Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop Ups


  • Please log in to reply
1 reply to this topic

#1 borst68

borst68

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 27 June 2005 - 09:54 AM

I have so many popups and spyware I can not hardly function. Here is my hijack this log. Can someone help me get my machine clean?


Logfile of HijackThis v1.99.1
Scan saved at 8:52:58 AM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\bin\iPodService.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Aprps\CxtPls.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O1 - Hosts: 6}&mSkip=1&rnd=22433", 600000, "TRUE");
O1 - Hosts: ');
O1 - Hosts: setTimeout("sendExternalEvent('EVENT:UPDATECRC:3125877753')", 2500);
O1 - Hosts: </SCRIPT>
O1 - Hosts: head>
O1 - Hosts: <BODY>
O1 - Hosts: T" ID="myScript"></SCRIPT>
O1 - Hosts: </BODY>
O1 - Hosts: <HEAD>
O1 - Hosts: <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O1 - Hosts: <META HTTP-EQUIV="Expires" CONTENT="-1">
O1 - Hosts: </HEAD>
O1 - Hosts: </html>
O1 - Hosts: <script language=JavaScript>
O1 - Hosts: var myRepeatArray = new Array();
O1 - Hosts: D, Url, Timeout, Repeat) {
O1 - Hosts: {
O1 - Hosts: if (myRepeatArray[ID] > 0) {
O1 - Hosts: myRepeatArray[ID]--;
O1 - Hosts: setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, 'FALSE')", Timeout);
O1 - Hosts: setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', " + Timeout + ", '" + Repeat + "')", Timeout);
O1 - Hosts: }
O1 - Hosts: }
O1 - Hosts: else {
O1 - Hosts: if (!Timeout) {
O1 - Hosts: window.document.getElementById('myScript').src = "";
O1 - Hosts: window.document.getElementById('myScript').src = Url;
O1 - Hosts: }
O1 - Hosts: else setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, '" + Repeat + "')", Timeout);
O1 - Hosts: }
O1 - Hosts: }
O1 - Hosts: www.look2me.com/cgi-bin/SelectorV2?ID={D1BD2B9F-9DC6-4451-815F-67429F658AF6}&mSkip=1&rnd=1716", 180000, "FALSE");
O1 - Hosts: myRepeatArray[3] = "10";
O1 - Hosts: myRepeatArray[2] = "3";
O1 - Hosts: ementById('myScript').src = Url;
O1 - Hosts: }
O1 - Hosts: else setTimeout("sendExternalUrl(" + ID + ",'" + Url + "', 0, '" + Repeat + "')", Timeout);
O1 - Hosts: }
O1 - Hosts: }
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: estroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: r-search.com
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: Spybot - Search & Destroy
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Quicken Startup.lnk.disabled
O4 - Global Startup: Billminder.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://*.realpage.com
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/adobe/MTSI...dplayernow.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/Rea...ab/Realpage.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1091890951998
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.47/ttinst.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\fcusd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks, Keri

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 June 2005 - 07:50 AM

Hi Keri and Welcome to the Bleeping Computer!

I need to have a look at a folder on your System please!

Locate C:\Program Files\Aprps<< Right Click and Select "Send To" then Select "Compressed(Zipped)Folder"

Email that Zipped Folder here>> filesubmit@charter.net

You have whats called the Look2Me Infection so download the L2MFix from

http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.

Once that Scan has finished,Run this Scanner:

Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If you it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue!

It should open automatically>Leave the "Default Settings ticked" and add a "tick" "Drives">this will light up "All Drives">Click "Scan Clean" to begin!

This Scan will take Several Hours or more to Complete,Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

Once the Scan has finished,All entries Identified as Infected will displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Post those results back here along with the Log from the L2MFix!

If you encounter an Autoexec.bat error while trying to Scan with L2MFix

Click Here and Click the link thats appropriate to your Operating System!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users