Repeated Look2me Infestations


20 replies to this topic

#1 Gem

  • Members
  • 17 posts
  • Location:Santa Maria, California
Posted 24 November 2005 - 12:35 AM

Hi Folks,

For a few days now I have been diligently battling Look2me malware. I have followed many of the pinned topics and bleepingcomputer-posted responses to users in this forum and I am not yet rid of this infection. I am having repeat reinfestations on reboot, with or without network connection and in and out of Safe Mode; though the latter may be due in part to my varied scanning sequences. I have slow system response and multiple pop-ups. I am confident winlogon is the root of this particular evil; the referenced filename frequently changes on boot, and now there are multiple instances in HJT boot logs.

This is my first time posting at any PC support forum, so please bear with me if I have overlooked some essential detail.

I have used the following utilities per various pinned topics / responses with no resolution as of yet.

Cleanit (fantastic little utility by the way - glad to have discovered it here, thanks)
Hijackthis
Ad-Aware
Ewido Security Suite (repeatedly detects spyware.Look2me infection / detects 2-4 hits now on normal logon)
FxSpL2Me.exe (found nothing)
Kill2me.exe (found nothing in safe mode. Also ran in normal mode allowing the look2me to remain resident on detection by ewido; it remained undetected by kill2me)
NoAdware
SpySweeper
Spybot
Killbox (utility unsuccessful in deleting the ever-changing dll files resident in C:\Windows\system32)
Smitfraud.reg / smitrem.exe (restored my hijacked desktop and related system settings)
AproposFix.exe (ultimately restored my network and device settings & icons which had vanished)
IE-Spyad.exe (no discernible difference after installing this)
s_t_i_n_g_e_r.exe (found nothing)
VX2Finder(126).exe (found nothing)
Microsoft Antispyware (worthless for this infection)

Here is a normal boot HJT log for starters.

Logfile of HijackThis v1.99.1
Scan saved at 8:37:58 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\sncur32.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\p0n8la5u1d.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\p0n8la5u1d.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I must admit this has been an interesting challenge and I am learning much - I think I like it a little (shhh). I can say that as my data is completely backed up. I could easily reformat but where is the learning curve in that?

Thank you very much, and Happy Thanksgiving and God bless!

Gem
And he said, how can I except some man should guide me? -- Acts 8:31a


#2 Guest_Cretemonster_*

  • Guests

Posted 24 November 2005 - 04:26 AM

Hi GEM and Welcome to the Bleeping Computer!

I do like your attitude! :thumbsup:

Please Download the l2mfix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3 Gem

  • Topic Starter
  • Members
  • 17 posts
  • Location:Santa Maria, California
Posted 24 November 2005 - 11:13 AM

Good morning,

I followed the above instructions and here is the new log.

L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktr4l79q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p0n8la5u1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7BA26894-AEAD-0F31-9DF0-DE8F780E706C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{C41762BD-4C09-401B-ABAE-64D71108A59D}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{CB5C47E9-B33A-4479-8687-DE41414D9009}"=""
"{E263F825-357E-4CE3-8EFA-8874C339471C}"=""
"{D7DE6C82-D9A1-45ED-A089-45692372AE61}"=""
"{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}"=""
"{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}"=""
"{F62EA7C7-8506-4A15-A50B-D430D978B773}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C41762BD-4C09-401B-ABAE-64D71108A59D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C41762BD-4C09-401B-ABAE-64D71108A59D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C41762BD-4C09-401B-ABAE-64D71108A59D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C41762BD-4C09-401B-ABAE-64D71108A59D}\InprocServer32]
@="C:\\WINDOWS\\system32\\gnedit.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CB5C47E9-B33A-4479-8687-DE41414D9009}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB5C47E9-B33A-4479-8687-DE41414D9009}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB5C47E9-B33A-4479-8687-DE41414D9009}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB5C47E9-B33A-4479-8687-DE41414D9009}\InprocServer32]
@="C:\\WINDOWS\\system32\\savsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E263F825-357E-4CE3-8EFA-8874C339471C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E263F825-357E-4CE3-8EFA-8874C339471C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E263F825-357E-4CE3-8EFA-8874C339471C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E263F825-357E-4CE3-8EFA-8874C339471C}\InprocServer32]
@="C:\\WINDOWS\\system32\\mjimsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7DE6C82-D9A1-45ED-A089-45692372AE61}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DE6C82-D9A1-45ED-A089-45692372AE61}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DE6C82-D9A1-45ED-A089-45692372AE61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DE6C82-D9A1-45ED-A089-45692372AE61}\InprocServer32]
@="C:\\WINDOWS\\system32\\saftpub.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}\InprocServer32]
@="C:\\WINDOWS\\system32\\tUpi32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}\InprocServer32]
@="C:\\WINDOWS\\system32\\MJC42ENU.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F62EA7C7-8506-4A15-A50B-D430D978B773}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F62EA7C7-8506-4A15-A50B-D430D978B773}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F62EA7C7-8506-4A15-A50B-D430D978B773}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F62EA7C7-8506-4A15-A50B-D430D978B773}\InprocServer32]
@="C:\\WINDOWS\\system32\\izxsap.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 3:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 3:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 5:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 3:52:04p A.... 1,053,696 1.00 M
dfshim.dll Fri Sep 23 2005 7:28:38a A.... 83,456 81.50 K
dxtrans.dll Fri Sep 2 2005 3:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 3:52:04p ..... 55,808 54.50 K
g0220a~1.dll Thu Nov 24 2005 7:54:04a ..S.R 235,890 230.36 K
gdi32.dll Wed Oct 5 2005 7:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 3:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 3:52:04p A.... 96,256 94.00 K
ktr4l7~1.dll Wed Nov 23 2005 8:34:10p ..S.R 235,670 230.14 K
linkinfo.dll Wed Aug 31 2005 5:41:54p A.... 19,968 19.50 K
mscoree.dll Fri Sep 23 2005 7:28:52a A.... 270,848 264.50 K
mscorier.dll Fri Sep 23 2005 7:28:52a A.... 150,016 146.50 K
mscories.dll Fri Sep 23 2005 7:28:52a A.... 74,240 72.50 K
mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 3:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 3:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 3:52:06p A.... 530,432 518.00 K
n84s0i~1.dll Wed Nov 23 2005 7:30:08p ..S.R 236,963 231.41 K
pngfilt.dll Fri Sep 2 2005 3:52:06p A.... 39,424 38.50 K
px.dll Wed Sep 14 2005 11:17:44a ..... 462,848 452.00 K
pxdrv.dll Wed Sep 14 2005 11:17:44a ..... 319,488 312.00 K
pxmas.dll Wed Sep 14 2005 11:17:44a ..... 143,360 140.00 K
pxwave.dll Wed Sep 14 2005 11:17:44a ..... 286,720 280.00 K
quartz.dll Mon Aug 29 2005 7:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 3:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 7:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 3:52:06p A.... 473,600 462.50 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
urlmon.dll Fri Sep 2 2005 3:52:06p A.... 608,768 594.50 K
vxblock.dll Wed Sep 14 2005 11:17:44a ..... 28,672 28.00 K
wininet.dll Fri Sep 2 2005 3:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 5:41:54p A.... 291,840 285.00 K
wrlogo~1.dll Wed Nov 9 2005 11:45:56a A.... 492,544 481.00 K
wrlzma.dll Wed Nov 9 2005 11:45:52a A.... 17,920 17.50 K
__dele~1.dll Thu Nov 24 2005 7:54:04a A.... 235,670 230.14 K

38 items found: 38 files (3 H/S), 0 directories.
Total of file sizes: 26,028,609 bytes 24.82 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Programs
Volume Serial Number is A068-3FAC

Directory of C:\WINDOWS\System32

11/24/2005 07:54 AM 235,890 g0220afoed2c0.dll
11/23/2005 08:34 PM 235,670 ktr4l79q1.dll
11/23/2005 07:30 PM 236,963 n84s0ih7e84.dll
11/23/2005 02:45 PM <DIR> dllcache
11/19/2005 01:39 PM <DIR> Microsoft
3 File(s) 708,523 bytes
2 Dir(s) 22,317,658,112 bytes free

That's a lot of data. So, what do you think is going on here? I wish I knew more about this stuff and I intend to, it's incredibly interesting. I'm such a geek.

Thank you for the help - Please do enjoy your holiday and don't miss it.

Gem curtsies

Edited by Gem, 24 November 2005 - 11:17 AM.

And he said, how can I except some man should guide me? -- Acts 8:31a

#4 Guest_Cretemonster_*

  • Guests

Posted 24 November 2005 - 11:26 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will then ask for a password: enter bye (lowercase), then hit enter.

Your desktop and icons will disappear (this is normal).

L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.

Press any key to reboot.

After the reboot notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.


It's a genuine infestation of the OS by the l2m bug; most of that log indicates the locations in which the bug resides and how it manages to reinfect the system.
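An added triage helper (not part of this thread, nor of L2MFix) that reads a find log like the one pasted above and connects its two halves: the Winlogon\Notify subkeys with the DllName each one makes winlogon.exe load, and the system32 entries carrying the S and R attributes that the fix log later deleted. The allow-list of stock Notify subkeys and the sample log lines are assumptions constructed from the entries shown in this thread.

```python
"""Triage an L2MFix-style find log for Winlogon Notify persistence (added example)."""
import re
from dataclasses import dataclass

# Assumption: allow-list of Winlogon\Notify subkeys a defender keeps for a stock XP box.
KNOWN_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}
NOTIFY_PREFIX = "\\Winlogon\\Notify\\"
SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
DLLNAME_RE = re.compile(r'^"DllName"="(?P<dll>[^"]+)"\s*$')
# One line of the l2mfix file listing: name, timestamp, 5-char attribute column, byte size.
FILE_RE = re.compile(
    r"^(?P<name>\S+\.dll)\s+\w{3} \w{3} \d{1,2} \d{4} [\d:]+[ap]\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)

# Constructed sample built from the thread's log lines, plus one benign Notify entry.
SAMPLE_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktr4l79q1.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINDOWS\\system32\\p0n8la5u1d.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"="wlnotify.dll"
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 3:52:04p A.... 1,019,904 996.00 K
g0220a~1.dll Thu Nov 24 2005 7:54:04a ..S.R 235,890 230.36 K
ktr4l7~1.dll Wed Nov 23 2005 8:34:10p ..S.R 235,670 230.14 K
n84s0i~1.dll Wed Nov 23 2005 7:30:08p ..S.R 236,963 231.41 K
px.dll Wed Sep 14 2005 11:17:44a ..... 462,848 452.00 K
"""


@dataclass
class NotifyEntry:
    subkey: str
    dll: str
    suspicious: bool  # subkey name is not one Windows itself registers


@dataclass
class FileEntry:
    name: str
    attrs: str
    size: int
    hidden_system: bool  # S (system) and R (read-only) set, as on the Look2me payloads


def parse_notify(log: str) -> list[NotifyEntry]:
    """Walk the regedit-format export and pair each Notify subkey with its DllName."""
    entries, current = [], None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            idx = m.group("key").find(NOTIFY_PREFIX)
            current = m.group("key")[idx + len(NOTIFY_PREFIX):] if idx >= 0 else None
            continue
        m = DLLNAME_RE.match(line)
        if m and current:
            dll = m.group("dll").replace("\\\\", "\\")  # undo regedit's doubled backslashes
            entries.append(NotifyEntry(current, dll, current not in KNOWN_NOTIFY_SUBKEYS))
    return entries


def parse_files(log: str) -> list[FileEntry]:
    """Pull the system32 listing lines and decode the attribute column."""
    files = []
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if m:
            attrs = m.group("attrs")
            size = int(m.group("size").replace(",", ""))
            files.append(FileEntry(m.group("name"), attrs, size, "S" in attrs and "R" in attrs))
    return files


def short_name_matches(short: str, full: str) -> bool:
    """Match an 8.3 listing name such as ktr4l7~1.dll against the full name ktr4l79q1.dll."""
    s, f = short.lower(), full.lower()
    if "~" not in s:
        return s == f
    return f.startswith(s.split("~", 1)[0]) and f.endswith(s.rsplit(".", 1)[-1])


def triage(log: str) -> dict:
    """Report unknown Notify hooks, hidden/system DLLs, and which hooks are present on disk."""
    notify, flagged = parse_notify(log), [f for f in parse_files(log) if f.hidden_system]
    # A Notify DLL that is also a hidden/system/read-only file is the reinfection hook:
    # winlogon.exe loads it at every logon. A hook whose file is absent from the listing
    # (p0n8la5u1d.dll here) shows the payload name rotating between reboots.
    linked = [n.dll for n in notify
              if any(short_name_matches(f.name, n.dll.rsplit("\\", 1)[-1]) for f in flagged)]
    return {"suspicious_notify": [n.subkey for n in notify if n.suspicious],
            "hidden_system_dlls": [f.name for f in flagged],
            "notify_dlls_on_disk": linked}


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(f"{key}: {values}")
```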

#5 Gem

  • Topic Starter
  • Members
  • 17 posts
  • Location:Santa Maria, California

Posted 24 November 2005 - 11:52 AM

Alright, here is the l2m log:

Starting Beta Fix 112305
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Setting Directory
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix

Running From:
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 584 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 744 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 308 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\__delete_on_reboot__izxsap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g0220afoed2c0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktr4l79q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n84s0ih7e84.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\__delete_on_reboot__izxsap.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__izxsap.dll
deleting: C:\WINDOWS\system32\g0220afoed2c0.dll
Successfully Deleted: C:\WINDOWS\system32\g0220afoed2c0.dll
deleting: C:\WINDOWS\system32\ktr4l79q1.dll
Successfully Deleted: C:\WINDOWS\system32\ktr4l79q1.dll
deleting: C:\WINDOWS\system32\n84s0ih7e84.dll
Successfully Deleted: C:\WINDOWS\system32\n84s0ih7e84.dll


Zipping up files for submission:
adding: g0220afoed2c0.dll (164 bytes security) (deflated 5%)
adding: ktr4l79q1.dll (164 bytes security) (deflated 5%)
adding: n84s0ih7e84.dll (164 bytes security) (deflated 6%)
adding: __delete_on_reboot__izxsap.dll (164 bytes security) (deflated 5%)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
adding: clear.reg (164 bytes security) (deflated 60%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: 01_report.txt (164 bytes security) (deflated 66%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: flag.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 71%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: sec.txt (164 bytes security) (stored 0%)
adding: test.txt (164 bytes security) (deflated 49%)
adding: test2.txt (164 bytes security) (deflated 42%)
adding: test3.txt (164 bytes security) (deflated 42%)
adding: test5.txt (164 bytes security) (deflated 42%)
adding: xfind.txt (164 bytes security) (deflated 42%)
adding: backregs/1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466.reg (164 bytes security) (deflated 70%)
adding: backregs/A76F4F4F-A3C7-4F0C-A390-E1AF75853758.reg (164 bytes security) (deflated 70%)
adding: backregs/C41762BD-4C09-401B-ABAE-64D71108A59D.reg (164 bytes security) (deflated 70%)
adding: backregs/CB5C47E9-B33A-4479-8687-DE41414D9009.reg (164 bytes security) (deflated 70%)
adding: backregs/D7DE6C82-D9A1-45ED-A089-45692372AE61.reg (164 bytes security) (deflated 70%)
adding: backregs/E263F825-357E-4CE3-8EFA-8874C339471C.reg (164 bytes security) (deflated 70%)
adding: backregs/F62EA7C7-8506-4A15-A50B-D430D978B773.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: __delete_on_reboot__izxsap.dll
deleting local copy: g0220afoed2c0.dll
deleting local copy: ktr4l79q1.dll
deleting local copy: n84s0ih7e84.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktr4l79q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p0n8la5u1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\__delete_on_reboot__izxsap.dll
C:\WINDOWS\system32\g0220afoed2c0.dll
C:\WINDOWS\system32\ktr4l79q1.dll
C:\WINDOWS\system32\n84s0ih7e84.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C41762BD-4C09-401B-ABAE-64D71108A59D}"=-
"{CB5C47E9-B33A-4479-8687-DE41414D9009}"=-
"{E263F825-357E-4CE3-8EFA-8874C339471C}"=-
"{D7DE6C82-D9A1-45ED-A089-45692372AE61}"=-
"{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}"=-
"{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}"=-
"{F62EA7C7-8506-4A15-A50B-D430D978B773}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C41762BD-4C09-401B-ABAE-64D71108A59D}]
[-HKEY_CLASSES_ROOT\CLSID\{CB5C47E9-B33A-4479-8687-DE41414D9009}]
[-HKEY_CLASSES_ROOT\CLSID\{E263F825-357E-4CE3-8EFA-8874C339471C}]
[-HKEY_CLASSES_ROOT\CLSID\{D7DE6C82-D9A1-45ED-A089-45692372AE61}]
[-HKEY_CLASSES_ROOT\CLSID\{A76F4F4F-A3C7-4F0C-A390-E1AF75853758}]
[-HKEY_CLASSES_ROOT\CLSID\{1A97D855-7A34-4AEE-8D9D-DC8D5A7F9466}]
[-HKEY_CLASSES_ROOT\CLSID\{F62EA7C7-8506-4A15-A50B-D430D978B773}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Here is the HJT boot log:

Logfile of HijackThis v1.99.1
Scan saved at 8:50:31 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\ktr4l79q1.dll (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\p0n8la5u1d.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again.
And he said, how can I except some man should guide me? -- Acts 8:31a
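The Winlogon Notify export in the L2MFix log above is where Look2me anchors itself: the "App Management" and "SharedDLLs" subkeys point at randomly named DLLs under system32, while the genuine entries reference bare filenames of Windows' own notification packages, and HijackThis later reports the same entries as "(file missing)" because deleting the DLL does not remove the registry entry that loads it. The following Python triage script is an added example, not part of L2MFix, HijackThis or this thread; the known-good DLL list and the "random-looking name" heuristic are assumptions for this example, and the sample export is constructed from the entries in the log above.

```python
"""Triage a Winlogon Notify registry export (.reg text, as produced by
L2MFix) and flag subkeys whose DllName is not a known Windows notification
package.  Added example for this thread; not code from L2MFix or HijackThis."""
import re

# Notification DLLs shipped with Windows XP, taken from the clean entries of
# the export above.  Assumption for this example: anything else is suspect.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll",
}

NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\")


def decode_reg_value(raw: str) -> str:
    """Decode a .reg value: "string" (backslashes doubled) or
    hex(2):xx,xx,... which is REG_EXPAND_SZ stored as UTF-16LE bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).replace(" ", "").split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text: str) -> dict:
    """Return {subkey_name: {value_name: decoded_value}} for every subkey
    under Winlogon\\Notify.  hex(2) continuation lines (ending in ",\\") are
    joined before parsing, as the .reg format splits long values."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):]
                keys[current] = {}
            else:
                current = None          # the bare Notify key or another hive
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def suspicious_notify_entries(keys: dict) -> list:
    """Return (subkey, dll, reason) for entries that do not look like
    Windows' own notification packages.  Value names are matched
    case-insensitively because the registry is ("DllName" vs "DLLName")."""
    findings = []
    for subkey, values in keys.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in KNOWN_NOTIFY_DLLS:
            continue
        reasons = ["DllName is not a known Windows notification package"]
        if "\\" in dll:
            reasons.append("absolute path (built-in entries use a bare filename)")
        # Heuristic assumption: Look2me names mix letters and digits at random.
        if re.fullmatch(r"[a-z0-9_]{6,}\.dll", basename) and re.search(r"\d", basename):
            reasons.append("random-looking filename")
        findings.append((subkey, dll, "; ".join(reasons)))
    return findings


def file_status(dll_path: str, files_on_disk: set) -> str:
    """Mirror HijackThis' "(file missing)" annotation: a Notify entry whose
    DLL is gone is still live configuration and must itself be removed."""
    present = {f.lower() for f in files_on_disk}
    return "present" if dll_path.lower() in present else "file missing"


# Constructed sample: a trimmed copy of the export posted in the thread above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktr4l79q1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINDOWS\\system32\\p0n8la5u1d.dll"
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for subkey, dll, reason in suspicious_notify_entries(parsed):
        # After L2MFix deleted the DLLs, the entries remained: HJT's "(file missing)".
        print(f"{subkey}: {dll} [{file_status(dll, set())}] -> {reason}")
```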

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 24 November 2005 - 12:24 PM

Please Update SpySweeper and Ewido with the latest definitions.

Configure SpySweeper as such:
  • Click the Sweep Options tab.
  • Under What to Sweep, please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
Once those settings are in place, scan the system with SpySweeper and save that session log for the next post.


Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp


Locate and Delete these 2 folders

C:\WINDOWS\system32\nfomon

C:\WINDOWS\system32\vidmon


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe

O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\ktr4l79q1.dll (file missing)

O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\p0n8la5u1d.dll (file missing)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Now, let's scan with Ewido, but please make sure ALL OTHER WINDOWS and BROWSERS are CLOSED.

Scan the entire System with Ewido-> Clean all it finds and be sure to click the tab to save a report.


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply>>Close>>Follow the Prompts to Restart!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Post back with a fresh HijackThis log and the reports from SpySweeper-> Ewido and Panda

You may need to post the HJT log and SpySweeper log in one post and the Ewido and Panda reports in another, since one post won't hold all that info.

#7 Gem

Gem
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Location:Santa Maria, California

Posted 24 November 2005 - 01:23 PM

I'm here from my laptop and my desktop (the PC involved) is currently at the following step:

Locate and Delete these 2 folders

C:\WINDOWS\system32\nfomon
C:\WINDOWS\system32\vidmon

I have double-checked the above steps and am on track, but the two folders are not visible to me even with the above folder settings. I scanned with HJT and it indicates they are there. I can't post a log without rebooting the desktop with network connections. Please advise.

Gem
And he said, how can I except some man should guide me? -- Acts 8:31a

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 24 November 2005 - 01:38 PM

Don't worry about the 2 folders for now, just run the rest of the fix.

It's possible the folders were already deleted.

We will get them in the next round if they still exist.

#9 Gem

Gem
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Location:Santa Maria, California
  • Local time:03:17 PM

Posted 24 November 2005 - 03:07 PM

Alrighty, here we are!

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:18 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Spy Sweeper Log:

********
9:39 AM: | Start of Session, Thursday, November 24, 2005 |
9:39 AM: Spy Sweeper started
9:39 AM: Sweep initiated using definitions version 574
9:39 AM: Starting Memory Sweep
9:41 AM: Memory Sweep Complete, Elapsed Time: 00:02:04
9:41 AM: Starting Registry Sweep
9:42 AM: Found Adware: icannnews
9:42 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\shareddlls\ (6 subtraces) (ID = 359347)
9:42 AM: Found Adware: delfin
9:42 AM: HKLM\software\vidmon\ (3 subtraces) (ID = 890155)
9:42 AM: Found Adware: dollarrevenue
9:42 AM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
9:42 AM: HKU\S-1-5-21-1004336348-1450960922-682003330-1003\software\vidmon\ (1 subtraces) (ID = 890125)
9:42 AM: Registry Sweep Complete, Elapsed Time:00:00:21
9:42 AM: Starting Cookie Sweep
9:42 AM: Found Spy Cookie: tribalfusion cookie
9:42 AM: vicki mccormick@tribalfusion[1].txt (ID = 3589)
9:42 AM: Found Spy Cookie: zedo cookie
9:42 AM: vicki mccormick@zedo[2].txt (ID = 3762)
9:42 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:42 AM: Starting File Sweep
9:42 AM: c:\documents and settings\all users\application data\vidmon (1 subtraces) (ID = -2147468685)
9:42 AM: c:\windows\system32\vidmon (ID = -2147468683)
9:42 AM: c:\documents and settings\all users\application data\nfo (17 subtraces) (ID = -2147468687)
9:42 AM: c:\windows\system32\nfomon (1 subtraces) (ID = -2147468684)
9:42 AM: Found Adware: look2me
9:42 AM: sncur32.dll (ID = 159)
9:43 AM: Found Trojan Horse: trojan-backdoor-us15info
9:43 AM: tool3.exe (ID = 183857)
9:43 AM: Found Adware: spysheriff
9:43 AM: secure32.html (ID = 184319)
9:43 AM: secure32.html (ID = 184319)
9:44 AM: mon1920.dbd (ID = 57692)
9:44 AM: mon2007.dbd (ID = 57693)
9:45 AM: mon1215.dbd (ID = 57687)
9:48 AM: 538.dfn (ID = 133429)
9:49 AM: tool4.exe (ID = 183857)
9:49 AM: tool5.exe (ID = 183857)
9:49 AM: Found Adware: sexfiles dialers
9:49 AM: dating.lnk (ID = 75396)
9:49 AM: mon0204.ddx (ID = 57680)
9:49 AM: mon0504.ddx (ID = 57680)
9:49 AM: mon0904.ddx (ID = 57684)
9:49 AM: mon0412.ddx (ID = 57680)
9:49 AM: mon0106.ddx (ID = 57679)
9:49 AM: mon0315.ddx (ID = 57680)
9:49 AM: mon1204.ddx (ID = 57680)
9:49 AM: mon1909.ddx (ID = 57684)
9:49 AM: mon1125.ddx (ID = 57685)
9:51 AM: Warning: Invalid Stream
9:51 AM: File Sweep Complete, Elapsed Time: 00:09:24
9:51 AM: Full Sweep has completed. Elapsed time 00:11:57
9:51 AM: Traces Found: 60
9:52 AM: Removal process initiated
9:52 AM: Quarantining All Traces: icannnews
9:52 AM: Quarantining All Traces: look2me
9:52 AM: Quarantining All Traces: spysheriff
9:52 AM: Quarantining All Traces: trojan-backdoor-us15info
9:52 AM: Quarantining All Traces: delfin
9:52 AM: Quarantining All Traces: dollarrevenue
9:52 AM: Quarantining All Traces: sexfiles dialers
9:52 AM: Quarantining All Traces: tribalfusion cookie
9:52 AM: Quarantining All Traces: zedo cookie
9:52 AM: Removal process completed. Elapsed time 00:00:18
********
8:42 PM: | Start of Session, Sunday, November 20, 2005 |
8:42 PM: Spy Sweeper started
8:42 PM: Sweep initiated using definitions version 575
8:42 PM: Starting Memory Sweep
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 PM: Found Adware: look2me
8:43 PM: Detected running threat: C:\WINDOWS\system32\bsotvid.dll (ID = 163672)
8:43 PM: Detected running threat: C:\WINDOWS\system32\hwetwiz.dll (ID = 163672)
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 PM: Memory Sweep Complete, Elapsed Time: 00:02:05
8:44 PM: Starting Registry Sweep
8:45 PM: Found Adware: delfin
8:45 PM: HKCR\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 124839)
8:45 PM: HKCR\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 124840)
8:45 PM: HKLM\software\classes\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}\ (8 subtraces) (ID = 124843)
8:45 PM: HKLM\software\classes\interface\{41700749-a109-4254-af13-be54011e8783}\ (8 subtraces) (ID = 124844)
8:45 PM: HKLM\software\classes\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 124845)
8:45 PM: HKCR\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}\ (9 subtraces) (ID = 124899)
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: Found Trojan Horse: trojan-backdoor-us15info
8:45 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 762897)
8:45 PM: HKLM\software\vidmon\ (3 subtraces) (ID = 890155)
8:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webdp\ (2 subtraces) (ID = 890173)
8:45 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\policies\ || dllname (ID = 911234)
8:45 PM: Found Adware: dollarrevenue
8:45 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
8:45 PM: Found Adware: command
8:45 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
8:45 PM: HKLM\software\microsoft\windows\currentversion\run\ || timessquare (ID = 1004206)
8:45 PM: Found Adware: adtech2005
8:45 PM: HKLM\software\microsoft\windows\currentversion\run\ || adtech2005 (ID = 1005415)
8:45 PM: Found Adware: findthewebsiteyouneed hijacker
8:45 PM: HKU\S-1-5-21-1004336348-1450960922-682003330-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
8:45 PM: HKU\S-1-5-21-1004336348-1450960922-682003330-1003\software\vidmon\ (1 subtraces) (ID = 890125)
8:45 PM: Registry Sweep Complete, Elapsed Time:00:00:23
8:45 PM: Starting Cookie Sweep
8:45 PM: Found Spy Cookie: 2o7.net cookie
8:45 PM: vicki mccormick@2o7[1].txt (ID = 1957)
8:45 PM: Found Spy Cookie: yieldmanager cookie
8:45 PM: vicki mccormick@ad.yieldmanager[1].txt (ID = 3751)
8:45 PM: Found Spy Cookie: adknowledge cookie
8:45 PM: vicki mccormick@adknowledge[2].txt (ID = 2072)
8:45 PM: Found Spy Cookie: specificclick.com cookie
8:45 PM: vicki mccormick@adopt.specificclick[2].txt (ID = 3400)
8:45 PM: Found Spy Cookie: advertising cookie
8:45 PM: vicki mccormick@advertising[2].txt (ID = 2175)
8:45 PM: Found Spy Cookie: ask cookie
8:45 PM: vicki mccormick@ask[1].txt (ID = 2245)
8:45 PM: Found Spy Cookie: atlas dmt cookie
8:45 PM: vicki mccormick@atdmt[1].txt (ID = 2253)
8:45 PM: Found Spy Cookie: delfinproject cookie
8:45 PM: vicki mccormick@delfinproject[2].txt (ID = 2509)
8:45 PM: Found Spy Cookie: clickandtrack cookie
8:45 PM: vicki mccormick@hits.clickandtrack[2].txt (ID = 2397)
8:45 PM: vicki mccormick@msnportal.112.2o7[1].txt (ID = 1958)
8:45 PM: Found Spy Cookie: realmedia cookie
8:45 PM: vicki mccormick@realmedia[2].txt (ID = 3235)
8:45 PM: Found Spy Cookie: trafficmp cookie
8:45 PM: vicki mccormick@trafficmp[1].txt (ID = 3581)
8:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:45 PM: Starting File Sweep
8:45 PM: c:\documents and settings\all users\application data\vidmon (1 subtraces) (ID = -2147468685)
8:45 PM: c:\windows\system32\vidmon (ID = -2147468683)
8:45 PM: c:\windows\system32\nfomon (1 subtraces) (ID = -2147468684)
8:45 PM: c:\documents and settings\all users\application data\nfo (17 subtraces) (ID = -2147468687)
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: f4641ed5-315c-4c48-a803-69c4e9 (ID = 144945)
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: iu41_qcx.dll (ID = 163672)
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: hwetwiz.dll (ID = 163672)
8:46 PM: bsotvid.dll (ID = 163672)
8:46 PM: mb43dmod.dll (ID = 163672)
8:47 PM: Found Adware: apropos
8:47 PM: atmtd.dll._ (ID = 166754)
8:47 PM: tool3[1].txt (ID = 183857)
8:47 PM: tool3.exe (ID = 183857)
8:47 PM: Found Adware: spysheriff
8:47 PM: secure32.html (ID = 184319)
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 PM: secure32.html (ID = 184319)
8:48 PM: wingenerics.dll (ID = 50187)
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: 50625d98-5119-45d8-a909-c7c563 (ID = 144946)
8:48 PM: atmtd.dll (ID = 166754)
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: Found Adware: targetsaver
8:49 PM: tsupdate2[1].ini (ID = 193498)
8:49 PM: mon1920.dbd (ID = 57692)
8:49 PM: mon2007.dbd (ID = 57693)
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: mon1215.dbd (ID = 57687)
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: hrn6055se.dll (ID = 163672)
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: desktop.html (ID = 178574)
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: 538.dfn (ID = 133429)
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: u8ruli9918.dll (ID = 163672)
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 PM: tool4[1].txt (ID = 183857)
8:55 PM: tool4.exe (ID = 183857)
8:55 PM: tool5[1].txt (ID = 183857)
8:55 PM: tool5.exe (ID = 183857)
8:56 PM: Found Adware: sexfiles dialers
8:56 PM: dating.lnk (ID = 75396)
8:56 PM: mon0204.ddx (ID = 57682)
8:56 PM: mon0504.ddx (ID = 57682)
8:56 PM: mon0904.ddx (ID = 57684)
8:56 PM: mon0412.ddx (ID = 57682)
8:56 PM: mon0106.ddx (ID = 57679)
8:56 PM: mon0315.ddx (ID = 57682)
8:56 PM: mon1204.ddx (ID = 57682)
8:56 PM: mon1909.ddx (ID = 57684)
8:56 PM: mon1125.ddx (ID = 57685)
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 PM: File Sweep Complete, Elapsed Time: 00:12:24
8:57 PM: Full Sweep has completed. Elapsed time 00:15:03
8:57 PM: Traces Found: 157
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 PM: Memory Shield: Found: Memory-resident threat look2me, version 1.0.0.0
9:05 PM: Detected running threat: look2me
9:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:36 AM: Your spyware definitions have been updated.
9:37 AM: Processing Startup Alerts
9:37 AM: Allowed Startup entry: HijackThis startup scan
9:37 AM: Processing Internet Explorer Favorites Alerts
9:37 AM: Allowed IE Favorite: BleepingComputer.com (Powered by Invision Power Board)
9:37 AM: Ignoring scheduled sweep: wrSpySweeperTrialSweep
9:39 AM: | End of Session, Thursday, November 24, 2005 |
********
8:41 PM: | Start of Session, Sunday, November 20, 2005 |
8:41 PM: Spy Sweeper started
8:42 PM: Your spyware definitions have been updated.
8:42 PM: | End of Session, Sunday, November 20, 2005 |
And he said, how can I except some man should guide me? -- Acts 8:31a
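The Spy Sweeper session above has three things worth pulling out before deciding anything: the file sweep reports traces by signature ID (the `Found Adware: x` header appears only on the family's first sighting, so the ID is the reliable key), the communication shield keeps blocking the same two hosts, and the memory shield finds look2me running again eight minutes after the sweep said it was complete. The following Python triage, added here as an example and not part of the post or of Spy Sweeper, parses that log format and turns those three facts into findings. The `SAMPLE_LOG` lines are copied verbatim from the session above, but the selection and ordering are a constructed excerpt, not the full log.

```python
"""Triage a Webroot Spy Sweeper session log of the shape posted above.

Every line is "<h:mm AM/PM>: <message>"; the message shapes we care about are
  "<trace> (ID = <n>)"                                      a detection
  "The Spy Communication shield has blocked access to: <host>"
  "Full Sweep has completed. ..."                           end of the sweep
  "Memory Shield: Found: Memory-resident threat <name>, ..." a running component
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt: lines copied from the session above, not the whole log.
SAMPLE_LOG = """\
8:45 PM: Starting File Sweep
8:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 PM: iu41_qcx.dll (ID = 163672)
8:46 PM: hwetwiz.dll (ID = 163672)
8:46 PM: bsotvid.dll (ID = 163672)
8:47 PM: Found Adware: apropos
8:47 PM: atmtd.dll._ (ID = 166754)
8:47 PM: Found Adware: spysheriff
8:47 PM: secure32.html (ID = 184319)
8:51 PM: hrn6055se.dll (ID = 163672)
8:57 PM: File Sweep Complete, Elapsed Time: 00:12:24
8:57 PM: Full Sweep has completed. Elapsed time 00:15:03
8:57 PM: Traces Found: 157
9:05 PM: Memory Shield: Found: Memory-resident threat look2me, version 1.0.0.0
9:05 PM: Detected running threat: look2me
9:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
"""

LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M): (.*)$")
BLOCK_RE = re.compile(r"blocked access to: (\S+)$")
DETECT_RE = re.compile(r"^(.*?) \(ID = (-?\d+)\)$")
MEMORY_RE = re.compile(r"^Memory Shield: Found: Memory-resident threat (\S+),")


def parse(log_text):
    """Single pass over the session, collecting what bears on 'is it really gone?'."""
    blocked = Counter()             # host -> blocked outbound attempts
    hits_by_id = defaultdict(list)  # signature ID -> trace names (ID is stable;
                                    # the 'Found Adware' header is not repeated)
    sweep_done_at = None
    resident = []                   # (timestamp, threat) seen running AFTER the sweep
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        if (b := BLOCK_RE.search(msg)):
            blocked[b.group(1)] += 1
        elif (d := DETECT_RE.match(msg)):
            hits_by_id[int(d.group(2))].append(d.group(1))
        elif msg.startswith("Full Sweep has completed"):
            sweep_done_at = stamp
        elif (r := MEMORY_RE.match(msg)) and sweep_done_at is not None:
            resident.append((stamp, r.group(1)))
    return {"blocked": blocked, "hits_by_id": dict(hits_by_id),
            "sweep_done_at": sweep_done_at, "resident_after_sweep": resident}


def indicators(parsed):
    """Turn the parse into the findings a helper would act on, strongest first."""
    out = []
    for stamp, threat in parsed["resident_after_sweep"]:
        out.append(f"{threat} was found running at {stamp}, after the sweep finished at "
                   f"{parsed['sweep_done_at']}: a live component survived the file sweep")
    for host, n in parsed["blocked"].most_common():
        out.append(f"{n} blocked connection attempts to {host}: something is still calling out")
    for sid, names in sorted(parsed["hits_by_id"].items(), key=lambda kv: -len(kv[1])):
        dlls = sorted({n for n in names if n.lower().endswith(".dll")})
        if len(dlls) >= 3:
            out.append(f"signature {sid} matched {len(dlls)} differently named DLLs "
                       f"({', '.join(dlls)}): random-name dropper, expect new names on reboot")
    return out


if __name__ == "__main__":
    for line in indicators(parse(SAMPLE_LOG)):
        print("-", line)
```

Feed it the full saved session instead of `SAMPLE_LOG` and the counts scale accordingly; the point of the third indicator is that signature 163672 keeps matching fresh names, which is exactly why deleting the DLLs listed in any one log does not end the infection.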

#10 Gem (Topic Starter)

Posted 24 November 2005 - 03:11 PM

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:18:37 AM, 11/24/2005
+ Report-Checksum: AD378A86

+ Scan result:

C:\Documents and Settings\Vicki McCormick\Cookies\vicki mccormick@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix\backup.zip/g0220afoed2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix\backup.zip/ktr4l79q1.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix\backup.zip/n84s0ih7e84.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Desktop\l2mfix\backup.zip/__delete_on_reboot__izxsap.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Vicki McCormick\Local Settings\Temp\Cookies\vicki mccormick@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End

Panda Log:


Incident                   Status           Location
Adware:adware/cws          Not disinfected  C:\Documents and Settings\Vicki McCormick\Favorites\LIVING\Find a Degree.lnk
Virus:Exploit/ByteVerify   Not disinfected  C:\Documents and Settings\Vicki McCormick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e18f163-279a29b0.zip[Matrix.class]

#11 Guest_Cretemonster_*

Posted 24 November 2005 - 03:21 PM

I'm still not convinced all the baddies are gone.

If you don't mind, I'd like to look just a bit deeper inside the system.


Download Pocket KillBox from here:
http://www.atribune.org/downloads/KillBox.exe


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)


Open Pocket Killbox and copy each entry below into it, one at a time

C:\WINDOWS\system32\nfomon

C:\WINDOWS\system32\vidmon

C:\Documents and Settings\Vicki McCormick\Favorites\LIVING\Find a Degree.lnk

C:\Documents and Settings\Vicki McCormick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e18f163-279a29b0.zip



As you paste each entry into Killbox, place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete


From the WinPFind folder -> double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete" -> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart normally and post the contents of the WinPFind scan.
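The Killbox sequence above (unregister the DLL, kill the file or tree, end the Explorer shell while doing it, and fall back to deleting at reboot when a running process still holds the file) maps onto plain Windows APIs. The Python below is an added example of that mapping; it is not part of Cretemonster's instructions and not Killbox's own code. It assumes an elevated command prompt in Safe Mode on the same XP machine, `regsvr32.exe` and `taskkill.exe` on the path, and uses `MoveFileExW` with `MOVEFILE_DELAY_UNTIL_REBOOT`, the kernel facility behind every "delete on reboot" tool (the `__delete_on_reboot__` prefix in the l2mfix backup listed earlier comes from the same idea). The four targets are the ones from the post; `nfomon` and `vidmon` are directories, as the Spy Sweeper log showed. `plan()` takes injectable `exists`/`isdir` callbacks so the decision logic can be checked without touching the disk.

```python
"""Scripted equivalent of the Killbox steps: unregister DLLs, delete files or
trees, and queue anything that is locked for removal at the next boot."""
import ctypes
import os
import shutil
import subprocess

# The four targets from the post, exactly as given.
TARGETS = [
    r"C:\WINDOWS\system32\nfomon",
    r"C:\WINDOWS\system32\vidmon",
    r"C:\Documents and Settings\Vicki McCormick\Favorites\LIVING\Find a Degree.lnk",
    r"C:\Documents and Settings\Vicki McCormick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e18f163-279a29b0.zip",
]

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # MoveFileExW flag: perform at next boot (needs admin)


def plan(paths, exists=os.path.exists, isdir=os.path.isdir):
    """Decide per path before touching anything. exists/isdir are injectable
    so the plan can be exercised offline; defaults use the real filesystem."""
    steps = []
    for p in paths:
        if not exists(p):
            steps.append(("skip-missing", p))
        elif isdir(p):
            steps.append(("deltree", p))               # "Deltree (Include Subdirectories)"
        elif p.lower().endswith(".dll"):
            steps.append(("unregister+delete", p))     # "Unregister .dll before Deleting"
        else:
            steps.append(("delete", p))                # "Standard File Kill"
    return steps


def schedule_delete_on_reboot(path):
    """Register `path` for deletion when the system restarts. A directory is
    only removed this way if it is empty by then; files always are."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if not k32.MoveFileExW(ctypes.c_wchar_p(path), None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def schedule_tree_on_reboot(root):
    """Queue every file, then each directory bottom-up; the pending list is
    processed in order at boot, so children go before their parent."""
    for dirpath, _dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            schedule_delete_on_reboot(os.path.join(dirpath, name))
        schedule_delete_on_reboot(dirpath)


def execute(steps, stop_explorer=False):
    """Carry out the plan; returns (path, outcome) pairs for the log."""
    if stop_explorer:   # "End Explorer Shell while Killing File"
        subprocess.run(["taskkill.exe", "/F", "/IM", "explorer.exe"], check=False)
    results = []
    for action, p in steps:
        if action == "skip-missing":
            results.append((p, "not present"))
            continue
        try:
            if action == "unregister+delete":
                # /u unregister, /s silent; a hostile DLL may stall DllUnregisterServer, so cap it
                subprocess.run(["regsvr32.exe", "/u", "/s", p], timeout=30, check=False)
            if action == "deltree":
                shutil.rmtree(p)
            else:
                os.remove(p)
            results.append((p, "deleted"))
        except OSError:     # PermissionError included: something still has it open
            if action == "deltree":
                schedule_tree_on_reboot(p)
            else:
                schedule_delete_on_reboot(p)
            results.append((p, "scheduled for deletion at reboot"))
    if stop_explorer:
        subprocess.Popen(["explorer.exe"])
    return results


if __name__ == "__main__":
    if os.name != "nt":
        raise SystemExit("Windows only")
    for path, outcome in execute(plan(TARGETS), stop_explorer=True):
        print(f"{outcome:>33}: {path}")
```

Whatever gets queued for reboot lands in `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations`, which is worth reading back before restarting: if the reloader is still running at that point, it can append its own entries or simply re-drop the files under new names after the deletion runs, which is the pattern the Spy Sweeper memory-shield hit above already suggests.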

#12 Gem (Topic Starter)

Posted 25 November 2005 - 03:42 AM

OK, picking up where I left off yesterday, here is my WinPFind log.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 3/31/2003 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/24/2005 11:19:54 PM S 2048 C:\WINDOWS\bootstat.dat
11/23/2005 3:31:50 PM H 24 C:\WINDOWS\p2Yvl
11/19/2005 1:24:48 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
11/24/2005 10:02:10 AM HS 5120 C:\WINDOWS\$NtServicePackUninstall$\Thumbs.db
11/19/2005 4:19:18 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
11/19/2005 4:23:56 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
11/19/2005 4:23:56 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
11/19/2005 6:18:30 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
11/19/2005 6:19:22 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat
11/19/2005 3:58:54 PM S 64 C:\WINDOWS\CSC\00000001
11/19/2005 3:32:52 PM S 64 C:\WINDOWS\CSC\00000002
11/19/2005 1:24:54 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
11/19/2005 1:25:44 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
11/19/2005 2:04:04 PM H 0 C:\WINDOWS\inf\oem0.inf
11/24/2005 11:32:56 AM H 0 C:\WINDOWS\LastGood\INF\oem7.inf
11/24/2005 11:32:56 AM H 0 C:\WINDOWS\LastGood\INF\oem7.PNF
11/19/2005 1:24:54 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
11/19/2005 1:25:18 PM RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
11/19/2005 1:25:18 PM RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
11/19/2005 1:25:18 PM RHS 243124 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
11/19/2005 1:58:04 PM RHS 305145 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_7.cab
11/19/2005 2:00:16 PM RHS 68327 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_8.cab
11/19/2005 1:26:22 PM H 233472 C:\WINDOWS\repair\ntuser.dat
11/19/2005 1:24:48 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
11/19/2005 1:24:54 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
11/19/2005 1:24:48 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
11/19/2005 1:24:48 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
11/19/2005 1:24:48 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
11/19/2005 1:24:54 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
11/19/2005 1:24:48 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 5:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/24/2005 11:20:02 PM H 16384 C:\WINDOWS\system32\config\default.LOG
11/24/2005 11:20:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/24/2005 11:19:56 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
11/24/2005 11:20:34 PM H 86016 C:\WINDOWS\system32\config\software.LOG
11/24/2005 11:20:00 PM H 909312 C:\WINDOWS\system32\config\system.LOG
11/19/2005 5:12:46 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
11/19/2005 5:12:46 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
11/19/2005 4:10:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
11/19/2005 5:14:16 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
11/19/2005 2:04:22 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
11/19/2005 2:04:22 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
11/19/2005 2:04:22 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
11/19/2005 2:04:22 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
11/19/2005 5:14:16 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
11/19/2005 1:25:20 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
11/19/2005 1:25:20 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
11/19/2005 1:25:20 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
11/19/2005 1:24:56 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
11/19/2005 5:14:16 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
11/19/2005 1:26:20 PM HS 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
11/19/2005 1:26:20 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
11/19/2005 1:26:20 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
11/19/2005 1:26:20 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
11/19/2005 1:26:20 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
11/19/2005 3:05:22 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\61560087-e002-4ec4-b67c-099abc6e4d2a
11/19/2005 3:05:22 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11/19/2005 1:39:50 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\76449d05-6ff5-40be-aa1e-679611cccede
11/19/2005 1:39:50 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
11/24/2005 11:18:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT
11/21/2005 8:58:02 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
11/21/2005 8:58:02 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
11/23/2005 2:12:22 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\07WXVE9A\desktop.ini
11/23/2005 2:12:22 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\M9JTNNUM\desktop.ini
11/23/2005 2:12:22 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O5U745M3\desktop.ini
11/23/2005 2:12:22 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y1QZMJQP\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 8/26/2005 6:14:42 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/19/2005 1:26:20 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/19/2005 5:14:16 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/19/2005 1:26:20 PM HS 84 C:\Documents and Settings\Vicki McCormick\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/19/2005 5:14:16 AM HS 62 C:\Documents and Settings\Vicki McCormick\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

Norton Ghost 9.0 C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
HijackThis startup scan C:\Documents and Settings\Vicki McCormick\Desktop\pc maint\HijackThis.exe /startupscan

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 0
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/25/2005 12:02:11 AM
And he said, how can I except some man should guide me? -- Acts 8:31a
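The clean WinPFind log above shows the ten Winlogon\Notify packages that Windows XP SP2 registers itself, and the opening post already pins this infection on winlogon loading a DLL whose name changes at every boot. The script below is an added example, not part of the thread or of WinPFind: it parses a WinPFind-style log, compares each Winlogon\Notify package against that XP baseline (taken verbatim from the clean log above), and also flags any non-empty AppInit_DLLs value. The sample log embedded in it is constructed to mimic WinPFind's layout; the package name xq3hk9pz and the file hypothetical.dll are placeholders, not names from this thread. A hit is a lead, not proof: some legitimate software (smart-card and network-client packages, for example) also registers Notify packages, so check the flagged file's vendor and signature before killing it.

```python
# Added example: triage a WinPFind log for Winlogon\Notify and AppInit_DLLs
# persistence. Not WinPFind's own code; the sample log below is constructed.

# Winlogon\Notify packages Windows XP SP2 registers itself (the ten entries in
# the clean log in this thread). Keys are lower-cased subkey names.
XP_NOTIFY_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
WINDOWS_KEY = ("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
               "\\CurrentVersion\\Windows]")

# Constructed sample in WinPFind's format: two baseline packages, one
# hypothetical random-named package, and a hypothetical AppInit_DLLs value.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xq3hk9pz
= C:\WINDOWS\system32\xq3hk9pz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\system32\hypothetical.dll
"""


def parse_notify(log_text):
    """Return [(subkey, dll)] from the Winlogon\\Notify section.

    WinPFind prints each package as a key line followed by a '= <dll>' line.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        if not line.startswith(NOTIFY_PREFIX):
            continue
        subkey = line[len(NOTIFY_PREFIX):]
        dll = ""
        for nxt in lines[i + 1:]:      # value sits on the next non-blank line
            if nxt:
                dll = nxt.lstrip("=").strip()
                break
        entries.append((subkey, dll))
    return entries


def parse_appinit(log_text):
    """Return the AppInit_DLLs value, or '' when the log shows it unset."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if line == WINDOWS_KEY:
            for nxt in lines[i + 1:]:
                if nxt.startswith("AppInit_DLLs"):
                    return nxt[len("AppInit_DLLs"):].strip()
                if nxt.startswith("["):   # next section: value was absent
                    break
    return ""


def find_suspicious(log_text):
    """Flag Notify packages outside the XP baseline and any AppInit_DLLs."""
    findings = []
    for subkey, dll in parse_notify(log_text):
        expected = XP_NOTIFY_BASELINE.get(subkey.lower())
        if expected is None:
            findings.append(("Winlogon\\Notify\\" + subkey, dll,
                             "not a Windows XP default package"))
        elif expected != dll.lower():
            findings.append(("Winlogon\\Notify\\" + subkey, dll,
                             "expected " + expected))
    appinit = parse_appinit(log_text)
    if appinit:
        findings.append(("Windows\\AppInit_DLLs", appinit,
                         "injected into every process that loads user32.dll"))
    return findings


if __name__ == "__main__":
    for key, value, why in find_suspicious(SAMPLE_LOG):
        print(f"{key} = {value}   <-- {why}")
```

Run it on a saved WinPFind.Txt by replacing SAMPLE_LOG with the file's contents. The baseline is XP SP2 specific; on another Windows version, build it from a known-clean machine of the same build rather than reusing this table.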

#13 Guest_Cretemonster_*

  • Guests

Posted 25 November 2005 - 06:25 AM

Looking much better now, just a little rubbish to deal with.


Open Pocket Killbox and copy each entry below into it, one at a time:

C:\WINDOWS\p2Yvl
C:\WINDOWS\SYSTEM32\drivers\etc\hosts

As you paste each entry into Killbox, place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"


Click the red circle with the white X in the middle to delete.


Please install these 2 to add to the security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know if you have any trouble getting the Hosts file to install properly, and let me know how the PC is running now.

#14 Gem
  • Topic Starter
  • Members
  • 17 posts
  • Location:Santa Maria, California

Posted 25 November 2005 - 12:37 PM

Everything appears clean, wonderfully clean. The system is once again fast. I have Ewido, MS AntiSpyware, NAV, HJT log, and SpySweeper all loading on startup. Should I subscribe to these and leave them, or is this overkill?

This infestation was over my head. I'm on the way out of the house again and did this all in a hurry. I'll post back if something comes up later when I'm re-tweaking the system.

Actually, I had just reformatted my hard drive and there was very little installed on the machine. I installed a questionable zipped file with the motherlode of all nasties and infected the system myself. Yes, I had scanned the file, but it came up clean.

Note to self: After scanning the zip, unzip the zip and scan again, dummy.

Thanks again,

Gem hugs Cretemonster


Gem

#15 Guest_Cretemonster_*

  • Guests

Posted 25 November 2005 - 03:03 PM

One more WinPFind log from Safe Mode, please, to assure we accomplished what we set out to do!

I'd only keep NAV and Microsoft AntiSpyware, but that's just me.


Let's see those WinPFind results and go from there.
