
Viruses And Adware Out The....


4 replies to this topic

#1 YourSweet666

YourSweet666

  • Members
  • 17 posts
  • OFFLINE
  • Location:Pequannock NJ
  • Local time:06:12 PM

Posted 07 March 2006 - 03:43 PM

I really need help. I have my computer on for 5 minutes and there's like 20 windows of ads; nothing will get rid of it. I need help BADLY.

And on a side note: I have this folder in my Documents and Settings supposedly called "complete", but I can't find it, and it's got a whole bunch of programs that downloaded themselves onto my computer through something I downloaded on LimeWire. If anyone knows how to delete this folder, it would be a GREAT help.

*EDIT*
Never mind, I found and deleted that folder, so that's not a problem any more. But I still need help with all this adware and crap on my computer.
* END EDIT*

Logfile of HijackThis v1.99.1
Scan saved at 3:29:00 PM, on 3/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\lreobeb.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dgfgql.exe
C:\WINDOWS\system32\lwinorag.exe
C:\WINDOWS\lreobebA.exe
C:\windows\rlvknlg.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\klsx9e.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\dwdsregt.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Rile 'Danimee\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [WinUpdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [{DA-A3-33-34-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinorag.exe CORN001
O4 - HKLM\..\Run: [lreobebA] C:\WINDOWS\lreobebA.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\rlvknlg.exe -boot
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinorag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qndsregl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137884218109
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - AppInit_DLLs: repairs303169536.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\j86mlij118o.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lreobeb.exe

Edited by YourSweet666, 07 March 2006 - 03:51 PM.



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:12 AM

Posted 08 March 2006 - 04:30 AM

Hello YourSweet666, and welcome to BleepingComputer,

We'll try to help you out, just give us some time to study your log.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:12 AM

Posted 08 March 2006 - 10:06 AM

Hello YourSweet666,

Please follow these instructions very carefully, and in the specified order (very important!).

1. Please disable the Microsoft Anti-Spyware real-time protection, since it might interfere with the fix:
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  • Click on Security Agents Status.
  • Click on Disable real-time protection.
  • Next, open Microsoft Anti-Spyware.
  • Click on the Options menu, then Settings.
  • Select Real Time Protection from the left column.
  • Uncheck Enable (MSAS) Security Agents and Enable real-time spyware threat protection.
  • Click the Save button.
  • Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.
You can re-enable it once your system is clean.

Disable a² Guard for the same reason:
  • Run a² Guard via the Start menu > Programs > a² > a² Guard.
  • Open the options in a² and uncheck the box "Run at system startup".
2. Please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.
Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.

In the "Scriptline to execute" field, copy and paste c:\bfu\p2pnetwork.bfu
Press Execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

3. Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

4. Go to Start > Settings > Control Panel > Software, and by using Add/Remove Programs remove, if found:
  • Surf SideKick 3
  • ZenoSearch
  • WinAntiVirus Pro 2006
  • QuickLinks
  • Viewpoint
  • Relevantknowledge
  • MaxSearch
  • Yield Manager
  • New.net or NewDotNet

The last one is a special one, and may not be present in the Software list.
If it isn't, see if, using Windows Explorer, you can find an uninstaller in the folder C:\Program Files\NewDotNet. The uninstaller will be called uninstallX_XX.exe, where the X's stand for numbers.
If not, look in C:\Windows or C:\Winnt; there it will be called NDNuninstallX_XX.exe.

If you still haven't found it, you can use this uninstaller: uninstall6_90.exe.
After removal, you may be prompted to reboot. Please reboot even if not prompted.
However, before using this last means, please download WinsockXPFix and LSP-Fix.
If you can not connect to the Internet after removing New.net, please run the WinsockXPFix program I had you download earlier.
If you still can not connect to the Internet, please run the LSP-Fix program, and click on the Finish button. Reboot and you should be able to get back on.

5. Reboot your computer.

6. I also notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or Avast!
Please pick one, install and update it now.
Run a full system scan and let it remove any malware it finds.

7. Reboot your computer.

8. Please post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log.

Greetings,
BMThor

#4 YourSweet666

YourSweet666
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Location:Pequannock NJ
  • Local time:06:12 PM

Posted 09 March 2006 - 03:19 PM

Look2Me-Destroyer V1.0.5

Scanning for infected files.....
Scan started at 3/8/2006 10:21:44 PM

Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0038346.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0038350.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039353.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039363.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039367.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039491.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039500.dll
Infected! C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039504.dll
Infected! C:\WINDOWS\system32\e6200gfme62a0.dll
Infected! C:\WINDOWS\system32\fp4o03h3e.dll
Infected! C:\WINDOWS\system32\q0860alsedq60.dll
Infected! C:\WINDOWS\system32\r08s0al7edq.dll
Infected! C:\WINDOWS\system32\sgdocvw.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0038346.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0038346.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0038350.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0038350.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039353.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039353.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039363.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039363.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039367.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP122\A0039367.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039491.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039491.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039500.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039500.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039504.dll
C:\System Volume Information\_restore{0505C0D0-AD04-4CCA-9F53-21E10CFE85E6}\RP124\A0039504.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\e6200gfme62a0.dll
C:\WINDOWS\system32\e6200gfme62a0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp4o03h3e.dll
C:\WINDOWS\system32\fp4o03h3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q0860alsedq60.dll
C:\WINDOWS\system32\q0860alsedq60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r08s0al7edq.dll
C:\WINDOWS\system32\r08s0al7edq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sgdocvw.dll
C:\WINDOWS\system32\sgdocvw.dll Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{28A789A2-01C1-4392-A75D-C988C8CB0649}"
HKCR\Clsid\{28A789A2-01C1-4392-A75D-C988C8CB0649}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FA046E2C-7A93-4D24-A500-65157D79D3D1}"
HKCR\Clsid\{FA046E2C-7A93-4D24-A500-65157D79D3D1}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 3:16:12 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Rile 'Danimee\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinorag.exe CORN001
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinorag.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137884218109
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: Run- - C:\WINDOWS\system32\fp4o03h3e.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lreobeb.exe (file missing)

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:12 AM

Posted 10 March 2006 - 12:43 PM

Hello YourSweet666,

That seems to have taken care of the worst malware :thumbsup:
Now to get rid of the rest:

1. Download and install CCleaner - basic
Do not use the program at this time.

2. Please download, install, and update the NEW free version of Ewido anti-malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. DO NOT RUN IT YET!
3. Reconfigure Windows XP to show hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View tab.
  • Under the Hidden files and folders heading select "Show hidden files and folders".
  • Uncheck the Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes to confirm. Click OK.
4. Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode (without Internet connection).

5. Run HijackThis and check the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinorag.exe CORN001
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinorag.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - Winlogon Notify: Run- - C:\WINDOWS\system32\fp4o03h3e.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lreobeb.exe (file missing)

Close all open windows EXCEPT HIJACKTHIS and click Fix Checked. Close HijackThis.

6. Go to Windows Explorer, find and, if still present, delete these files/folders (in bold):
  • C:\keyboard1.exe
  • C:\WINDOWS\System32\sndcfg16.exe
  • C:\WINDOWS\system32\lwinorag.exe
  • C:\WINDOWS\system32\wdc1n.dll
7. Run CCleaner, click the Windows tab and select the following:
  • Internet Explorer: Temp Internet, History, Recently Typed URLs, Delete Index.dat files
  • System: Empty Recycle Bin, Temporary Files, Memory Dumps, Chkdsk File Fragments, Old Prefetch Data
Next: click Options, click the Settings tab.
Uncheck "Only delete files older than 48 hrs.", click OK.
Then click Run Cleaner (bottom right), then Exit.
8. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • Let ewido remove anything it finds.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
9. Reboot your PC.

10. Please run Panda's ActiveScan. Once you are on the Panda site, click the Scan your PC button.
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Discs to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
If possible, save the log or copy the results, so we can have a look at what might not be removed as yet.

11. Run HijackThis again and post a fresh log, as well as the log from ewido and Panda.

Greetings,
BMThor
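The entries Thunder singles out in step 5, and the differences between the HijackThis logs in posts #1 and #4, follow a handful of recognisable patterns: a browser start or search page pointing at an unfamiliar domain, O4 Run entries whose command has no full path or sits directly in the drive root, O15 Trusted Zone additions, O10 LSP hijacks, O18 MIME filters, O20 AppInit_DLLs / Winlogon Notify hooks, O23 services with an unknown owner, and entries that still reference a file that is gone. The Python script below is an added example, not part of the thread and not HijackThis code; it encodes those patterns as triage rules and compares a before/after log. The allow-lists of domains and vendors, and the sample lines (a subset copied from the two posted logs), are assumptions made for the example.

```python
"""Triage rules for HijackThis v1.99.1 log lines, plus a before/after comparison.

Added example (not from the thread or from HijackThis). The rules mirror what a
helper looks for when reading a log; ALLOWED_DOMAINS and KNOWN_VENDORS are
assumptions made for this example, not a vetted list.
"""
import re

# Every HijackThis entry starts with a section tag: "R0 - ...", "O4 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

ALLOWED_DOMAINS = {"microsoft.com", "windowsupdate.com"}  # assumed for this example
KNOWN_VENDORS = {"Adobe Systems", "ATI Technologies Inc.", "Apple Computer, Inc.",
                 "Analog Devices, Inc.", "Cypherix", "Macrovision Corporation",
                 "GRISOFT, s.r.o."}  # assumed: vendors expected on this machine


def registrable_domain(url):
    """'http://*.winfixer.com' -> 'winfixer.com'; 'http://searchbar.x.com' -> 'x.com'."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0]
    parts = [p for p in host.split(".") if p and p != "*"]
    return ".".join(parts[-2:])


def triage(line):
    """Return the reasons one log line deserves a closer look ([] = nothing flagged)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("references a file that is no longer present (orphaned registration)")
    if section in ("R0", "R1") and "=" in body:
        dom = registrable_domain(body.split("=", 1)[1])
        if dom and dom not in ALLOWED_DOMAINS:
            reasons.append("browser start/search page points at " + dom)
    elif section == "O4":
        cmd = re.search(r"\]\s*(.*)$", body)  # "[name] command" form of Run entries
        if cmd and cmd.group(1).strip():
            target = cmd.group(1).strip().strip('"')
            if not re.match(r"^[A-Za-z]:\\", target):
                reasons.append("Run entry without a full path: " + target.split()[0])
            elif re.match(r"^[A-Za-z]:\\+[^\\]+\.exe$", target, re.I):
                reasons.append("executable sits directly in the drive root: " + target)
    elif section == "O10":
        reasons.append("Winsock LSP inserted into the network stack")
    elif section == "O15":
        dom = registrable_domain(body.split(":", 1)[-1])
        if dom not in ALLOWED_DOMAINS:
            reasons.append("Trusted Zone lowers IE security for " + dom)
    elif section == "O18" and body.startswith("Filter:"):
        reasons.append("MIME filter can rewrite every page of that content type")
    elif section == "O20":
        reasons.append("DLL loaded into every process (AppInit_DLLs) or at logon (Winlogon Notify)")
    elif section in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed BHO/toolbar")
    elif section == "O23":
        vendor = body.split(" - ")[1] if body.count(" - ") >= 2 else ""
        if vendor not in KNOWN_VENDORS:
            reasons.append("service from an unrecognised vendor: " + (vendor or "?"))
    return reasons


def normalise(line):
    """Fold case and doubled backslashes so the same entry compares equal across two logs."""
    return re.sub(r"\\+", r"\\", line.strip().lower())


def compare(before, after):
    """Which entries disappeared, which appeared, and which survived but still look suspicious."""
    b = {normalise(l): l for l in before if ENTRY_RE.match(l.strip())}
    a = {normalise(l): l for l in after if ENTRY_RE.match(l.strip())}
    return {
        "removed": [b[k] for k in b if k not in a],
        "added": [a[k] for k in a if k not in b],
        "persisting_flagged": [a[k] for k in a if k in b and triage(a[k])],
    }


# Constructed sample input: a subset of the lines from the two logs posted in this thread.
BEFORE = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe",
    r"O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe",
    r"O4 - HKLM\..\Run: [lreobebA] C:\WINDOWS\lreobebA.exe",
    r"O10 - Hijacked Internet access by New.Net",
    r"O15 - Trusted Zone: http://*.winfixer.com",
    r"O20 - AppInit_DLLs: repairs303169536.dll",
    r"O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lreobeb.exe",
]
AFTER = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe",
    r"O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lreobeb.exe (file missing)",
]

if __name__ == "__main__":
    for line in BEFORE:
        for why in triage(line):
            print(f"{line}\n    -> {why}")
    for kind, lines in compare(BEFORE, AFTER).items():
        print(f"{kind}: {len(lines)}")
```

Running it on the sample lists shows the three entries that survive the first round (the hijacked start page, the pathless `sndcfg16.exe` Run entry and `C:\keyboard1.exe`) still flagged, which is exactly the remainder Thunder lists for HijackThis to fix in step 5. The vendor allow-list is the weak point of this kind of heuristic: a service line can carry any vendor string, so "known vendor" is a reason to look less hard, not a reason to skip the path check.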



