
My Computer Is Flooded With Popups


This topic is locked
14 replies to this topic

#1 eyes


Posted 06 November 2005 - 04:45 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:40:41 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\3dlTB.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\WINDOWS\system32\MiaSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g6402ghmg64a2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - C:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



thanks for the support guys :thumbsup:



#2 SifuMike

malware expert

Posted 07 November 2005 - 01:05 AM

Hello eyes,
You have a few nasty infections on your computer, so this will take several steps. :thumbsup:

Disable both Teatimer and Adwatch, as they will prevent registry changes.
After we have your computer clean, then you can enable them.

To disable Spybot S&D (Teatimer):
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left-hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

To disable Ad-Aware Ad-Watch:
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch on/off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with Hijackthis and place a checkmark next to each of the following items and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g6402ghmg64a2.dll


Close HiJackThis.

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know. A folder or file name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\sms_msn.exe <==file
C:\Program Files\Daily Weather Forecast\ <==folder
C:\WINDOWS\system32\g6402ghmg64a2.dll <==file



Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web and uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log.

Let me know if any problems persist.

Edited by SifuMike, 07 November 2005 - 01:12 AM.

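Added example (not from this thread and not code from HijackThis, smitRem or Ewido): a Python triage script that parses HijackThis log lines in the format posted above, applies the checks implied by SifuMike's fix list, and compares the 6 Nov and 12 Nov logs to show the Winlogon Notify DLL returning under a new randomised name. The sample lines are copied from the two logs in this thread; the randomised-name heuristic and the `KNOWN_BAD_PATHS` set are my own assumptions, not rules any of those tools apply.

```python
import re
from dataclasses import dataclass

# Constructed sample: the entries the helper told the poster to fix, taken from
# the first HijackThis log in this thread (6 Nov 2005), plus two benign lines.
LOG_06_NOV = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g6402ghmg64a2.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# The same entries from the second log (12 Nov 2005): sms_msn is gone, the
# weather autorun survived, and the O20 DLL is back under a different name.
LOG_12_NOV = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\l00ulad91d0.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Assumption: paths identified as malicious in post #2 of this thread.
KNOWN_BAD_PATHS = {
    r"c:\windows\system32\sms_msn.exe",
    r"c:\program files\daily weather forecast\weather.exe",
}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
R_RE = re.compile(r"^(?P<key>.*?) = ?(?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    path: str


def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def looks_randomised(filename):
    """Heuristic (assumption): Look2Me-style names such as g6402ghmg64a2.dll mix
    letters with several digits in a long stem; legitimate notify DLLs rarely do."""
    stem = filename.rsplit(".", 1)[0].lower()
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 2 and letters >= 2 and len(stem) >= 8


def executable_path(cmd):
    """Strip a leading quote and trailing arguments from an O4 command line."""
    cmd = cmd.strip().lstrip('"')
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd


def triage(text):
    """Apply the three checks this thread's fix list implies and return findings."""
    findings = []
    for section, body in parse_hjt(text):
        if section in ("R0", "R1"):
            m = R_RE.match(body)
            if m and m.group("value").strip() == "":
                findings.append(Finding(section, "empty IE search value (hijack remnant)", m.group("key")))
        elif section == "O4":
            m = O4_RE.match(body)
            if m:
                path = executable_path(m.group("cmd"))
                if path.lower() in KNOWN_BAD_PATHS:
                    findings.append(Finding(section, "autorun of path on this thread's fix list", path))
        elif section == "O20":
            m = O20_RE.match(body)
            if m:
                path = m.group("path").strip()
                if looks_randomised(path.rsplit("\\", 1)[-1]):
                    findings.append(Finding(section, "Winlogon Notify DLL with randomised name", path))
    return findings


def still_present(before_text, after_text):
    """Findings whose exact path survives from the first log into the second."""
    before = {(f.section, f.path) for f in triage(before_text)}
    return [f for f in triage(after_text) if (f.section, f.path) in before]


def regenerated(before_text, after_text):
    """Same section and reason but a path not seen before: the component was
    deleted and recreated under a new name, which is what happened here."""
    before = {}
    for f in triage(before_text):
        before.setdefault((f.section, f.reason), set()).add(f.path)
    changes = []
    for f in triage(after_text):
        seen = before.get((f.section, f.reason))
        if seen and f.path not in seen:
            changes.append((f.reason, sorted(seen), f.path))
    return changes


if __name__ == "__main__":
    for f in still_present(LOG_06_NOV, LOG_12_NOV):
        print("still present:", f.section, f.path)
    for reason, old, new in regenerated(LOG_06_NOV, LOG_12_NOV):
        print("regenerated:", reason, old, "->", new)
```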

#3 eyes


Posted 12 November 2005 - 05:07 AM

Hello,
I did everything that you said to do, but it seems that they have come back. Here are all of the reports.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:56:05 AM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\3dlTB.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\WINDOWS\system32\MiaSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\l00ulad91d0.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - C:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:48:07 AM, 11/12/2005
+ Report-Checksum: E6E66ADE

+ Scan result:

HKU\S-1-5-21-1220945662-343818398-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
[648] C:\WINDOWS\system32\pdnppagn.dll -> Spyware.Look2Me : Error during cleaning
[524] C:\WINDOWS\system32\pdnppagn.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\096B4L67\gdnUS2218[1].exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\096B4L67\installer[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4XYV09Q7\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4XYV09Q7\AppWrap[2].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\AppWrap[2].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\drsmartload[1].exe -> Spyware.SmartLoad : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\msresearch[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\mte3ndm6odoxng[1].exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\ucmoreiex[1].exe/UCMTSAIE.DLL -> Spyware.UCmore : Error during cleaning
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\ucmoreiex[1].exe/IUCMORE.DLL -> Spyware.UCmore : Error during cleaning
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K12Z4HYN\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K12Z4HYN\AppWrap[2].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K12Z4HYN\contextplus[1].exe -> Trojan.Crypt.t : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K12Z4HYN\sp2update00[1].exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\Program Files\ATS2\quarantine\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Program Files\ATS2\quarantine\AppWrap[2].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Program Files\Netrefox\Cache\00003d6c_43693ca6_000baeb9 -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Program Files\Netrefox\Cache\00004cd4_4368202b_000f0537 -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Program Files\Netrefox\Cache\00005039_43681fff_00022551 -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Program Files\Personal Antispy\lview.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\msresearch.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Sm9lbA\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\Sm9lbA\command.ex$ -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\system32\amrsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cxmaddin.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fppo0373e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\irn4l55q1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iwrdbg32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lv2809fue.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mbgentr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mjxml2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mwiole32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rjfsaps.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\vsrifier.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

Smitfiles:
smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 11/11/2005
The current time is: 14:26:58.54

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:


Thanks for all the help, and for future help :flowers: I really need to get this stuff fixed; it's killing my computer.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM

Posted 12 November 2005 - 10:54 AM

It looks like you did not disable Teatimer and Adwatch, so the fix did not work and we will have to do it again. :thumbsup:

Disable both Teatimer and Adwatch, as they will prevent registry changes.
After we have your computer clean, then you can enable them.

To disable Spybot S&D (Teatimer):
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

To disable Ad-Aware Ad-Watch:
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HijackThis and place a checkmark next to each of the following items and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\l00ulad91d0.dll


Close HiJackThis.

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know. A folder or file name containing a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\Program Files\P.S.Guard\ <==folder
C:\Program Files\Daily Weather Forecast\ <==folder
C:\WINDOWS\system32\l00ulad91d0.dll <==file



Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan.
Remove all it finds. You will need to post the log so I can see it.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report,
a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log.

We still have the Look2me infection to fix.

Edited by SifuMike, 12 November 2005 - 01:26 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 eyes

eyes
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 12 November 2005 - 03:45 PM

hello again,
Still got those damned popups, but I think we are getting closer. Here are the new logs.

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 12:37:39 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\3dlTB.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\WINDOWS\system32\MiaSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\enrsl1971.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - C:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe





Ad-Aware:
Lavasoft Ad-aware Professional Build 162
Logfile created on :Saturday, November 12, 2005 12:07:45 PM
Using reference-file :0R150 05.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 11-12-2005 7:55:18 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:55:21 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:55:23 PM
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:56 AM
Last accessed : 11/12/2005 7:25:45 PM
Last modified : 8/4/2004 12:56:56 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:55:23 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:52 AM
Last accessed : 11/12/2005 7:25:45 PM
Last modified : 8/4/2004 12:56:52 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:55:24 PM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:58 AM
Last accessed : 11/12/2005 7:25:45 PM
Last modified : 8/4/2004 12:56:58 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:55:24 PM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:58 AM
Last accessed : 11/12/2005 7:25:45 PM
Last modified : 8/4/2004 12:56:58 AM

#:7 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:55:26 PM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:56 AM
Last accessed : 11/12/2005 7:25:45 PM
Last modified : 8/4/2004 12:56:56 AM

#:8 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 11-12-2005 7:56:35 PM
BasePriority : Normal
FileSize : 67 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:56 AM
Last accessed : 11/12/2005 8:00:29 PM
Last modified : 8/4/2004 12:56:56 AM

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 11-12-2005 8:00:19 PM
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/4/2004 12:56:50 AM
Last accessed : 11/12/2005 8:07:20 PM
Last modified : 8/4/2004 12:56:50 AM

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 11-12-2005 8:07:40 PM
BasePriority : Normal
FileSize : 732 KB
FileVersion : 6.0.1.164
ProductVersion : 6.0.0.0
Copyright : Copyright Lavasoft Sweden
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 11/2/2005 11:04:23 PM
Last accessed : 11/12/2005 8:07:40 PM
Last modified : 2/9/2003 5:18:32 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

12:11:05 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:03:20:312
Objects scanned :89941
Objects identified :0
Objects ignored :0
New objects :0



Smitfiles:
smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 11/12/2005
The current time is: 11:57:43.06

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :thumbsup:




Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:30:43 PM, 11/12/2005
+ Report-Checksum: BB6ABF1A

+ Scan result:

[652] C:\WINDOWS\system32\aipmgr.dll -> Spyware.Look2Me : Error during cleaning
[1468] C:\WINDOWS\system32\aipmgr.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.0k0\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\ucmoreiex[1].exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GL6VK1YJ\ucmoreiex[1].exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\system32\pyspl.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

thanks again for all the help :flowers:

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM

Posted 12 November 2005 - 04:23 PM

Looks better, but you forgot to post the Panda scan report. :thumbsup:

I need to see what it found. If it found any malware, then we need to delete it.

Then we will tackle the popups caused by the Look2Me infection.

Edited by SifuMike, 12 November 2005 - 04:30 PM.


#7 eyes

eyes
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 12 November 2005 - 04:46 PM

The Panda Software scan didn't give me a report because it doesn't scan my computer for some reason; it just tells me I have an error on the page when I try to scan, and yes, I did install the ActiveX :) Not sure what to do about it. Thanks

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM

Posted 12 November 2005 - 04:49 PM

Try this scanner:
Trend Micro Housecall Online virus scanner

After it runs, save the log and post it. :thumbsup:

Edited by SifuMike, 12 November 2005 - 04:51 PM.


#9 eyes

eyes
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 13 November 2005 - 07:57 PM

OK, then here is the report that I got from the new thing you told me to use.

Virus Scan 0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 0 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 2 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_1701 Cookie Pass
COOKIE_2281 Cookie Pass




Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix

:thumbsup: So now, how about these popups? Thanks

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM

Posted 13 November 2005 - 08:06 PM

The virus scan looks clean, so let's go after the popups. :thumbsup:

Download the trial version of Spy Sweeper

Install it using the Standard Install option.
(You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Make sure you are disconnected from the internet.

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C.
Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

When prompted, allow Spy Sweeper to restart your computer, and then please copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.

Edited by SifuMike, 13 November 2005 - 08:07 PM.


#11 eyes

eyes
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 13 November 2005 - 11:41 PM

OK, this is the newest HJT scan that I did after the Spy Sweeper.
It seems that everything is working OK. Thank you so much, man :thumbsup:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:36:44 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\WINDOWS\system32\MiaSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\3dlTB.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - C:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Spy Sweeper:
********
5:18 PM: | Start of Session, Sunday, November 13, 2005 |
5:18 PM: Spy Sweeper started
5:18 PM: Sweep initiated using definitions version 572
5:18 PM: Starting Memory Sweep
5:18 PM: Found Adware: icannnews
5:18 PM: Detected running threat: C:\WINDOWS\system32\jt8u07l9e.dll (ID = 83)
5:19 PM: Detected running threat: C:\WINDOWS\system32\3flCP.dll (ID = 83)
5:19 PM: Memory Sweep Complete, Elapsed Time: 00:01:02
5:19 PM: Starting Registry Sweep
5:19 PM: Found System Monitor: stealth webpage recorder
5:19 PM: HKLM\software\blazing tools\ (4 subtraces) (ID = 142923)
5:19 PM: Found Adware: popuper
5:19 PM: HKCR\clsid\{3bf1f86f-b1a8-489b-8d8b-43781d51411f}\ (4 subtraces) (ID = 849554)
5:19 PM: HKLM\software\classes\clsid\{3bf1f86f-b1a8-489b-8d8b-43781d51411f}\ (4 subtraces) (ID = 849828)
5:19 PM: Found Adware: command
5:19 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
5:19 PM: Found Adware: search helping wizard
5:19 PM: HKCR\ngsh35.clsdw\ (3 subtraces) (ID = 958369)
5:19 PM: HKCR\ngsh35.clsis\ (3 subtraces) (ID = 958373)
5:19 PM: HKCR\clsid\{392baf48-a26a-45b5-9263-97128e429268}\ (13 subtraces) (ID = 958397)
5:19 PM: HKCR\clsid\{58ec3e97-3510-4bdb-8771-ff8337479dba}\ (13 subtraces) (ID = 958411)
5:19 PM: HKCR\typelib\{a7e74cb8-70e3-4edb-85af-244ab888b833}\ (9 subtraces) (ID = 958482)
5:19 PM: HKLM\software\classes\ngsh35.clsdw\ (3 subtraces) (ID = 958516)
5:19 PM: HKLM\software\classes\ngsh35.clsis\ (3 subtraces) (ID = 958520)
5:19 PM: HKLM\software\classes\clsid\{392baf48-a26a-45b5-9263-97128e429268}\ (13 subtraces) (ID = 958544)
5:19 PM: HKLM\software\classes\clsid\{58ec3e97-3510-4bdb-8771-ff8337479dba}\ (13 subtraces) (ID = 958558)
5:19 PM: HKLM\software\classes\typelib\{a7e74cb8-70e3-4edb-85af-244ab888b833}\ (9 subtraces) (ID = 958630)
5:19 PM: HKLM\system\currentcontrolset\services\cmdservice\ (11 subtraces) (ID = 958670)
5:19 PM: Found System Monitor: perfect keylogger
5:19 PM: HKU\S-1-5-21-1220945662-343818398-839522115-500\software\blazing tools\ (2 subtraces) (ID = 136699)
5:19 PM: Found Adware: targetsaver
5:19 PM: HKU\S-1-5-21-1220945662-343818398-839522115-500\software\tsl2\ (1 subtraces) (ID = 143616)
5:19 PM: Registry Sweep Complete, Elapsed Time:00:00:06
5:19 PM: Starting Cookie Sweep
5:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:19 PM: Starting File Sweep
5:20 PM: tsupdate[1].ini (ID = 112322)
5:20 PM: installer_1[1].exe (ID = 185727)
5:24 PM: 113_dollarrevenue_4_0_3_9[1].exe (ID = 166444)
5:24 PM: Found Adware: apropos
5:24 PM: atmtd.dll._ (ID = 166754)
5:24 PM: wingenerics.dll (ID = 50187)
5:24 PM: atmtd.dll (ID = 166754)
5:24 PM: ma65ve.vbs (ID = 185675)
5:24 PM: File Sweep Complete, Elapsed Time: 00:04:57
5:24 PM: Full Sweep has completed. Elapsed time 00:06:08
5:24 PM: Traces Found: 141
8:30 PM: Removal process initiated
8:30 PM: Quarantining All Traces: icannnews
8:30 PM: icannnews is in use. It will be removed on reboot.
8:30 PM: C:\WINDOWS\system32\jt8u07l9e.dll is in use. It will be removed on reboot.
8:30 PM: C:\WINDOWS\system32\3flCP.dll is in use. It will be removed on reboot.
8:30 PM: Quarantining All Traces: perfect keylogger
8:30 PM: Quarantining All Traces: popuper
8:30 PM: Quarantining All Traces: stealth webpage recorder
8:30 PM: Quarantining All Traces: apropos
8:30 PM: Quarantining All Traces: command
8:30 PM: Quarantining All Traces: search helping wizard
8:30 PM: Quarantining All Traces: targetsaver
8:31 PM: Removal process completed. Elapsed time 00:01:15
********
5:13 PM: | Start of Session, Sunday, November 13, 2005 |
5:13 PM: Spy Sweeper started
5:14 PM: Your spyware definitions have been updated.
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:18 PM: | End of Session, Sunday, November 13, 2005 |

Edited by eyes, 13 November 2005 - 11:43 PM.


#12 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM
Posted 14 November 2005 - 12:17 AM

Your logs look clean, :thumbsup: but let's dig deeper and see if all the remnants of Look2me are gone. Sometimes it leaves some garbage behind.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Edited by SifuMike, 14 November 2005 - 12:21 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 eyes

eyes
  • Topic Starter
  • Members
  • 7 posts
  • Local time:06:43 PM

Posted 15 November 2005 - 03:07 AM

OK, here it is

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FB00214F-2B30-432D-6A54-3610F96EAE2F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{6F8CC873-D8F2-4086-9288-F7F03ECF55BF}"="3Dlabs CPL Extension V3"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{3360F4D2-926C-46D0-BA14-C815D8806A5B}"=""
"{EBDF1F20-C829-11D1-8233-0020AF3E97A6}"="ATS Context Menu Shell Extension"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aŭ Context Menu Shell Extension"
"{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}"=""
"{84FE33EB-23B2-4C29-8868-5022FB04D2D5}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3360F4D2-926C-46D0-BA14-C815D8806A5B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3360F4D2-926C-46D0-BA14-C815D8806A5B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3360F4D2-926C-46D0-BA14-C815D8806A5B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3360F4D2-926C-46D0-BA14-C815D8806A5B}\InprocServer32]
@="C:\\WINDOWS\\system32\\vsrifier.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}\InprocServer32]
@="C:\\WINDOWS\\system32\\amrsvc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bassmod.dll Tue Nov 1 2005 5:30:22p A.... 34,308 33.50 K
browseui.dll Fri Sep 2 2005 3:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 3:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 5:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 3:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 3:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 3:52:04p A.... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 7:09:36p A.... 280,064 273.50 K
gpn2l3~1.dll Sun Nov 13 2005 3:47:42p ..S.R 233,874 228.39 K
haspvdd.dll Mon Oct 24 2005 11:28:50a A.... 6,656 6.50 K
iepeers.dll Fri Sep 2 2005 3:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 3:52:04p A.... 96,256 94.00 K
islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K
linkinfo.dll Wed Aug 31 2005 5:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 3:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 3:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 3:52:06p A.... 530,432 518.00 K
netman.dll Mon Aug 22 2005 10:29:46a A.... 197,632 193.00 K
pngfilt.dll Fri Sep 2 2005 3:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 7:54:26p A.... 1,287,168 1.23 M
rnbovdd.dll Mon Oct 24 2005 11:42:42a A.... 18,432 18.00 K
rsftsc~1.dll Tue Nov 1 2005 5:35:16p A.... 45,056 44.00 K
shdocvw.dll Fri Sep 2 2005 3:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 7:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 3:52:06p A.... 473,600 462.50 K
snti386.dll Mon Oct 24 2005 11:42:42a A.... 50,176 49.00 K
umpnpmgr.dll Mon Aug 22 2005 7:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 3:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 3:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 5:41:54p A.... 291,840 285.00 K
wrlogo~1.dll Mon Oct 24 2005 12:19:50p A.... 492,544 481.00 K
wrlzma.dll Mon Oct 24 2005 12:19:46p A.... 17,920 17.50 K

33 items found: 33 files (1 H/S), 0 directories.
Total of file sizes: 23,958,422 bytes 22.85 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
trj_nt~1.tmp Mon Nov 14 2005 11:37:24p A.... 1,688 1.65 K

1 item found: 1 file, 0 directories.
Total of file sizes: 1,688 bytes 1.65 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 608F-C486

Directory of C:\WINDOWS\System32

11/13/2005 03:47 PM 233,874 gpn2l35o1.dll
11/08/2005 05:21 PM <DIR> dllcache
10/23/2005 01:39 PM <DIR> Microsoft
1 File(s) 233,874 bytes
2 Dir(s) 97,425,190,912 bytes free



hope it's clean
:thumbsup:
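
The find log above is read for two Look2Me markers: Shell Extensions\Approved entries with an empty description whose CLSID resolves to a DLL in system32, and a system32 DLL carrying system+read-only attributes next to ordinary archive-flagged files. The following Python triage script is an added example, not part of the thread or of the L2MFIX tool; it runs over a constructed excerpt of the posted log (its GUIDs and file names are the ones that appear above), and the indicator names and the Finding class are my own.

```python
"""Triage an L2MFIX 'find log' for the Look2Me indicators seen in the thread."""
import re
from dataclasses import dataclass

# Constructed excerpt in the same layout as the L2MFIX log posted above;
# the GUIDs and file names are taken from that log, the rest is trimmed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{3360F4D2-926C-46D0-BA14-C815D8806A5B}"=""
"{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}"=""
"{84FE33EB-23B2-4C29-8868-5022FB04D2D5}"=""

**********************************************************************************
[HKEY_CLASSES_ROOT\CLSID\{3360F4D2-926C-46D0-BA14-C815D8806A5B}\InprocServer32]
@="C:\\WINDOWS\\system32\\vsrifier.dll"

[HKEY_CLASSES_ROOT\CLSID\{44B85A53-DAA6-4300-B1E9-8DA3CDD01CF3}\InprocServer32]
@="C:\\WINDOWS\\system32\\amrsvc.dll"

**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
bassmod.dll Tue Nov 1 2005 5:30:22p A.... 34,308 33.50 K
gpn2l3~1.dll Sun Nov 13 2005 3:47:42p ..S.R 233,874 228.39 K
shell32.dll Thu Sep 22 2005 7:05:30p A.... 8,450,560 8.06 M
"""

APPROVED_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*)"$')
INPROC_KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$')
FILE_RE = re.compile(r'^(\S+\.dll)\s.*\s([A-Z.]{5})\s+([\d,]+)\s')

def parse_find_log(text):
    """Return (approved, inproc, files) from the three log sections above."""
    approved, inproc, files = {}, {}, []
    in_approved, clsid = False, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*****"):            # section separator: reset state
            in_approved, clsid = False, None
        elif line.startswith("["):              # a registry key header
            in_approved = line.endswith(r"\Shell Extensions\Approved]")
            m = INPROC_KEY_RE.match(line)
            clsid = m.group(1).upper() if m else None
        elif in_approved and (m := APPROVED_RE.match(line)):
            approved[m.group(1).upper()] = m.group(2)
        elif clsid and line.startswith('@="'):  # default value = COM server DLL
            inproc[clsid] = line[3:-1].replace("\\\\", "\\")
        elif m := FILE_RE.match(line):          # name, 5-char attributes, size
            files.append((m.group(1), m.group(2), int(m.group(3).replace(",", ""))))
    return approved, inproc, files

@dataclass
class Finding:
    kind: str
    subject: str
    detail: str

def triage(approved, inproc, files):
    """Flag nameless Approved shell extensions (and where their DLL lives) and
    system32 DLLs marked system+read-only, the markers the helper looks for."""
    findings = []
    for clsid, desc in approved.items():
        if desc == "":   # legitimate Approved entries carry a readable name
            dll = inproc.get(clsid, "(InprocServer32 not in log)")
            findings.append(Finding("nameless-approved-extension", clsid, dll))
    for name, attrs, size in files:
        if "S" in attrs and "R" in attrs:   # ..S.R next to ordinary A.... files
            findings.append(Finding("system-readonly-dll", name, f"{attrs} {size:,} bytes"))
    return findings

if __name__ == "__main__":
    for f in triage(*parse_find_log(SAMPLE_LOG)):
        print(f"{f.kind:30} {f.subject:40} {f.detail}")
```

Run against the real log the same way; entries it flags are candidates for review, not proof of infection, since the tool itself warns that not every listed file is bad.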

#14 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM

Posted 15 November 2005 - 12:00 PM

I think you have some garbage files still there.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Extra note... after reboot and logging in, normally a screen will pop up and perform the rest of the fix and notepad opens automatically afterwards.

If after the reboot the desktop icons don't disappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.
Let it run and notepad (log.txt) will open then.
Copy and paste the contents of it in your next reply with a new hijackthis log.

#15 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:43 PM

Posted 24 November 2005 - 06:11 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.