
Another Deluge Of Pop-ups.


This topic is locked
6 replies to this topic

#1 Eqman

Eqman

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 19 February 2006 - 03:49 PM

I've been through the rest, now to try the best. Here are my HijackThis and ewido logs. Thanks for helping.

Logfile of HijackThis v1.99.1
Scan saved at 1:59:05 PM, on 18/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rfduiajk] C:\Program Files\Orki\Drzh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ajktelgb] C:\WINDOWS\ajktelgb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106283407500
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\q8rq0i95e8.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:16:42 PM, 18/02/2006
+ Report-Checksum: 76E6673C

+ Scan result:

[648] C:\WINDOWS\system32\pxofmap.dll -> Adware.Look2Me : Cleaned without backup
[776] C:\WINDOWS\system32\pxofmap.dll -> Adware.Look2Me : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@2o7[2].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@adtech[2].txt -> TrackingCookie.Adtech : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@cz11.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@marthastewart.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned without backup
C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\sean@zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@h.starware[2].txt -> TrackingCookie.Starware : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned without backup
C:\WINDOWS\Temp\Cookies\sean@zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C9IXYV0R\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned without backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C9IXYV0R\send_ocx_sof[2].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned without backup


::Report End


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:44 AM

Posted 23 February 2006 - 04:31 PM

Sorry for the delay in reply - the HJT log analysis forum is busy.

Can you post a fresh HijackThis log using AddReply please, and we'll get started. :thumbsup:
Hi there, stranger!

#3 Eqman

Eqman
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 24 February 2006 - 10:41 PM

Thanks again for taking the time.


Logfile of HijackThis v1.99.1
Scan saved at 8:39:49 PM, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rfduiajk] C:\Program Files\Orki\Drzh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ajktelgb] C:\WINDOWS\ajktelgb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106283407500
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\n86qlij518o.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:44 AM

Posted 25 February 2006 - 04:57 AM

Please download Look2Me-Destroyer to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. :thumbsup:
If you receive a message from your Firewall about this program accessing the Internet, please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Hi there, stranger!
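The entry that gives this infection away in the logs above is the O20 Winlogon Notify line: a DLL in system32 with a random-looking name (q8rq0i95e8.dll in the first log, n86qlij518o.dll in the second, and the second is the file Look2Me-Destroyer later reports as infected). The following is an added example, not code from the thread or from HijackThis or Look2Me-Destroyer: a small HijackThis log parser that flags O4/O20 binaries whose file name looks machine-generated, and that reports sections where an entry was swapped for a different one between two logs (the rotating-DLL behaviour visible above). The randomness heuristic and the sample log excerpts are mine; the excerpts are constructed from lines posted in this thread.

```python
import re
from typing import List, Set, Tuple

# One HijackThis entry, e.g. "O20 - Winlogon Notify: Run - C:\WINDOWS\system32\q8rq0i95e8.dll"
HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First absolute Windows path ending in .dll/.exe; paths may contain spaces, so stop only at a quote
WIN_BINARY = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:dll|exe)", re.IGNORECASE)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every R*/O* line; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def looks_random(filename: str) -> bool:
    """Heuristic (assumption, not a vendor rule): a stem of 8+ chars that mixes letters and digits
    with at least three letter/digit switches, as in q8rq0i95e8 or n86qlij518o."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 8:
        return False
    if not any(c.isdigit() for c in stem) or not any(c.isalpha() for c in stem):
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isalpha() != b.isalpha())
    return switches >= 3


def flag_random_binaries(log: str) -> List[Tuple[str, str]]:
    """Flag O4 (Run) and O20 (Winlogon Notify) entries whose binary has a random-looking name."""
    flagged = []
    for section, body in parse_entries(log):
        if section not in ("O4", "O20"):
            continue
        m = WIN_BINARY.search(body)
        if m and looks_random(m.group(0).rsplit("\\", 1)[-1]):
            flagged.append((section, m.group(0)))
    return flagged


def rotated_sections(old_log: str, new_log: str) -> Set[str]:
    """Sections in which an entry disappeared AND a different one appeared between two logs."""
    old, new = set(parse_entries(old_log)), set(parse_entries(new_log))
    removed = {section for section, _ in old - new}
    added = {section for section, _ in new - old}
    return removed & added


# Constructed excerpts built from lines in the two logs posted above (not full logs).
LOG_A = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ajktelgb] C:\WINDOWS\ajktelgb.exe
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\q8rq0i95e8.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LOG_B = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ajktelgb] C:\WINDOWS\ajktelgb.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\n86qlij518o.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for name, log in (("first log", LOG_A), ("second log", LOG_B)):
        for section, path in flag_random_binaries(log):
            print(f"{name}: {section} binary with random-looking name: {path}")
    print("sections with a swapped entry between logs:", rotated_sections(LOG_A, LOG_B))
```

The heuristic only catches names that interleave letters and digits; letter-only names such as ajktelgb.exe or Drzh.exe in the same logs are not flagged and still need a manual look, which is why the section-rotation check is worth running alongside it: a Winlogon Notify DLL that changes name between two scans a few days apart is a stronger signal than any single file name.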

#5 Eqman

Eqman
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 25 February 2006 - 06:51 PM

Here we go:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:23 PM, on 25/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rfduiajk] C:\Program Files\Orki\Drzh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ajktelgb] C:\WINDOWS\ajktelgb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106283407500
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 25/02/2006 4:42:27 PM

Infected! C:\WINDOWS\system32\n86qlij518o.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031040.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031057.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031067.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031080.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031093.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031108.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031115.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031125.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031126.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031130.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031180.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031188.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031189.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031192.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031193.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031195.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031200.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031204.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031208.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031215.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031218.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031221.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031222.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031224.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031225.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031437.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031438.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031531.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031532.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031538.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031539.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031581.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031582.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031590.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031591.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031601.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031602.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031609.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031616.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031623.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031633.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031634.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031636.dll
Infected! C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP412\A0032623.dll
Infected! C:\WINDOWS\system32\dn4401hqe.dll
Infected! C:\WINDOWS\system32\dnrm0191e.dll
Infected! C:\WINDOWS\system32\n86qlij518o.dll
Infected! C:\WINDOWS\system32\SfmRedir.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\n86qlij518o.dll
C:\WINDOWS\system32\n86qlij518o.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031040.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031040.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031057.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031057.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031067.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031067.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031080.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031080.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031093.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031093.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031108.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031108.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031115.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP402\A0031115.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031125.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031125.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031126.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031126.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031130.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031130.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031180.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031180.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031188.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031188.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031189.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031189.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031192.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031192.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031193.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031193.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031195.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031195.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031200.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031200.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031204.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031204.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031208.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031208.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031215.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031215.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031218.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031218.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031221.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031221.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031222.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031222.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031224.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031224.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031225.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031225.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031437.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031437.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031438.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP403\A0031438.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031531.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031531.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031532.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031532.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031538.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031538.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031539.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP406\A0031539.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031581.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031581.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031582.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031582.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031590.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031590.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031591.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031591.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031601.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031601.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031602.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031602.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031609.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031609.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031616.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031616.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031623.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031623.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031633.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031633.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031634.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031634.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031636.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP411\A0031636.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP412\A0032623.dll
C:\System Volume Information\_restore{B287FC8E-11D9-4F82-8F78-5E71D4D8DE9A}\RP412\A0032623.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dn4401hqe.dll
C:\WINDOWS\system32\dn4401hqe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnrm0191e.dll
C:\WINDOWS\system32\dnrm0191e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n86qlij518o.dll
C:\WINDOWS\system32\n86qlij518o.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\SfmRedir.dll
C:\WINDOWS\system32\SfmRedir.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
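As an added example (not part of the thread or the Look2Me-Destroyer tool), a small Python checker for the log format posted above: it pairs each "Infected!" line with its "Deleted successfully!" line, flags anything left undeleted, separates live system32 copies from System Restore snapshots, and collects the Winlogon Notify entries removed. The embedded log is a constructed excerpt with a placeholder GUID and one deliberately undeleted file, not the log from this thread.

```python
import re
from collections import Counter

# Constructed excerpt in the Look2Me-Destroyer log format posted above
# (sample values, not the thread's log; {GUID} is a placeholder, blank lines
# are dropped, and the last file is left undeleted on purpose for the check).
SAMPLE_LOG = r"""Look2Me-Destroyer V1.0.6
Infected! C:\WINDOWS\system32\n86qlij518o.dll
Infected! C:\System Volume Information\_restore{GUID}\RP402\A0031040.dll
Infected! C:\WINDOWS\system32\dn4401hqe.dll
Infected! C:\WINDOWS\system32\n86qlij518o.dll
Infected! C:\WINDOWS\system32\SfmRedir.dll
Attempting to delete: C:\WINDOWS\system32\n86qlij518o.dll
C:\WINDOWS\system32\n86qlij518o.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{GUID}\RP402\A0031040.dll
C:\System Volume Information\_restore{GUID}\RP402\A0031040.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dn4401hqe.dll
C:\WINDOWS\system32\dn4401hqe.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\SfmRedir.dll
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP
"""

INFECTED_RE = re.compile(r"^Infected!\s+(.+?)\s*$")
DELETED_RE = re.compile(r"^(.+?)\s+Deleted successfully!\s*$")
REGISTRY_RE = re.compile(r"^Removing:\s+(.+?)\s*$")

def parse_log(text):
    """Return (infected paths in log order, deleted paths lowercased, registry keys removed)."""
    infected, deleted, registry = [], set(), []
    for line in text.splitlines():
        line = line.strip()
        if m := INFECTED_RE.match(line):
            infected.append(m.group(1))
        elif m := DELETED_RE.match(line):
            deleted.add(m.group(1).lower())
        elif m := REGISTRY_RE.match(line):
            registry.append(m.group(1))
    return infected, deleted, registry

def summarize(text):
    """Cross-check the log: every reported file should have a matching deletion line."""
    infected, deleted, registry = parse_log(text)
    # The scanner can list the same file twice (it does in the log above);
    # de-duplicate case-insensitively, keeping the first spelling for reporting.
    unique = {}
    for path in infected:
        unique.setdefault(path.lower(), path)
    not_deleted = sorted(p for key, p in unique.items() if key not in deleted)
    # Copies under System Volume Information are System Restore snapshots, not extra live infections.
    where = Counter("restore point" if r"\_restore{" in key else "live system"
                    for key in unique)
    return {
        "reported": len(infected),
        "unique": len(unique),
        "live_copies": where["live system"],
        "restore_point_copies": where["restore point"],
        "not_deleted": not_deleted,
        "registry_entries": registry,
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```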

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:44 AM

Posted 26 February 2006 - 05:33 AM

Ok, next:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Ewido Anti-Malware, it is a free version of the program.
  • Install Ewido Anti-Malware
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.


Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log. :thumbsup:
Hi there, stranger!

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:44 AM

Posted 04 March 2006 - 08:49 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!
