660cjsefo60.dll
deleting local copy: o8roli9318.dll
deleting local copy: r4r60e9seh.dll
deleting local copy: rSsmontr.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza2l5fo1.dll
C:\WINDOWS\system32\azamlcj11fo.dll
C:\WINDOWS\system32\azaq0gd5e60.dll
C:\WINDOWS\system32\azaqlgd5160.dll
C:\WINDOWS\system32\cpmres.dll
C:\WINDOWS\system32\dn8801lue.dll
C:\WINDOWS\system32\e220lcfm1f2a.dll
C:\WINDOWS\system32\e6jm0g11e6.dll
C:\WINDOWS\system32\en42l1ho1.dll
C:\WINDOWS\system32\enr4l19q1.dll
C:\WINDOWS\system32\f20o0cd3ef0.dll
C:\WINDOWS\system32\fp2q03f5e.dll
C:\WINDOWS\system32\fp8003lme.dll
C:\WINDOWS\system32\h2j4lc1q1f.dll
C:\WINDOWS\system32\h60q0gd5e60.dll
C:\WINDOWS\system32\hr2s05f7e.dll
C:\WINDOWS\system32\i0060adsed060.dll
C:\WINDOWS\system32\i8600ijme8oa0.dll
C:\WINDOWS\system32\j26mlcj11fo.dll
C:\WINDOWS\system32\j6n20g5oe6.dll
C:\WINDOWS\system32\j6n2lg5o16.dll
C:\WINDOWS\system32\jr0025dmg.dll
C:\WINDOWS\system32\k0jsla171d.dll
C:\WINDOWS\system32\k0nola531d.dll
C:\WINDOWS\system32\k4nole531h.dll
C:\WINDOWS\system32\kt4ml7h11.dll
C:\WINDOWS\system32\ktl0l73m1.dll
C:\WINDOWS\system32\ktlql7351.dll
C:\WINDOWS\system32\l2l6lc3s1f.dll
C:\WINDOWS\system32\lv4q09h5e.dll
C:\WINDOWS\system32\lv8409lqe.dll
C:\WINDOWS\system32\m4rmle911h.dll
C:\WINDOWS\system32\m6po0g73e6.dll
C:\WINDOWS\system32\mv4ol9h31.dll
C:\WINDOWS\system32\mv6ql9j51.dll
C:\WINDOWS\system32\n82u0if9e82.dll
C:\WINDOWS\system32\o2660cjsefo60.dll
C:\WINDOWS\system32\o8roli9318.dll
C:\WINDOWS\system32\r4r60e9seh.dll
C:\WINDOWS\system32\rSsmontr.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{7FB1C7DB-AFA9-42F3-8712-05356CC68CB8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{7FB1C7DB-AFA9-42F3-8712-05356CC68CB8}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=31
****************************************************************************


HJT Log (Run 10/06/2005)

Logfile of HijackThis v1.99.1
Scan saved at 22:46:40, on 06/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA86D74-6CB5-49CB-9B08-36682FC5C811}: NameServer = 81.137.10.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{5FA86D74-6CB5-49CB-9B08-36682FC5C811}: NameServer = 81.137.10.214
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope that's all okay. Looking forward to getting this finished off. :thumbsup:

Cheers,
David

#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:13 PM

Posted 13 June 2005 - 05:26 AM

Looks much better!
  • Download CWShredder.

    Start Cwshredder and click FIX

  • Download CCleaner and install it. (Please do not run the CCleaner utility yet.)

  • Scan again with HijackThis and check the following items:

O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions)
Reboot your computer into safe mode (Instructions)
  • Find and delete these files and folders (if they are still there):
    C:\WINDOWS\logon.exe <= this file

    Run a search for this file:
    snss.exe

  • Start CCleaner, click Run CCleaner (bottom right)

  • Run Ewido
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot into normal mode. I need you to post the log from Ewido and a new HiJackThis log.


#3 demos99

demos99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 13 June 2005 - 07:26 AM

I need you to post the log from Ewido and a new HiJackThis log.

Done as you requested. Logs follow.

Ewido Log (Run 13/06/2005)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:19:12, 06/13/2005
+ Report-Checksum: 7DB199C

+ Date of database: 06/10/2005
+ Version of scan engine: v3.0

+ Duration: 27 min
+ Scanned Files: 29568
+ Speed: 18.22 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End


HJT Log (Run 13/06/2005)

Logfile of HijackThis v1.99.1
Scan saved at 13:20:54, on 06/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\hjt\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA86D74-6CB5-49CB-9B08-36682FC5C811}: NameServer = 81.137.10.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{5FA86D74-6CB5-49CB-9B08-36682FC5C811}: NameServer = 81.137.10.214
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Cheers,
David

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:13 PM

Posted 13 June 2005 - 07:30 AM

Almost done :thumbsup:

Scan again with HijackThis and check the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Reboot your computer and post a new HijackThis log!

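Added here as an illustration, not code from the thread or from HijackThis: a small Python triage script that applies the checks didom asked for by hand in posts #2 and #4 (the O4 entries pointing at C:\WINDOWS\logon.exe and the pathless snss.exe, then the about:blank R0/R1 search entries) to sample lines copied from the logs above, and diffs two logs to confirm the entries are gone. The pattern and function names are my own.

```python
"""Triage helper for HijackThis 1.99 logs (example code, not the tool's own).

Parses the R0/R1 (browser start and search URLs) and O4 (autostart) lines of an
HJT log and flags the patterns the helper singled out in this thread: blanked
search/start pages, autostart commands with no path, entries under the Windows
9x-era RunServices key, and executables dropped directly into the Windows root.
It also reports which lines disappeared between two logs, the check a helper
makes by eye when a fresh log comes back.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the 10/06/2005 HJT log posted above.
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Microsoft Update Machine] snss.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] snss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: the same entries after the fixes requested in posts #2 and #4.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 - registry path,value name = current value (value may be empty)
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<target>.+?) = ?(?P<value>.*)$")
# A file directly under the Windows directory, e.g. C:\WINDOWS\logon.exe
WINROOT_RE = re.compile(r"[a-z]:\\windows\\[^\\]+", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log: str) -> list:
    """Flag R0/R1/O4 lines that match the hijack patterns seen in this thread."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons = []
        m = R_RE.match(line)
        if m and m["value"].strip().lower() in ("", "about:blank"):
            reasons.append("start/search page blanked (hijack residue)")
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                reasons.append("no path: resolved through the search order")
            elif WINROOT_RE.fullmatch(exe):
                reasons.append("executable placed directly in the Windows root")
            if m["key"].lower() == "runservices":
                reasons.append("RunServices is a Windows 9x-era key; unusual on XP")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def removed_entries(before: str, after: str) -> list:
    """Lines present in the earlier log that are gone from the later one."""
    kept = {l.strip() for l in after.splitlines() if l.strip()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in kept]


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print("gone after fix:", len(removed_entries(LOG_BEFORE, LOG_AFTER)), "entries")
```

The flags are review prompts, not verdicts: a pathless command such as BCMSMMSG.exe in the real log is legitimate and would also be listed for a look.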
#5 demos99

demos99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:13 PM

Posted 13 June 2005 - 10:04 AM

Reboot your computer and post a new HijackThis log!

Latest HJT log:

HJT Log (Run 13/06/2005)

Logfile of HijackThis v1.99.1
Scan saved at 15:59:17, on 06/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA86D74-6CB5-49CB-9B08-36682FC5C811}: NameServer = 81.137.10.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{5FA86D74-6CB5-49CB-9B08-36682FC5C811}: NameServer = 81.137.10.214
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Cheers,
David

#6 didom

Posted 13 June 2005 - 10:16 AM

This log is clean!

This is a good time to set up protection against further attacks. Read the article behind this link: "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... Be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts.

Please post back if you are still having any problems....

#7 demos99

Posted 13 June 2005 - 10:50 AM

Hi didom,

Looks good. :thumbsup:

Many thanks for your help getting this cleared up. :flowers:

Appreciate it a lot.

Cheers,
David

#8 didom

Posted 13 June 2005 - 12:02 PM

You're welcome! :thumbsup:
