
First Post. Lots Of Problems


  • This topic is locked
4 replies to this topic

#1 lostprophet3689

lostprophet3689

  • Members
  • 2 posts
  • OFFLINE

Posted 14 April 2006 - 04:17 PM

I've watched out for spyware pretty well, then overnight, something happened.

Here's my HijackThis log; if anyone could help, that'd be great.

Logfile of HijackThis v1.99.1
Scan saved at 5:14:25 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\AOL\1133734449\ee\aolsoftware.exe
c:\program files\common files\aol\1133734449\ee\aim6.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\SILENT~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\SILENT~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\twrum.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fryywaf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\lvp2097oe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium

Posted 15 April 2006 - 08:51 AM

Hello,

Please perform the next steps in the right order!

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

After reboot,
  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (rightclick on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat, close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
Please post the contents of Look2Me-Destroyer.txt present on your desktop and a new HiJackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 lostprophet3689

lostprophet3689
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 16 April 2006 - 04:43 PM

Here's the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:38:53 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\AOL\1133734449\ee\aolsoftware.exe
c:\program files\common files\aol\1133734449\ee\aim6.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

and the Look2Me-Destroyer.txt:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/16/2006 5:30:01 PM

Infected! C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263004.dll
Infected! C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263005.dll
Infected! C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263006.dll
Infected! C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263007.dll
Infected! C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263008.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263004.dll
C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263004.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263005.dll
C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263005.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263006.dll
C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263006.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263007.dll
C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263007.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263008.dll
C:\System Volume Information\_restore{50D5D827-CE29-4A1F-88A3-C6506C535774}\RP383\A0263008.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



Thank you for your help thus far
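As an added example (not code from this thread, from HijackThis or from Look2Me-Destroyer), a small Python triage script: it parses HijackThis entry lines, flags the F2 Shell=/UserInit= hijacks and the O20 Winlogon Notify DLL visible in the first log, and lists which entries disappeared between that log and the one posted after cleanup. The log excerpts are copied from the two logs in this thread; the triage rules are my own assumptions, not HijackThis logic.

```python
import re

# Constructed excerpt of the two logs posted above (only triage-relevant lines kept).
LOG_BEFORE = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\system32\\twrum.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,fryywaf.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O20 - Winlogon Notify: SideBySide - C:\\WINDOWS\\system32\\lvp2097oe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""
LOG_AFTER = """\
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

# HijackThis entry lines look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[FORN]\d+) - (?P<body>.+)$")

def parse(log):
    """Return (section, body) tuples for every entry line; other lines are ignored."""
    return [(m.group("sec"), m.group("body"))
            for m in map(ENTRY_RE.match, log.splitlines()) if m]

def flag(entries):
    """Assumed triage rules: Shell= must be exactly Explorer.exe, UserInit= must be a
    single userinit.exe path, and any Winlogon Notify DLL is listed for verification."""
    findings = []
    for sec, body in entries:
        if sec == "F2" and body.startswith("REG:system.ini: Shell="):
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append((sec, "extra process appended to Shell=", body))
        elif sec == "F2" and body.startswith("REG:system.ini: UserInit="):
            parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                findings.append((sec, "extra program appended to UserInit=", body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append((sec, "DLL loaded by winlogon at every logon; verify it", body))
    return findings

def removed_between(before, after):
    """Entries present in the first log but absent from the later one."""
    later = set(parse(after))
    return [e for e in parse(before) if e not in later]

if __name__ == "__main__":
    for sec, why, body in flag(parse(LOG_BEFORE)):
        print(f"[{sec}] {why}: {body}")
    print(len(removed_between(LOG_BEFORE, LOG_AFTER)), "entries gone after cleanup")
```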

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium

Posted 16 April 2006 - 04:59 PM

Hello,

I see a clean log here.
Install an antivirus and a firewall asap to prevent reinfection!

AVG, Avira OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Zonealarm, Agnitum Outpost Free OR Kerio are FREE firewalls.

Understanding and using firewalls

Let your antivirus perform a full scan to get rid of the leftovers.

How are things running now?

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium

Posted 24 April 2006 - 12:37 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.