Possible Lop? Windows Me (win9x 4.90.3000)

5 replies to this topic

#1 Catlaydee

Posted 07 April 2006 - 04:35 AM

Hi - this is from my son's pc.

Any help gratefully received :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 10:31:24, on 07/04/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INVENTEL\GATEWAY\WLANCFG.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\VSNPSTD2.EXE
C:\WINDOWS\SYSTEM\RLVKNLG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eopcmmnwkmntuyge.com/IC9voUP8eD...TiYVPlkxNFM.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maomtezmschewf.uk/IC9voUP8eDVZG...hxmRAcPYKhY.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: (no name) - {6098B10B-71E7-19CA-71B7-5DE957917A42} - C:\WINDOWS\APPLICATION DATA\SENDFAST\THIRDNAME.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [wlancfg] C:\Program Files\Inventel\Gateway\wlancfg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system\rlvknlg.exe -boot
O4 - HKLM\..\Run: [size error way part] C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Uploadpoke.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [drivedraw] C:\WINDOWS\APPLIC~1\BYTESO~1\amok seek.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

#2 MoralTerror

Posted 09 April 2006 - 05:17 PM

Hi

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Options > Track this Topic) so that you are notified when you receive a reply.

Please be patient with me during this time. :thumbsup:

#3 MoralTerror

Posted 09 April 2006 - 11:39 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

You have installed Messenger Plus! 3. This program is known to install the malware that you have, a LOP infection. If the program is a must have, reinstall it and decline when asked to install the sponsor's software.

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):


MessengerPlus! 3


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eopcmmnwkmntuyge.com/IC9voUP8eD...TiYVPlkxNFM.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maomtezmschewf.uk/IC9voUP8eDVZG...hxmRAcPYKhY.php
O2 - BHO: (no name) - {6098B10B-71E7-19CA-71B7-5DE957917A42} - C:\WINDOWS\APPLICATION DATA\SENDFAST\THIRDNAME.EXE
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system\rlvknlg.exe
O4 - HKLM\..\Run: [size error way part] C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Uploadpoke.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [drivedraw] C:\WINDOWS\APPLIC~1\BYTESO~1\amok seek.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\WINDOWS\APPLICATION DATA\SENDFAST
C:\WINDOWS\APPLIC~1\BYTESO~1 <<<<the folder located in C:\WINDOWS\APPLICATION DATA\ starting with the letters BYTESO
C:\WINDOWS\All Users\Application Data\Dog Time Size Error
c:\windows\system\rlvknlg.exe
C:\Program Files\MessengerPlus! 3


Reboot your system in Normal Mode.

Download fl.zip
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  • Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HiJack This log and the contents of findlop.txt

#4 Catlaydee (Topic Starter)

Posted 10 April 2006 - 12:38 PM

Wow thank you so much!!

:thumbsup:

#5 Catlaydee (Topic Starter)

Posted 10 April 2006 - 01:38 PM

When I tried to remove messenger3 I had to put in some numbers to prove I was a real person, but I couldn't see them in safe mode, so I rebooted in normal mode. But then I couldn't find messenger3 at all, and it didn't show up in the HijackThis scan I did.

Here's the report from the fl.bat

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Tune-up Application Start.job'
[TRACE] Printing all job properties

ApplicationName: 'walign'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'mleo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/05/2006 19:00:00
NextRun: 05/03/2006 9:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 1
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

8 Triggers

Trigger 0:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 14:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 2:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 19:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 3:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 23:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 4:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 5:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 14:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 6:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 19:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 7:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 23:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'PCHealth Scheduler for Data Collection.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE'
Parameters: ' -c'
WorkingDirectory: ''
Comment: 'Scheduled Task for PC Health Scheduler (Data Collection)'
Creator: 'default'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 5
IdleDeadline: 32767
MostRecentRun: 04/10/2006 18:48:01
NextRun: 04/10/2006 20:11:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 1
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 04/10/2006
EndDate: 00/00/0000
StartTime: 19:41
MinutesDuration: 1440
MinutesInterval: 10
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '1651679B91935C5A.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\byteso~1\Inter Lies Bat.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'default'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 04/10/2006 21:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 03/06/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0




HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 20:39:03, on 10/04/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INVENTEL\GATEWAY\WLANCFG.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\VSNPSTD2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KILL THE POPUP\KTPPOP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\ALL USERS\APPLICATION DATA\DOG TIME SIZE ERROR\DENT MEET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ruybyosrqurzkkicpp.uk/IC9voUP8e...iYVPlkxNFM.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iuarfjrbiqntlcwwmncl.com/IC9voUP8eD...hxmRAcPYKhY.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=KillThePopup:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: CookieHlprObj Class - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\PROGRA~1\KILLTH~1\KTPBHO.DLL
O2 - BHO: (no name) - {6098B10B-71E7-19CA-71B7-5DE957917A42} - C:\WINDOWS\APPLICATION DATA\SENDFAST\THIRDNAME.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [wlancfg] C:\Program Files\Inventel\Gateway\wlancfg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [size error way part] C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Dent meet.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Kill The Popup] C:\Program Files\Kill The Popup\KTPPop.exe
O4 - HKCU\..\Run: [drivedraw] C:\WINDOWS\APPLIC~1\BYTESO~1\amok seek.exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab


PANDA SCAN

Incident Status Location

Spyware:Spyware/MarketScore Not disinfected C:\WINDOWS\SYSTEM\rlls.dll
Spyware:Spyware/MarketScore Not disinfected C:\WINDOWS\SYSTEM\rk.bin
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\bisA192.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\sta62F2.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\sta4250.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\579dc1c9.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\staB305.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\1a2d9.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\TEMP\staE0.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\Application Data\byte software bias\amok seek.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\Application Data\byte software bias\tjxbaybx.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\Application Data\byte software bias\DeafBinLiveBook.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\Application Data\SendFast\ThirdName.exe
Adware:Adware/Lop Not disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\YDETYVY7\upAYB_unk[1].int
Adware:Adware/Lop Not disinfected C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Dent meet.exe
Adware:Adware/Lop Not disinfected C:\Program Files\byte software bias\Inter Lies Bat.exe
Adware:Adware/Lop Not disinfected C:\Program Files\HijackThis\backups\backup-20060410-192303-431.dll
Adware:Adware/Lop Not disinfected C:\Recycled\Dc7\Browse seek.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc7\Uploadpoke.exe
Spyware:Spyware/MarketScore Not disinfected C:\Recycled\Dc8.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\amok seek.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\ormbfaih.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\DeafBinLiveBook.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\frowncbq.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\obmucumm.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\gryjtzmx.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\spgaholw.exe
Adware:Adware/Lop Not disinfected C:\Recycled\Dc10\tyhihsry.exe
Dialer:Dialer.FJR Not disinfected D:\WINDOWS\Downloaded Program Files\nonadult.exe
Spyware:Cookie/Com.com Not disinfected D:\WINDOWS\Cookies\jon newman@com[2].txt
Spyware:Cookie/Com.com Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jon newman@com[2].txt
Spyware:Cookie/Com.com Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@com[2].txt
Spyware:Cookie/Belnk Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@dist.belnk[2].txt
Spyware:Cookie/Searchportal Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@searchportal.information[2].txt
Spyware:Cookie/Screensavers Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@i.screensavers[1].txt
Spyware:Cookie/Hbmediapro Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@adopt.hbmediapro[2].txt
Spyware:Cookie/Atwola Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@atwola[1].txt
Spyware:Cookie/Xmts Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@xmts[1].txt
Spyware:Cookie/Xiti Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@xiti[1].txt
Spyware:Cookie/BurstNet Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@burstnet[2].txt
Spyware:Cookie/BurstBeacon Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@www.burstbeacon[1].txt
Spyware:Cookie/YieldManager Not disinfected D:\WINDOWS\Profiles\Jimjam\Cookies\jimjam@ad.yieldmanager[2].txt
:thumbsup:

Edited by Catlaydee, 10 April 2006 - 02:41 PM.
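The two HijackThis logs in this thread (posts #1 and #5) are worth reading side by side: the Lop start-page and search-bar URLs change between the two runs, the HKLM\..\Run entry under "Dog Time Size Error" is re-created under a new file name ("Uploadpoke.exe" becomes "Dent meet.exe"), and the entries the helper asked to fix in post #3 are gone while new ones (Kill The Popup, the Panda ActiveX control) appear. The script below is an added example, not part of this thread and not code from HijackThis: it parses the R0/R1, O2, O4 and O16 line formats shown in these logs, applies three heuristic checks a log reader would apply by hand (IE home/search page pointing at a host other than the user's ISP, a BHO with no name or registered as an .exe, an autorun launched from an Application Data folder), and reports what changed between the two logs. The trusted-host set and the heuristics are assumptions of the example; they are deliberately narrow and do not catch everything the helper flagged (for instance the RelevantKnowledge/MarketScore entry, which needs outside knowledge rather than a path pattern). The sample logs are the entry lines copied from posts #1 and #5, with the process lists and most O16 lines omitted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Entry lines copied from the HijackThis log posted on 07/04/2006 (post #1).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eopcmmnwkmntuyge.com/IC9voUP8eD...TiYVPlkxNFM.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maomtezmschewf.uk/IC9voUP8eDVZG...hxmRAcPYKhY.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: (no name) - {6098B10B-71E7-19CA-71B7-5DE957917A42} - C:\WINDOWS\APPLICATION DATA\SENDFAST\THIRDNAME.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\system\rlvknlg.exe -boot
O4 - HKLM\..\Run: [size error way part] C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Uploadpoke.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [drivedraw] C:\WINDOWS\APPLIC~1\BYTESO~1\amok seek.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
"""

# Entry lines copied from the HijackThis log posted on 10/04/2006 (post #5).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ruybyosrqurzkkicpp.uk/IC9voUP8e...iYVPlkxNFM.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iuarfjrbiqntlcwwmncl.com/IC9voUP8eD...hxmRAcPYKhY.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=KillThePopup:8100
O2 - BHO: CookieHlprObj Class - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\PROGRA~1\KILLTH~1\KTPBHO.DLL
O2 - BHO: (no name) - {6098B10B-71E7-19CA-71B7-5DE957917A42} - C:\WINDOWS\APPLICATION DATA\SENDFAST\THIRDNAME.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [size error way part] C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Dent meet.exe
O4 - HKCU\..\Run: [Kill The Popup] C:\Program Files\Kill The Popup\KTPPop.exe
O4 - HKCU\..\Run: [drivedraw] C:\WINDOWS\APPLIC~1\BYTESO~1\amok seek.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# One regex per HijackThis line shape that appears in these logs.
R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O4S_RE = re.compile(r"^O4 - Startup: (.*?) = (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (.*)$")

# Assumption of this example: the only legitimate IE home page is the ISP one
# seen in the HKLM Start Page entry.
TRUSTED_HOSTS = {"www.wanadoo.co.uk"}


@dataclass
class Entry:
    section: str  # R0, R1, O2, O4 or O16
    ident: str    # stable identity of the slot: registry value, CLSID or Run name
    name: str     # value name, BHO name, Run name or class name
    target: str   # URL, path or command line the slot points at
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis entry line into an Entry; return None for other lines."""
    m = R_RE.match(line)
    if m:
        sec, hive, path, valname, value = m.groups()
        return Entry(sec, f"{hive}\\{path},{valname}", valname, value, line)
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        return Entry("O2", clsid, name, path, line)
    m = O4_RE.match(line)
    if m:
        hive, subkey, name, cmd = m.groups()
        return Entry("O4", f"{hive}\\..\\{subkey}:{name}", name, cmd, line)
    m = O4S_RE.match(line)
    if m:
        name, path = m.groups()
        return Entry("O4", f"Startup:{name}", name, path, line)
    m = O16_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        return Entry("O16", clsid, name, url, line)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln.strip()) for ln in text.splitlines()) if e]


def flag(e: Entry) -> List[str]:
    """Heuristic checks (assumptions of this example, not HijackThis rules)."""
    reasons = []
    if e.section in ("R0", "R1") and e.ident.endswith(("Main,Start Page", "Main,Search Bar")):
        host = urlparse(e.target).hostname or ""
        if host not in TRUSTED_HOSTS:
            reasons.append(f"IE {e.name} points at untrusted host {host!r}")
    if e.section == "O2" and (e.name == "(no name)" or e.target.lower().endswith(".exe")):
        reasons.append("BHO has no name or is registered as an .exe (BHOs are normally DLLs)")
    if e.section == "O4":
        low = e.target.lower()
        # "APPLIC~1" is the 8.3 short form of "Application Data" seen in these logs.
        if "application data" in low or "applic~1" in low:
            reasons.append("autorun launches from an Application Data folder")
    return reasons


def compare_logs(before: List[Entry], after: List[Entry]) -> Dict[str, list]:
    """Diff two logs by slot identity, so a rotating URL shows as 'changed', not added+removed."""
    b = {e.ident: e for e in before}
    a = {e.ident: e for e in after}
    return {
        "added": [i for i in a if i not in b],
        "removed": [i for i in b if i not in a],
        "changed": [(i, b[i].target, a[i].target) for i in a if i in b and a[i].target != b[i].target],
    }


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for e in after:
        for reason in flag(e):
            print(f"FLAG {e.section:<3} {e.ident}: {reason}")
    diff = compare_logs(before, after)
    for ident, old, new in diff["changed"]:
        print(f"CHANGED {ident}\n    was {old}\n    now {new}")
    print("added:", diff["added"])
    print("removed:", diff["removed"])
```

Run against the two logs, the "changed" list is the interesting part: it shows the same three slots (HKCU Search Bar, HKCU Start Page, the "size error way part" Run value) surviving the first fix with new targets, which is the behaviour the helper is working around in post #6 by removing the scheduled job that re-creates them.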


#6 MoralTerror

Posted 11 April 2006 - 11:57 AM

Hi Catlaydee

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.

Open Notepad and copy and paste the content of the code box in it:

rem switch to drive C first (a bare drive letter with a colon is the change-drive command)
C:
cd C:\Windows\Tasks
rem clear the read-only, system and hidden attributes so the job file can be deleted
attrib -r -s -h *.job
del 1651679B91935C5A.job
  • Save this Notepad file as remjobs.bat, choosing to save as *All files*,
    and place it on your desktop.
  • Double-click on remjobs.bat. A DOS window will open and close again; this is normal.
Reboot to Safe Mode (by tapping the F8 key until the menu appears).

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ruybyosrqurzkkicpp.uk/IC9voUP8e...iYVPlkxNFM.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iuarfjrbiqntlcwwmncl.com/IC9voUP8eD...hxmRAcPYKhY.php
O2 - BHO: (no name) - {6098B10B-71E7-19CA-71B7-5DE957917A42} - C:\WINDOWS\APPLICATION DATA\SENDFAST\THIRDNAME.EXE
O4 - HKLM\..\Run: [size error way part] C:\WINDOWS\All Users\Application Data\Dog Time Size Error\Dent meet.exe
O4 - HKCU\..\Run: [drivedraw] C:\WINDOWS\APPLIC~1\BYTESO~1\amok seek.exe


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following files (indicated in RED) and folders (indicated in BLUE), if they still exist:


C:\WINDOWS\All Users\Application Data\Dog Time Size Error
C:\WINDOWS\Application Data\byte software bias
C:\WINDOWS\APPLICATION DATA\SENDFAST
C:\WINDOWS\SYSTEM\rlls.dll
C:\WINDOWS\SYSTEM\rk.bin
C:\Program Files\byte software bias
D:\WINDOWS\Downloaded Program Files\nonadult.exe


Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program and reboot when prompted.

Reboot to Normal Mode

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended Scan
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post the results from Kaspersky along with a new HJT log.

Please double-click on fl.bat (on your desktop) and post the new findlop.txt

How's the computer running now??
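The reason for remjobs.bat above is visible in the findlop.txt report in post #5: the third job, '1651679B91935C5A.job', runs 'c:\progra~1\byteso~1\Inter Lies Bat.exe' every hour with Hidden = 1, which is how the Lop entries came back after the first HijackThis fix. The script below is an added example, not part of this thread and not the fl.bat tool: it parses the job-property dump format shown in that report, triages each job with two heuristics (the task is marked Hidden, or the .job file name is a 16-digit hex string rather than a descriptive name) and emits the same removal commands the helper wrote, one pair per suspicious job. Both heuristics are assumptions of the example, chosen because they separate the Lop job from the two legitimate ones in this report; a job can be malicious without matching either. The sample input is an abridged copy of the report from post #5.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Abridged copy of the findlop.txt report posted in this thread (post #5):
# only the lines the parser below needs are kept for each job.
FINDLOP_SAMPLE = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Tune-up Application Start.job'
[TRACE] Printing all job properties

ApplicationName: 'walign'
Parameters: ''
Creator: 'mleo'
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 0
Hidden = 0

8 Triggers

Trigger 0:
Type: MonthlyDOW
Flags:
Disabled = 0

[TRACE] Activating job 'PCHealth Scheduler for Data Collection.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE'
Parameters: ' -c'
Creator: 'default'
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 0
Hidden = 0

1 Trigger

Trigger 0:
Type: Daily

[TRACE] Activating job '1651679B91935C5A.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\byteso~1\Inter Lies Bat.exe'
Parameters: ''
Creator: 'default'
MostRecentRun: 00/00/0000 0:00:00
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1

1 Trigger

Trigger 0:
Type: Daily
"""

JOB_START = re.compile(r"^\[TRACE\] Activating job '(.+)'$")
TRIGGERS = re.compile(r"^\d+ Triggers?$")      # "1 Trigger" / "8 Triggers" ends the job properties
FLAG_RE = re.compile(r"^(\w+) = (\d+)$")       # e.g. "Hidden = 1"
KV_RE = re.compile(r"^(\w+): (.*)$")           # e.g. "ApplicationName: 'walign'"
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{16}\.job$")


@dataclass
class Job:
    name: str
    props: Dict[str, str] = field(default_factory=dict)
    flags: Dict[str, int] = field(default_factory=dict)

    @property
    def app(self) -> str:
        return self.props.get("ApplicationName", "")


def parse_jobs(text: str) -> List[Job]:
    """Split the dump into jobs; only the properties before the trigger list are kept."""
    jobs: List[Job] = []
    cur = None
    in_triggers = False
    for line in text.splitlines():
        m = JOB_START.match(line)
        if m:
            cur = Job(name=m.group(1))
            jobs.append(cur)
            in_triggers = False
            continue
        if cur is None or in_triggers:
            continue
        if TRIGGERS.match(line):
            in_triggers = True      # trigger blocks reuse names like "Flags"; ignore them
            continue
        m = FLAG_RE.match(line)
        if m:
            cur.flags[m.group(1)] = int(m.group(2))
            continue
        m = KV_RE.match(line)
        if m:
            cur.props[m.group(1)] = m.group(2).strip("'")
    return jobs


def triage(jobs: List[Job]) -> List[Tuple[Job, List[str]]]:
    """Heuristics assumed by this example; neither is proof on its own."""
    findings = []
    for job in jobs:
        reasons = []
        if job.flags.get("Hidden") == 1:
            reasons.append("task is marked Hidden")
        if HEX_NAME.match(job.name):
            reasons.append("job file is named with a 16-digit hex string, not a descriptive name")
        if reasons:
            findings.append((job, reasons))
    return findings


def removal_batch(job_names: List[str], tasks_dir: str = r"C:\Windows\Tasks") -> List[str]:
    """Batch lines in the same shape as remjobs.bat, targeting only the named jobs."""
    lines = ["C:", f"cd {tasks_dir}"]
    for name in job_names:
        quoted = f'"{name}"' if " " in name else name
        lines += [f"attrib -r -s -h {quoted}", f"del {quoted}"]
    return lines


if __name__ == "__main__":
    jobs = parse_jobs(FINDLOP_SAMPLE)
    found = triage(jobs)
    for job, reasons in found:
        print(f"{job.name}: runs {job.app!r}; " + "; ".join(reasons))
    print("\n".join(removal_batch([job.name for job, _ in found])))
```

The parser stops collecting properties at the "N Trigger(s)" line because trigger blocks repeat keys such as "Flags" and "Type" that would otherwise overwrite the job-level values.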



