
Infected With Adware.look2me And Possibly Others


  • This topic is locked
15 replies to this topic

#1 huggiebear

huggiebear

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 04 April 2006 - 08:15 AM

Hi, my notebook is infected with some malware and viruses. Please help me get rid of them.
I have run Ad-Aware a couple of times, but 3 items remained unremovable (Adware.Look2Me).
I also ran Spybot S&D, which detected Look2Me.TopConverting (guard.tmp); this also remained unremovable.
I ran AVG on the notebook, which cleaned up quite a few viruses and trojan horses.
I tried to run Trend Micro HouseCall online but got intermittent hanging, so I gave up.
All the while, I get pop-ups from my Internet Explorer and Firefox.
I ran McAfee Stinger, which said it repaired quite a lot of files.

I installed ZoneAlarm Pro when I first got the notebook, but the system crashed when I ran it, so I reverted to XP Home's firewall. Right now it has been disabled by the malware and I'm not able to turn it back on.

At the moment, I still have those pesky pop-ups, and upon bootup, I get this window that says: An exception occurred while trying to run ""c:\windows\system32\tlpmonui.dll",DLLGetVersion".

Thanks in advance for any help rendered.

Below is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:44:09 PM, on 04-Apr-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
C:\Program Files\Traybar\Traybar.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Illustrate\Shutdown\Shutdown.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pc-ap.fujitsu.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cool Beans System Info] C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
O4 - HKLM\..\Run: [Traybar] C:\Program Files\Traybar\Traybar.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Shutdown.lnk = C:\Program Files\Illustrate\Shutdown\Shutdown.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IME - C:\WINDOWS\system32\m4820eloehqc0.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

Edited by huggiebear, 04 April 2006 - 08:20 AM.



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 04 April 2006 - 12:37 PM

Hello and welcome. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Look2Me-Destroyer to your desktop.

Before continuing with the fix there is something you must do:
  • Click Start -> Run and type in: services.msc
  • Check that the following services are running and that their startup is set to automatic:
  • Seclogon, or Secondary logon service
  • Next your machine needs to be offline, manually disconnect the network cable if necessary.
  • Your antivirus, and every other security software MUST be disabled.
Now continue:
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Re-launch your Anti-virus/Firewall protection.
  • Re-connect back to the internet.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :flowers:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

#3 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 04 April 2006 - 09:22 PM

Hi, and thanks for the welcome, Rawe :thumbsup:

Carried out the steps as per your advice.

Here is the Look2Me-Destroyer log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/5/2006 9:55:05 AM

Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012321.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012325.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012363.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012372.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012377.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012385.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012389.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012396.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012400.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012414.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012441.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012466.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013495.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013499.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013508.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013517.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013530.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013555.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013600.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013605.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013611.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013617.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013638.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013649.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013652.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013664.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013679.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013689.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013699.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013709.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013752.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013780.dll
Infected! C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013781.dll
Infected! C:\WINDOWS\system32\dmvvox.dll
Infected! C:\WINDOWS\system32\enlol1331.dll
Infected! C:\WINDOWS\system32\ivencode.dll
Infected! C:\WINDOWS\system32\lirhelp.dll
Infected! C:\WINDOWS\system32\m4820eloehqc0.dll
Infected! C:\WINDOWS\system32\mkvbvm60.dll
Infected! C:\WINDOWS\system32\mqicda.dll
Infected! C:\WINDOWS\system32\n62ulgf9162.dll
Infected! C:\WINDOWS\system32\pah.dll
Infected! C:\WINDOWS\system32\rvgsvc.dll
Infected! C:\WINDOWS\system32\sfi.dll
Infected! C:\WINDOWS\system32\vdrbis.dll
Infected! C:\WINDOWS\system32\wcnhttp.dll
Infected! C:\WINDOWS\system32\wsi.dll
Infected! C:\WINDOWS\system32\wwcltui.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012321.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012321.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012325.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012325.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012363.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012363.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012372.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012372.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012377.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012377.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012385.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012385.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012389.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012389.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012396.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012396.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012400.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012400.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012414.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012414.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012441.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012441.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012466.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP23\A0012466.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013495.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013495.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013499.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013499.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013508.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013508.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013517.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013517.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013530.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013530.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013555.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013555.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013600.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013600.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013605.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013605.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013611.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013611.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013617.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP24\A0013617.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013638.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013638.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013649.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013649.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013652.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013652.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013664.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013664.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013679.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013679.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013689.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013689.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013699.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013699.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013709.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013709.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013752.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013752.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013780.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013780.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013781.dll
C:\System Volume Information\_restore{71FD76BF-5E13-40E4-B982-28271382B7DA}\RP25\A0013781.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dmvvox.dll
C:\WINDOWS\system32\dmvvox.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enlol1331.dll
C:\WINDOWS\system32\enlol1331.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ivencode.dll
C:\WINDOWS\system32\ivencode.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lirhelp.dll
C:\WINDOWS\system32\lirhelp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m4820eloehqc0.dll
C:\WINDOWS\system32\m4820eloehqc0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mkvbvm60.dll
C:\WINDOWS\system32\mkvbvm60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mqicda.dll
C:\WINDOWS\system32\mqicda.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n62ulgf9162.dll
C:\WINDOWS\system32\n62ulgf9162.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\pah.dll
C:\WINDOWS\system32\pah.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rvgsvc.dll
C:\WINDOWS\system32\rvgsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sfi.dll
C:\WINDOWS\system32\sfi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vdrbis.dll
C:\WINDOWS\system32\vdrbis.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wcnhttp.dll
C:\WINDOWS\system32\wcnhttp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wsi.dll
C:\WINDOWS\system32\wsi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wwcltui.dll
C:\WINDOWS\system32\wwcltui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9CF45F27-04FF-4F7E-BF5A-C6572AAAF056}"
HKCR\Clsid\{9CF45F27-04FF-4F7E-BF5A-C6572AAAF056}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E67A2A89-7E76-43B8-8C23-34C6DA36364D}"
HKCR\Clsid\{E67A2A89-7E76-43B8-8C23-34C6DA36364D}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

======================================
When I ran HijackThis, I got the following error message:
An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
====================================

This is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:03:06 AM, on 05-Apr-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
C:\Program Files\Traybar\Traybar.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Illustrate\Shutdown\Shutdown.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pc-ap.fujitsu.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cool Beans System Info] C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
O4 - HKLM\..\Run: [Traybar] C:\Program Files\Traybar\Traybar.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Shutdown.lnk = C:\Program Files\Illustrate\Shutdown\Shutdown.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IME - C:\WINDOWS\system32\m4820eloehqc0.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

===============================
I'm still not able to turn on XP Home's firewall. Received this msg:
"Due to an unidentified problem, Windows cannot display Windows Firewall settings."

===============================
tks

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 05 April 2006 - 05:41 AM

If you need a firewall, then please download one of the following (they're better than XP Firewall):

Sygate
ZoneLabs

Let's continue. :thumbsup:

==

Run a scan with HijackThis and check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O20 - Winlogon Notify: IME - C:\WINDOWS\system32\m4820eloehqc0.dll (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot..

==

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :flowers:

Hi there, stranger!
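The entries ticked above follow two rules a log reader applies by hand: R0/R1 Internet Explorer page settings that are empty or point at about:blank, and O20 Winlogon Notify entries whose DLL no longer exists. This added example (not part of the thread, and not a HijackThis feature) encodes those two rules as a small parser over constructed log lines modelled on the ones quoted in this thread; the regular expressions and the Finding type are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the HijackThis v1.99.1 entries quoted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = http://www.pc-ap.fujitsu.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IME - C:\\WINDOWS\\system32\\m4820eloehqc0.dll (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe
"""

# Every HijackThis entry starts with a section code such as R0, O4, O20 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# R0/R1 bodies look like "HKCU\Software\...\Main,Start Page = <data>".
PAGE_RE = re.compile(r"^(?P<key>HK(?:CU|LM)\\[^,]+),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would tick for 'Fix checked' under the two rules above."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            p = PAGE_RE.match(body)
            # Only Internet Explorer page settings count; the Connection Wizard
            # ShellNext entry pointing at the vendor site is left alone.
            if p and "Internet Explorer" in p.group("key"):
                data = p.group("data").strip().lower()
                if data in ("", "about:blank"):
                    value = p.group("value").strip()
                    findings.append(Finding(section, line, f"IE '{value}' is blank or about:blank"))
        elif section == "O20" and body.startswith("Winlogon Notify:") and body.endswith("(file missing)"):
            # Winlogon Notify loads the DLL into winlogon.exe at every logon; an entry
            # whose DLL is gone is a leftover that should be removed from the registry.
            findings.append(Finding(section, line, "Winlogon Notify entry points at a missing DLL"))
    return findings


def checked_lines(log_text: str) -> List[str]:
    """Just the log lines to tick, in log order."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```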

#5 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 05 April 2006 - 10:16 AM

hi :thumbsup:

ZoneAlarmPro is installed on my notebook but it crashed (blue screen) when I ran it. That was even before the virus/malware attack, ie. when I first got the notebook.
Apparently Sygate has discontinued their personal firewall products - still looking thru their site, though.

Below is the output of PandaSoftware's Activescan:


Incident Status Location

Adware:adware/spysheriff Not disinfected C:\WINDOWS\SYSTEM32\kernels8.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard7.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\abc\Local Settings\Temp\Cookies\abc@ad.yieldmanager[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\abc\Local Settings\Temp\Cookies\abc@rn11[2].txt
Adware:Adware/nCase Not disinfected C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\3ME6CW3L\AppWrap[1].exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\file2.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\kernels8.exe
Dialer:Dialer.Gen Not disinfected D:\Install\Internet Stuff\PtoP stuff\emule.exe
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected D:\Install\mirc stuff\irc_compinfo.zip[moo.dll]
Adware:Adware/IST.ISTBar Not disinfected Local Folders\aaa yahooMails\Re: [palm_crack] need a itunes skin\All_PalmOS_Games_by_AstraWare[1].com_2003_+(www.crack.cd).zip[cuj.exe]
Virus:W32/Bagle.J.worm Disinfected Local Folders\Accounts\vpost and post1\E-mail account security warning.\Attach.zlo
Virus:W32/Disemboweler Disinfected Local Folders\All Personal Mails\Ch Friends\Fw: }j5'#\hppsx.exe
Virus:VBS/Help Disinfected Local Folders\All Personal Mails\XMen\Hello from Wellington\~0000002.~
Virus:W32/Disemboweler Disinfected Local Folders\Info\~0000000.~[2100un32.exe]
Virus:VBS/Help Disinfected Local Folders\Sent Items\Re: Hello from Wellington\~0000003.~
Virus:W32/Bagle.J.worm Disinfected Local Folders\Sent Items\Fw: E-mail account security warning.\Attach.zlo

=========================
tks.

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 05 April 2006 - 11:11 AM

Hi again.. Let's continue. :thumbsup:

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log. :flowers:
Hi there, stranger!

#7 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 05 April 2006 - 08:35 PM

hi :thumbsup:

this is the Ewido scan report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:23:42 AM, 06-Apr-06
+ Report-Checksum: B6FF7291

+ Scan result:

C:\Documents and Settings\abc\Local Settings\Temp\70.tmp3584.exe -> Logger.Agent.ly : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\77.tmp3584.exe -> Logger.Agent.ly : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\Cookies\abc@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\3ME6CW3L\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\Program Files\RealVNC\VNC4\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.4 : Cleaned with backup
C:\WINDOWS\keyboard7.exe -> Downloader.VB.zg : Cleaned with backup
C:\WINDOWS\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\WINDOWS\OEM.exe -> Trojan.Agent.fv : Cleaned with backup
C:\WINDOWS\system32\comdlg64.dll -> Proxy.Agent.ji : Cleaned with backup
C:\WINDOWS\system32\sysvx.exe -> Worm.Locksky.al : Cleaned with backup
D:\Install\Internet Stuff\virtualnwcomputing-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup


::Report End

and this is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:27:34 AM, on 06-Apr-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
C:\Program Files\Traybar\Traybar.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Illustrate\Shutdown\Shutdown.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pc-ap.fujitsu.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cool Beans System Info] C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
O4 - HKLM\..\Run: [Traybar] C:\Program Files\Traybar\Traybar.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Shutdown.lnk = C:\Program Files\Illustrate\Shutdown\Shutdown.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

=========================
tks.

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 06 April 2006 - 02:51 AM

Can you please post back with a fresh Panda log.. Just to see what's left :thumbsup:

Your HijackThis log looks pretty much good.

Oh and, can you tell me what this app is for?

Cool Beans System Info
Hi there, stranger!

#9 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 06 April 2006 - 07:18 AM

hi :thumbsup:

Cool Beans System Info is a utility to display system resource usage in a graphical form (e.g. CPU, RAM, Swapfile, Network[upload/download], etc.).

Below is the fresh Panda log:

Incident Status Location

Adware:adware/adsmart Not disinfected C:\Documents and Settings\abc\Local Settings\Temp\temp.wsf
Adware:adware/spysheriff Not disinfected C:\WINDOWS\SYSTEM32\kernels8.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard71.dat
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\abc\Local Settings\Temp\Cookies\abc@rn11[2].txt
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\file2.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\kernels8.exe
Dialer:Dialer.Gen Not disinfected D:\Install\Internet Stuff\PtoP stuff\emule.exe
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected D:\Install\mirc stuff\irc_compinfo.zip[moo.dll]
Adware:Adware/IST.ISTBar Not disinfected Local Folders\aaa yahooMails\Re: [palm_crack] need a itunes skin\All_PalmOS_Games_by_AstraWare[1].com_2003_+(www.crack.cd).zip[cuj.exe]

=====================
tks

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 06 April 2006 - 09:41 AM

Then let's continue :thumbsup:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\keyboard71.dat
    C:\WINDOWS\file2.exe
    C:\WINDOWS\system32\kernels8.exe
    D:\Install\Internet Stuff\PtoP stuff\emule.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

How's the system running now? :flowers:
Hi there, stranger!

#11 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 06 April 2006 - 09:01 PM

hi :thumbsup:

followed the steps to run KillBox as per advice. Didn't receive any PendingFileRenameOperations prompt. However, after re-boot, received a Microsoft Windows popup that says "The system has recovered from a serious error." The error report includes these 2 files:
C:\DOCUME~1\abc\LOCALS~1\Temp\WER7582.dir00\Mini040706-01.dmp
C:\DOCUME~1\abc\LOCALS~1\Temp\WER7582.dir00\sysdata.xml

Sorry, I took the liberty to run Panda scan again. This is the fresh log:

Incident Status Location

Adware:adware/adsmart Not disinfected C:\Documents and Settings\abc\Local Settings\Temp\temp.wsf
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\newname.dat
Dialer:Dialer.Gen Not disinfected C:\!KillBox\emule.exe
Adware:Adware/Adsmart Not disinfected C:\!KillBox\file2.exe
Adware:Adware/Adsmart Not disinfected C:\!KillBox\kernels8.exe
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\abc\Local Settings\Temp\Cookies\abc@rn11[2].txt
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected D:\Install\mirc stuff\irc_compinfo.zip[moo.dll]
Virus:Trj/INService.BC Disinfected D:\PPC stuff\Agenda Fusion\Agenda_Fusion_v6.x_www.lomalka.ru_.zip[wko.exe]
Virus:Trj/INService.BC Disinfected D:\PPC stuff\Pocket Informant\WebIS_Pocket_Informant_v4.5.1_SERIAL_PPC__www.lomalka.ru_.zip[ugy.exe]
Adware:Adware/IST.ISTBar Not disinfected Local Folders\aaa yahooMails\Re: [palm_crack] need a itunes skin\All_PalmOS_Games_by_AstraWare[1].com_2003_+(www.crack.cd).zip[cuj.exe]

====================
tks
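The two Panda reports above show what a Killbox "Delete on Reboot" run actually does: the three targeted files did not vanish, they reappeared under C:\!KillBox, which is why the rescan still lists them (and why the folder is later deleted by hand). This added example (my own code, not a Panda or Killbox feature) parses two reports in the format the thread shows and classifies each incident as remaining, moved, resolved or new; the samples are constructed and modelled on the logs above, and the report line format is assumed from them.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the two Panda ActiveScan reports in this thread
# (before and after the Killbox "Delete on Reboot" step).
BEFORE = """\
Incident Status Location

Adware:adware/adsmart Not disinfected C:\\Documents and Settings\\abc\\Local Settings\\Temp\\temp.wsf
Adware:adware/dollarrevenue Not disinfected C:\\WINDOWS\\keyboard71.dat
Adware:Adware/Adsmart Not disinfected C:\\WINDOWS\\file2.exe
Adware:Adware/Adsmart Not disinfected C:\\WINDOWS\\system32\\kernels8.exe
Dialer:Dialer.Gen Not disinfected D:\\Install\\Internet Stuff\\PtoP stuff\\emule.exe
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected D:\\Install\\mirc stuff\\irc_compinfo.zip[moo.dll]
"""
AFTER = """\
Incident Status Location

Adware:adware/adsmart Not disinfected C:\\Documents and Settings\\abc\\Local Settings\\Temp\\temp.wsf
Adware:adware/dollarrevenue Not disinfected C:\\WINDOWS\\newname.dat
Dialer:Dialer.Gen Not disinfected C:\\!KillBox\\emule.exe
Adware:Adware/Adsmart Not disinfected C:\\!KillBox\\file2.exe
Adware:Adware/Adsmart Not disinfected C:\\!KillBox\\kernels8.exe
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected D:\\Install\\mirc stuff\\irc_compinfo.zip[moo.dll]
Virus:Trj/INService.BC Disinfected D:\\PPC stuff\\Agenda Fusion\\Agenda_Fusion_v6.x_www.lomalka.ru_.zip[wko.exe]
"""

# "<Category>:<Detection> <Status> <Location>"; the category may contain spaces,
# the detection name does not, and the status is one of two fixed phrases.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<detection>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse report lines; the header and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def _key(row: Dict[str, str]):
    # Detection name plus file name, so a file that was only relocated still matches.
    return (row["detection"].lower(), row["location"].rsplit("\\", 1)[-1].lower())


def compare_reports(before_text: str, after_text: str) -> Dict[str, list]:
    before = {_key(r): r for r in parse_report(before_text)}
    after = {_key(r): r for r in parse_report(after_text)}
    result: Dict[str, list] = {"resolved": [], "remaining": [], "moved": [], "new": []}
    for k, r in before.items():
        if k not in after:
            result["resolved"].append(r["location"])
        elif after[k]["location"].lower() == r["location"].lower():
            result["remaining"].append(r["location"])
        else:
            result["moved"].append((r["location"], after[k]["location"]))
    for k, r in after.items():
        if k not in before:
            result["new"].append(r["location"])
    return result


def quarantined(result: Dict[str, list], folder: str = "C:\\!KillBox\\") -> List[str]:
    """Moved incidents that now sit in the Killbox holding folder (still on disk, not deleted)."""
    return [new for _, new in result["moved"] if new.lower().startswith(folder.lower())]


if __name__ == "__main__":
    diff = compare_reports(BEFORE, AFTER)
    for kind, items in diff.items():
        print(f"{kind}: {items}")
    print("still in Killbox folder:", quarantined(diff))
```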

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 07 April 2006 - 07:21 AM

You can go ahead and uninstall Ewido as well as Look2Me-Destroyer. :thumbsup:

==

Then please navigate to and delete the following file and the zip folders if present:

C:\WINDOWS\newname.dat
D:\PPC stuff\Agenda Fusion\Agenda_Fusion_v6.x_www.lomalka.ru_.zip
D:\PPC stuff\Pocket Informant\WebIS_Pocket_Informant_v4.5.1_SERIAL_PPC__www.lomalka.ru_.zip


==


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

How's the system running? Post back with a fresh HijackThis log. :flowers:
Hi there, stranger!

#13 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 07 April 2006 - 11:52 AM

hi :thumbsup:
deleted the files as advised. Also did a run of ATF-Cleaner.

Can I also delete the folder C:\!KillBox and all its contents?

System is pretty stable now. Haven't seen any browser pop-ups. :flowers:

This is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:40:29 AM, on 08-Apr-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
C:\Program Files\Traybar\Traybar.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hotmail Popper\hotpop.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Illustrate\Shutdown\Shutdown.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pc-ap.fujitsu.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cool Beans System Info] C:\Program Files\Cool Beans System Info\Cool Beans System Info.exe
O4 - HKLM\..\Run: [Traybar] C:\Program Files\Traybar\Traybar.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Hotmail Popper.lnk = C:\Program Files\Hotmail Popper\hotpop.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Shutdown.lnk = C:\Program Files\Illustrate\Shutdown\Shutdown.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: YahooPOPs.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

=========================
Is it safe to say it's completely clean now? :huh: :huh:
Tks.

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:10 PM

Posted 07 April 2006 - 03:30 PM

Can I also delete the folder C:\!KillBox and all its contents?

Yes :thumbsup:

System is pretty stable now. Haven't seen any browser pop-ups.

Good to know.

==

Your log looks clean. :flowers:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)
Hi there, stranger!

#15 huggiebear

huggiebear
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 07 April 2006 - 11:43 PM

hi :thumbsup:

done, and going thru the various reading materials :flowers:

many, many thanks for all your effort and help, Rawe. :huh:

Cheers!