Pop-ups (including Yyy65 + More) Not Going Away =(


  • This topic is locked
6 replies to this topic

#1 AznSnzation

AznSnzation

  • Members
  • 18 posts

Posted 22 February 2006 - 04:10 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:10:11 AM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis.exe

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\e6202gfmg62a2.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 February 2006 - 10:29 AM

Hello,

Did you fix entries in HijackThis yourself???
Please don't, because it's not all bad! A lot of those entries are legit. If you did, please use the backup option in HijackThis to restore all those entries again, because it seems like you also disabled your antivirus there.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Remover re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AznSnzation


Posted 24 February 2006 - 02:06 AM

Hi miekiemoes,

First of all, thank you for replying... your help is very much appreciated, hehe. =)

Anyways, I downloaded the Look2Me-Destroyer.exe and ran it but a "l2mRem" window came up and said "Component 'mswinsck.ocx' or one of its dependencies not correctly registered: a file is missing or invalid"

So, I know this is bad, but a couple days ago I accidentally deleted all of my backups in HijackThis, including things that weren't bad. =/ I have a feeling that this has something to do with the Look2Me-Destroyer.exe not being able to work. I looked on other forums and other people were able to get rid of the look2me virus through a different "l2mfix" program, but I wasn't able to. I think this is because of me not having any backups.

Am I totally screwed now or is there hope? =/

#4 miekiemoes


Posted 24 February 2006 - 08:14 AM

Hi AznSnzation,

Did you read my entire previous post? There it says how to fix the missing mswinsck.ocx. That is why it is important you read all the instructions. :thumbsup:

#5 AznSnzation


Posted 25 February 2006 - 03:46 AM

Hey miekiemoes!

Awesome... I haven't gotten pop-ups since running that Look2Me-Destroyer.exe - thanks for all your help. I have a good feeling that my computer's virus-free, hehe. My bad for not carefully reading your instructions, oops.

Anyways, here's the Look2Me-Destroyer.txt and a new HijackThis log...


Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/25/2006 12:07:54 AM

Infected! C:\WINDOWS\system32\mv0ml9d11.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001655.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001663.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001674.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001675.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001683.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001698.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001746.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001751.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001752.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001758.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001759.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001764.dll
Infected! C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001765.dll
Infected! C:\WINDOWS\system32\hr0605dse.dll
Infected! C:\WINDOWS\system32\hr2605fse.dll
Infected! C:\WINDOWS\system32\hr4605hse.dll
Infected! C:\WINDOWS\system32\im50_32.dll
Infected! C:\WINDOWS\system32\mv0ml9d11.dll
Infected! C:\WINDOWS\system32\o0480ahued480.dll
Infected! C:\WINDOWS\system32\tUembed.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mv0ml9d11.dll
C:\WINDOWS\system32\mv0ml9d11.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001655.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001655.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001663.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001663.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001674.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001674.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001675.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001675.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001683.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001683.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001698.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001698.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001746.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001746.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001751.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001751.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001752.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001752.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001758.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001758.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001759.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001759.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001764.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001764.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001765.dll
C:\System Volume Information\_restore{39BF88CD-63F2-4A02-B160-41271A5C07BB}\RP20\A0001765.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr0605dse.dll
C:\WINDOWS\system32\hr0605dse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr2605fse.dll
C:\WINDOWS\system32\hr2605fse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr4605hse.dll
C:\WINDOWS\system32\hr4605hse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\im50_32.dll
C:\WINDOWS\system32\im50_32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mv0ml9d11.dll
C:\WINDOWS\system32\mv0ml9d11.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o0480ahued480.dll
C:\WINDOWS\system32\o0480ahued480.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tUembed.dll
C:\WINDOWS\system32\tUembed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





Logfile of HijackThis v1.99.1
Scan saved at 12:44:50 AM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.imdb.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Hopefully everything's all clean... =)

#6 miekiemoes


Posted 25 February 2006 - 07:00 AM

Hello,

Yes, it looks clean again.

I recommend you reinstall your antivirus since you deleted entries yourself previously and deleted the backups.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your PC, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :thumbsup:

#7 miekiemoes


Posted 27 February 2006 - 06:32 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.