Was Spysheriff And Look2me.. Now.. Something..?


  • This topic is locked
8 replies to this topic

#1 gdd

gdd

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 17 February 2006 - 10:25 PM

Hi there guys! I'm impressed with how you can read the logs and actually know what to do, my eyes blur when I try to decipher it!!
Here is what happened and what I've done, if it helps... in bulletpoints, XD

- SpySheriff installs itself and kills windows' firewall
- I google and find your board's topic http://www.bleepingcomputer.com/forums/How...exe-t22402.html and follow instructions,
At step 7.4 "Choose clean," Ewido only has "remove" so I do that.
At step 10 I don't see Spysheriff to uninstall.
- After restarting Ewido pops up instantly saying to clean these other .dll files. I say yes to them all.
- Windows gives me Coooo21a {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0X00000003 (0X00000000 0X00000000)
- I follow your Preparation Guide http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
I clean files, run spybot and adaware (the online scans didn't work because of lagging for some reason)
Ran Stinger, got ZoneAlarm, I do get Windows Updates but can't turn on their firewall anymore and ran Hijack.
- Fatal Error goes away and a message says "Windows cannot find 'C:\WINDOWS\inet20010\winlogon.exe'" and I think I deleted it because winlogon.exe is actually in the system32 folder
- Read about start-up programs and run msconfig, I stop ibm00001, winsysban9 and winsysupd9 from running on start up.
- Ewido tells me about Infection.Adaware.look2me so I look it up here and find this post http://www.bleepingcomputer.com/forums/ind...42206&hl=amaena and follow pskelly's instructions.
- After Spysweeper things seem to be sweet, no more pop ups and all, but then an error message says Windows Explorer is having problems and needs to shut down. After that Dr Watson Postmortem Debugger also has to shut down.
Actually just now it said Explorer had to shut down but it didn't. GAH! I am confused!

Sorry about that horrendous account!! I tried running Adaware but the system kept freezing with those 2 messages, I can't tell if I still have a bug or if I deleted something important!!

Here is my HijackThis report from just now:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:38 p.m., on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\Ca\order_jsyr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\hrrm0591e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by gdd, 17 February 2006 - 10:36 PM.
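The post above opens by saying the HijackThis log is hard to read. The following is an added example, not part of the original thread and not HijackThis's own logic: a small Python triage script that parses lines in the HijackThis 1.99.1 format and applies a few of the checks a helper would apply by hand when reading such a log. The sample input is a subset of the lines posted above; the heuristics (stale hooks marked "(file missing)", autorun entries launched from a user profile directory, unresolved startup shortcuts, services with no publisher string) are this example's own choices, not a published rule set, and a hit only means "look at this entry", not "this is malware".

```python
import re

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\Ca\order_jsyr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\hrrm0591e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A HijackThis entry is "<type> - <body>", e.g. "O4 - HKLM\..\Run: [Name] path".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")

# The launched file: either a quoted path, or an unquoted drive-letter path ending in a
# file extension (lazy match so the first extension wins, even with spaces in the path).
PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|lnk|html?))', re.IGNORECASE
)


def parse_entry(line):
    """Split one log line into type, body, launched path and the file-missing marker.
    Returns None for lines that are not HijackThis entries (headers, process list)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    path = (pm.group(1) or pm.group(2)) if pm else None
    return {
        "kind": kind,
        "body": body,
        "path": path,
        "file_missing": "(file missing)" in body,
    }


def flag_reasons(entry):
    """Heuristics chosen for this example (hypothetical, not a HijackThis feature).
    Each returned string is a reason a human should look at the entry."""
    reasons = []
    if entry["file_missing"]:
        # A hook whose target is gone: either a scanner removed the file and left the
        # registry entry behind (a stale Winlogon Notify hook can break logon), or the
        # file is being hidden from the scanner. Either way it needs attention.
        reasons.append("points at a file that no longer exists (stale hook)")
    if entry["kind"] == "O4":
        if entry["path"] and "\\documents and settings\\" in entry["path"].lower():
            # Legitimate autoruns normally live under Program Files or the Windows
            # directory; a run entry inside a user profile is worth a second look.
            reasons.append("autorun launched from a user profile directory")
        if entry["body"].rstrip().endswith("= ?"):
            reasons.append("startup shortcut whose target could not be resolved")
    if entry["kind"] == "O23" and "Unknown owner" in entry["body"]:
        reasons.append("service with no publisher string")
    return reasons


def triage(log_text):
    """Run every entry through the heuristics; return only the entries that were flagged,
    in log order, each with its type, launched path, reasons and the original line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry)
        if reasons:
            findings.append(
                {"kind": entry["kind"], "path": entry["path"], "reasons": reasons, "line": line}
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']}: {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample above the script flags five entries: the HKCU run entry under the user's profile, the unresolved hpoddt01.exe.lnk shortcut, the missing hrrm0591e.dll Winlogon Notify hook (the file Spy Sweeper later reports as look2me), and both "Unknown owner" services. The Adobe entry is the caveat: a missing publisher string on its own is weak evidence, which is why the script reports reasons rather than verdicts, and why the Network Monitor service (no owner and file missing) deserves more attention than the Adobe one.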



#2 gdd

gdd
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 17 February 2006 - 10:28 PM

And this is my Spy Sweeper log. I hope I've done it all right, I've been doing things wrong this whole weekend! You can delete this message if you don't need this log...

********
1:22 p.m.: | Start of Session, Saturday, 18 February 2006 |
1:22 p.m.: Spy Sweeper started
1:22 p.m.: Sweep initiated using definitions version 611
1:23 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:23 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:23 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:23 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:23 p.m.: Starting Memory Sweep
1:24 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:24 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:24 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:24 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:25 p.m.: The Spy Communication shield has blocked access to:
1:25 p.m.: The Spy Communication shield has blocked access to:
1:25 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:25 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:25 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:25 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:26 p.m.: Memory Sweep Complete, Elapsed Time: 00:02:59
1:26 p.m.: Starting Registry Sweep
1:26 p.m.: Found Trojan Horse: trojan-backdoor-msdcom32
1:26 p.m.: HKCR\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366335)
1:26 p.m.: HKLM\software\classes\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366355)
1:26 p.m.: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 385950)
1:26 p.m.: The Spy Communication shield has blocked access to:
1:26 p.m.: The Spy Communication shield has blocked access to:
1:27 p.m.: Found Trojan Horse: spamrelayer_alpiok
1:27 p.m.: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exbr (ID = 945548)
1:27 p.m.: Found Adware: cws_secure32.html hijack
1:27 p.m.: HKLM\software\microsoft\internet explorer\main\ || local page (ID = 946024)
1:27 p.m.: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 946025)
1:27 p.m.: HKLM\software\microsoft\internet explorer\main\ || default_page_url (ID = 946027)
1:27 p.m.: Found Adware: command
1:27 p.m.: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
1:27 p.m.: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
1:27 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:27 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:27 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:27 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:27 p.m.: Found Adware: spysheriff
1:27 p.m.: HKU\S-1-5-21-2141412096-702733767-1570645064-1005\software\spysheriff\ (30 subtraces) (ID = 142125)
1:27 p.m.: Found Adware: spywareno! components
1:27 p.m.: HKU\S-1-5-21-2141412096-702733767-1570645064-1005\software\sno2\ (ID = 782236)
1:27 p.m.: HKU\S-1-5-21-2141412096-702733767-1570645064-1005\software\microsoft\internet explorer\main\ || local page (ID = 946022)
1:27 p.m.: HKU\S-1-5-21-2141412096-702733767-1570645064-1005\software\microsoft\internet explorer\main\ || default_page_url (ID = 946026)
1:27 p.m.: Registry Sweep Complete, Elapsed Time:00:01:06
1:27 p.m.: Starting Cookie Sweep
1:27 p.m.: Found Spy Cookie: yieldmanager cookie
1:27 p.m.: narn@ad.yieldmanager[2].txt (ID = 3751)
1:27 p.m.: Found Spy Cookie: adecn cookie
1:27 p.m.: narn@adecn[2].txt (ID = 2063)
1:27 p.m.: Found Spy Cookie: adknowledge cookie
1:27 p.m.: narn@adknowledge[2].txt (ID = 2072)
1:27 p.m.: Found Spy Cookie: hbmediapro cookie
1:27 p.m.: narn@adopt.hbmediapro[2].txt (ID = 2768)
1:27 p.m.: Found Spy Cookie: belnk cookie
1:27 p.m.: narn@belnk[1].txt (ID = 2292)
1:27 p.m.: narn@dist.belnk[2].txt (ID = 2293)
1:27 p.m.: Found Spy Cookie: paypopup cookie
1:27 p.m.: narn@paypopup[1].txt (ID = 3119)
1:27 p.m.: narn@popunder.paypopup[1].txt (ID = 3120)
1:27 p.m.: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:27 p.m.: Starting File Sweep
1:27 p.m.: c:\program files\network monitor (ID = -2147459771)
1:28 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:28 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:28 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:28 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:30 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:30 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:30 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:30 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:31 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:31 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:31 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:31 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:32 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:32 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:32 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:32 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:33 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:33 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:33 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:33 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:34 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:34 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:34 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:34 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:35 p.m.: Found Adware: spysheriff fakealert
1:35 p.m.: secure32.html (ID = 184319)
1:36 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:36 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:36 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:36 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:37 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:37 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:37 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:37 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:38 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:38 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:38 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:38 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:39 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:39 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:39 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:39 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:40 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:40 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:40 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:40 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:41 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:41 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:41 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:41 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:42 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:42 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:42 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:42 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:43 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:44 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:45 p.m.: uninstall_nmon.vbs (ID = 231442)
1:45 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:45 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:46 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:47 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:47 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:47 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:47 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:48 p.m.: Found Trojan Horse: trojan-backdoor-us15info
1:48 p.m.: tool4.exe (ID = 183857)
1:48 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:48 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:49 p.m.: Found Adware: look2me
1:49 p.m.: hrrm0591e.dll (ID = 159)
1:49 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:49 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:50 p.m.: pedx5032.dll (ID = 159)
1:51 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:51 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:52 p.m.: __delete_on_reboot__mjpistub.dll (ID = 159)
1:52 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:52 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:53 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:54 p.m.: j86m0ij1e8o.dll (ID = 159)
1:55 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:55 p.m.: dovvox.dll (ID = 159)
1:55 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:55 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:56 p.m.: kzh.vbs (ID = 185675)
1:56 p.m.: Found System Monitor: potentially rootkit-masked files
1:56 p.m.: sysbus32.sys (ID = 0)
1:56 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:56 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:57 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:58 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:59 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:00 p.m.: File Sweep Complete, Elapsed Time: 00:32:52
2:00 p.m.: Full Sweep has completed. Elapsed time 00:37:46
2:00 p.m.: Traces Found: 82
2:00 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:00 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:00 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:00 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:00 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:00 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:00 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:01 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:01 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:01 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:01 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:01 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:02 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:03 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:04 p.m.: Removal process initiated
2:04 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:04 p.m.: Quarantining All Traces: look2me
2:04 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:04 p.m.: look2me is in use. It will be removed on reboot.
2:04 p.m.: hrrm0591e.dll is in use. It will be removed on reboot.
2:04 p.m.: __delete_on_reboot__mjpistub.dll is in use. It will be removed on reboot.
2:04 p.m.: j86m0ij1e8o.dll is in use. It will be removed on reboot.
2:04 p.m.: Quarantining All Traces: potentially rootkit-masked files
2:04 p.m.: potentially rootkit-masked files is in use. It will be removed on reboot.
2:04 p.m.: sysbus32.sys is in use. It will be removed on reboot.
2:04 p.m.: Quarantining All Traces: spamrelayer_alpiok
2:04 p.m.: Quarantining All Traces: spysheriff fakealert
2:04 p.m.: Quarantining All Traces: trojan-backdoor-msdcom32
2:04 p.m.: Quarantining All Traces: trojan-backdoor-us15info
2:04 p.m.: Quarantining All Traces: command
2:04 p.m.: Quarantining All Traces: cws_secure32.html hijack
2:04 p.m.: Quarantining All Traces: spysheriff
2:04 p.m.: Quarantining All Traces: spywareno! components
2:04 p.m.: Quarantining All Traces: adecn cookie
2:04 p.m.: Quarantining All Traces: adknowledge cookie
2:04 p.m.: Quarantining All Traces: belnk cookie
2:04 p.m.: Quarantining All Traces: hbmediapro cookie
2:04 p.m.: Quarantining All Traces: paypopup cookie
2:04 p.m.: Quarantining All Traces: yieldmanager cookie
2:04 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:04 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:05 p.m.: Removal process completed. Elapsed time 00:01:28
2:05 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
2:05 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
********
1:18 p.m.: | Start of Session, Saturday, 18 February 2006 |
1:18 p.m.: Spy Sweeper started
1:20 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:20 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:20 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:20 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:21 p.m.: Your spyware definitions have been updated.
1:22 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:22 p.m.: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
1:22 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:22 p.m.: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
1:22 p.m.: | End of Session, Saturday, 18 February 2006 |

#3 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  • Gender:Male
  • Location:Liverpool
  • Local time:02:24 PM

Posted 22 February 2006 - 06:07 AM

Hi and welcome to Bleeping. :thumbsup:

Thank you for the detailed account, it's been most helpful.

SpySweeper has confirmed what I suspected once I started reading your account, and that is that a rootkit is involved here, causing the system instability. We'd better check that it's successfully been removed by SpySweeper first.


You MUST have Admin privileges on your user account for the following fix to work.

If you don't, please boot into Safe Mode and access the Administrator account and then proceed.


Go to Start > Run and paste the following commands into the Run box one after the other:

sc stop sysbus32
sc delete sysbus32


Then go to Start and right-click on My Computer and select Properties.

Click Hardware > Device Manager

Once the Device Manager Opens, click View > Show Hidden Devices.

Scroll down the list and expand or double-click "Non-Plug and Play Drivers"

Scroll down that list and find "32bit System Bus Driver"

Right-click it and select Uninstall.

Then use Windows Explorer to check that this file is no longer present:

C:\WINDOWS\system32\drivers\sysbus32.sys

If still there, right-click it and delete.

Then reboot the machine and run the following online virus scan with Internet Explorer (saving the scan report when complete):

Panda ActiveScan
  • Once on the Panda site click the Scan your PC button and then the Check Now button on the next screen.
  • Enter your details in the required fields.
  • Then click the big Scan Now button.
  • Allow the Active X component to install and download the necessary files. (Note: It may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan.
  • Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Then post the following:
  • New HijackThis log.
  • Online scan results.
  • How the machine is running.
Then we'll get to work on anything left. :flowers:

Keeping Track of Your Topic
  • Please subscribe to this thread by clicking 'Track this topic' at the top of the thread.
  • Enable email notification to subscribed threads via the My Control Panel link above.
  • Keep ALL future replies in this thread please.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#4 gdd

gdd
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 25 February 2006 - 06:53 AM

Hey John! Thanks for analysing my log!!
The 32 bit system bus driver and sysbus were not there to uninstall, so perhaps ewido removed them or something? But I kept cleaning till SpySweeper had no errors to report!

Active scan had one thing to report:


Incident Status Location

Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq

And my hijackthis log is here:

Logfile of HijackThis v1.99.1
Scan saved at 10:34:56 p.m., on 25/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\hrrm0591e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Things seem to be running ok now! I know you guys are busy so I can wait for more advice, the main thing I see is that I have a few files missing according to hijackthis... namely
C:\WINDOWS\system32\hrrm0591e.dll and
C:\Program Files\Network Monitor\netmon.exe
Maybe I wasn't supposed to remove them if ewido had asked me to... if I don't get a reply I'll assume I don't really need those files, haha! And thank you SO much for this whole forum! It's helped a lot, <3

#5 John_McKenna

Posted 26 February 2006 - 04:28 AM

Unfortunately, HijackThis cannot be trusted where (file missing) is concerned unless the entry is an O2 or O3 entry in your log. Sometimes the program just can't see the file in question.

The O20 entry is a sign of Look2Me adware so we'll run a check on this to ensure it's gone.

First of all though, run HijackThis again and place a checkmark before the following two entries:

O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\hrrm0591e.dll (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


Close ALL other windows and click Fix Checked.

If SpySweeper questions these changes to your registry, please allow them.


Then use Windows Explorer to locate and delete this folder:

C:\Program Files\Network Monitor\

You may need to configure Windows to Show all hidden files & folders first.


Then download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
  • If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
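As an added example (not code from the thread, from HijackThis, SpySweeper or Look2Me-Destroyer), here is a PowerShell audit covering the leftovers John's two posts above deal with: the driver service and its .sys file (the thread's sysbus32), Winlogon Notify entries (HijackThis O20) whose DLL is gone, and services (O23) whose binary is gone. It assumes PowerShell 3.0 or later in an elevated session; the driver name and file locations are the defaults taken from the thread, and the unquoted-path handling in step 3 is a heuristic.

```powershell
# Added example, not from the thread or any tool it names.
# Audits three persistence leftovers on a Windows machine:
#   1. a kernel driver service and its .sys file ("sysbus32" in the thread),
#   2. Winlogon Notify packages (HijackThis O20) whose DLL is missing,
#   3. services (HijackThis O23) whose image binary is missing.
# Assumes PowerShell 3.0+ in an elevated session. Defaults below come from the thread.
param(
    [string[]]$DriverNames = @('sysbus32'),
    [string]$DriverDir = (Join-Path $env:SystemRoot 'system32\drivers')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Name, [string]$Path, [string]$Status) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Path = $Path; Status = $Status })
}

# 1. Driver service registration (what "sc delete" removes) and the file on disk.
foreach ($name in $DriverNames) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $svcKey) { Add-Finding 'DriverService' $name $svcKey 'still registered' }
    $sysFile = Join-Path $DriverDir "$name.sys"
    if (Test-Path $sysFile) { Add-Finding 'DriverFile' $name $sysFile 'still on disk' }
}

# 2. Winlogon Notify packages. DllName is often a bare file name resolved from system32.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    foreach ($key in Get-ChildItem $notifyRoot) {
        $dll = (Get-ItemProperty -Path $key.PSPath).DllName
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path (Join-Path $env:SystemRoot 'system32') $dll
        }
        if (-not (Test-Path -LiteralPath $dll)) {
            Add-Finding 'WinlogonNotify' $key.PSChildName $dll 'DLL missing (dangling O20 entry)'
        } elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') {
            Add-Finding 'WinlogonNotify' $key.PSChildName $dll 'DLL present but not validly signed'
        }
    }
}

# 3. Services whose image path points at a file that no longer exists.
# PathName may be quoted with arguments, or unquoted with spaces (as with
# "C:\Program Files\Network Monitor\netmon.exe" in the thread); take the quoted
# part if present, otherwise everything up to the first ".exe" (heuristic).
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $pathName = $svc.PathName
    if (-not $pathName) { continue }
    if ($pathName -match '^\s*"([^"]+)"')     { $exe = $Matches[1] }
    elseif ($pathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    else                                       { $exe = $pathName.Trim() }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        Add-Finding 'Service' $svc.Name $exe 'binary missing (dangling O23 entry)'
    }
}

# Caveat the thread raises: a kernel-mode rootkit that hides files also hides them
# from Test-Path, so a clean result is only meaningful after the rootkit driver
# itself has been removed (step 1 above) and the machine rebooted.
if ($findings.Count -eq 0) { 'No leftover driver, Winlogon Notify or service entries found.' }
else { $findings | Format-Table -AutoSize }
```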

#6 gdd

Posted 26 February 2006 - 06:03 AM

I fixed O20 and O23 but couldn't find the C:\Program Files\Network Monitor\ folder to delete, even with hidden files shown, but here are the logs! Do you think I'm in the clear yet? XD <3

Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 27/02/2006 12:11:52 a.m.


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 12:23:30 a.m., on 27/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Edited by gdd, 26 February 2006 - 06:26 AM.


#7 John_McKenna

Posted 26 February 2006 - 03:27 PM

Other than this entry below which I forgot to ask you to delete, everything appears to be in order.

C:\WINDOWS\uniq

How's the machine running now?

#8 gdd

Posted 27 February 2006 - 06:11 AM

AAAH! It's running just like it was before! HOORAY!! Thank you so much John! You are wonderful and wow I want your brain! XD <3 I am so happy I found this forum, I thought I would have to do ridiculous reinstalling and spending to get it sorted but you helped me and so many others out of niceness and in your own time, wow, so cool!! THANK YOU SO MUCH!! I think I've learned a little bit too, haha!

#9 John_McKenna

Posted 27 February 2006 - 07:51 AM

Glad I could help. :thumbsup:


Everything appears to be in order so I guess we can wrap things up for the time being.

Let me know if the problems return.

Now that you're clean again, please follow these simple steps to keep yourself safe and secure in the future.


Re-enable Your Protection

If asked to reveal your hidden system files and folders during the course of the fix, please rehide those now by reversing the steps here.

Please also re-enable the real-time protection for any anti-spyware programs I asked you to disable before proceeding with the fix.


Disable and Re-enable System Restore to Flush Infected Restore Points

If you are using Windows ME or XP, you should disable and re-enable system restore to make sure there are no infected files found in your restore points.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

or

Managing Windows Millennium System Restore

Re-enable System Restore with instructions from the tutorial above and create a new Restore point.


Block Access to Untrustworthy Sites

You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.


Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet



Safe Surfing

JM :flowers:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.