A Years Accumulation Of Spyware! - Hjt Log


10 replies to this topic

#1 craynerd


Posted 16 April 2006 - 03:26 AM

Hi Guys

What a fantastic forum! Basically I haven't been looking after my computer properly and it got to the stage where I was getting "popup up on" every few minutes.

So I have used a lot of popup removal stuff, downloaded SP2, downloaded Firefox and scrapped IE, used Adaware, Spybot and then recognised I have SurfSideKick and used your tutorial to help me delete that...yet I'm still getting popups.

Hope someone could take a look at my logs.


Logfile of HijackThis v1.99.1
Scan saved at 09:24:40, on 16/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\windows\mousepad11.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://www.drd.dyndns.org/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...436342D2D2D.exe
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127167247312
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 80.225.252.58 80.225.252.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 80.225.252.58 80.225.252.50
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe




Regards
Chris



#2 -David-


Posted 18 April 2006 - 12:51 PM

Hey there craynerd

I'll take this log and go with you through the problems you are having and hopefully resolve some of them. At the moment your Hijackthis log isn't looking too bad; in relation to the statement 'a year's accumulation of spyware', you aren't doing too badly. However, the fact that you are getting pop-ups changes the matter somewhat. There must be something hiding on your computer which is displaying these pop-ups.

Firstly let's clear what I currently see that is bad in the Hijackthis log. I think we are going to have to dig a little deeper to find the source - in this day and age there are many possibilities, you could have a rootkit that is hidden in Normal mode or a more routine infection such as LOP which doesn't always show in HJT. I'm going to get you to run a few scans later on which should hopefully unearth the cause.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - Default URLSearchHook is missing
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...436342D2D2D.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished. I see that you were at some stage using the Trixie.Bho toolbar. I'm not entirely sure on the status of this program but it would appear that you tried to uninstall it and it didn't quite work. Before we go around deleting its leftover files, can you tell me whether you still use it / want to use it / want to get rid of it.

One entry in your HJT log is a process which is malware. I'm talking about C:\windows\mousepad11.exe. We need to use a specific BFU script (that probably means nothing to you) to remove that file and other leftovers it tends to leave. So please download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.
Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Now please download the following attachment - it's going to get rid of leftover services registry entries for a malware file. This is how the batch must look afterwards: [image]
Doubleclick look.bat and copy the contents of the text file that opens back here.
[attachment=801:attachment]
After running the file a text file will open. Please save that file to your desktop.

That's the first removal stage complete, but now I want to run a few things with you so I can really see what's going on inside your computer. It may be that the above removed the infection that was causing the popups but I think it's better to be safe than sorry. So, firstly I want you to Generate an Uninstall List
  • Open HijackThis
  • Click on Open Misc Tools Section
  • Click on Open Uninstall Manager
  • Click on Save list
  • Save it to your Desktop
I want you to paste that file here but we will do that a bit later.

Next, please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Again, I will want you to post the contents of the ActiveScan report along later.

Finally I want to scan for any rootkits/hidden files that may be causing the pop-ups. It's a long shot but it's becoming more and more common for infections like Apropos to arise. Please download and Save blacklight to your C:\ Important!!.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Then go to start > run and copy and paste next command in the field:

C:\blbeta.exe /expert

This should open your blacklight.
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

So...please post back with:

1) A New Hijackthis log
2) The uninstaller list
3) The panda log
4) The Blacklight log.
5) The contents of the chrisfix.bat i had you run earlier.

We can go from there with the information you give me.
David
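As an added example (not part of this thread, and not HijackThis's own logic), the Python script below applies the triage David does by hand to a few constructed lines copied from the log posted above: it separates the "Running processes" list from the lettered entries, flags entries whose backing file is missing (the Trixie BHO and the Network Monitor service), flags O16 ActiveX downloads from hosts outside a small assumed vendor allowlist (which catches the dollarrevenue entry), notes an executable sitting directly in the Windows root (mousepad11.exe), and lists the O17 nameservers so they can be confirmed against the ISP's. The allowlist, the Windows-root heuristic and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\windows\mousepad11.exe
C:\Program Files\hjt\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...436342D2D2D.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 80.225.252.58 80.225.252.50
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Assumed allowlist of vendors whose ActiveX downloads (O16 DPF) are expected on this machine.
TRUSTED_DPF_HOSTS = {"microsoft.com", "msn.com", "yahoo.com", "yimg.com"}

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(text):
    """Split a HijackThis log into its process list and its lettered entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append({"section": m.group(1), "body": m.group(2), "line": line})
        elif in_processes:
            processes.append(line)
    return processes, entries


def trusted_host(host):
    """True when the host is one of the allowlisted vendors or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def review(text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        low = proc.lower()
        # An executable directly in the Windows root, rather than System32 or
        # Program Files, is unusual; Explorer.EXE is the known exception (heuristic).
        if re.match(r"^c:\\windows\\[^\\]+$", low) and not low.endswith(r"\explorer.exe"):
            findings.append(("executable in Windows root", proc))
    for e in entries:
        sec, body, line = e["section"], e["body"], e["line"]
        if sec == "R3" and "missing" in body:
            findings.append(("default URLSearchHook missing", line))
        if sec in {"O2", "O3", "O18", "O23"} and "(file missing)" in body:
            findings.append(("orphaned entry, backing file missing", line))
        if sec == "O16":
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            if host and not trusted_host(host):
                findings.append((f"ActiveX download from untrusted host {host}", line))
        if sec == "O17":
            findings.append(("DNS servers set, confirm they belong to the ISP", line))
    return findings


if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the constructed sample it reports six findings, the same entries David singled out plus the orphaned Network Monitor service and the nameservers; the O2 Spybot helper and the Microsoft DPF entry pass through untouched. The allowlist is the part to tune per machine: a host that is merely unrecognised is a prompt to check, not proof of infection.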

#3 craynerd


Posted 20 April 2006 - 05:05 AM

Thanks David,

I have done as much as possible but I hit two major problems:

1) Chrisfix.bat doesn't seem to open correctly. When I downloaded it, then ran it, a text doc immediately flashed up and saved as a text file "fix" with the text:

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


Your instructions were to "double click look.bat" yet I could never see this file. I presumed that something is wrong!


2) I have followed all your instructions and then on the backlight program, when I tried to open it from C:\ as you said, I got this error:

F-Secure BackLight was unable to acquire necessary privileges (SeDebugPrivilege)

and it will not let me go any further than that. OK then closes the program.

--------------------------------------------------------------------------------------------------------------

So those are the two problems!

You also asked me a question re: trixie: Basically my mate at Uni formatted the harddrive and re-installed windows xp. He then told me that I needed trixie to download updates. I don't really understand what it does but since I regularly try and update my computer I guess I do use it.

-----------------------------------------------------------------------------------------------------------------


OK, as you asked, from the instructions I have followed thus far:


1) A New Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:01:58, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://www.drd.dyndns.org/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127167247312
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 80.225.255.185 80.225.255.177
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 80.225.255.185 80.225.255.177
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe



2) The uninstaller list

ACTIVstudio 2 Student Edition v2.0.262
Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
Ares 1.9.0
BitLord 1.1
CheckerBoard 1.64
Chuck's Planted Aquarium Calculator v1.0i
DivX
DivX Player
DVD Shrink
Easy GIF Animator 3.1
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON Web-To-Page
ESPRX420 Reference Guide
ESPRX420 Software Guide
GoldWave v5.04
Google Toolbar for Internet Explorer
HijackThis 1.99.1
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia HomeSite+
Macromedia Shockwave Player
Magic ISO Maker v5.0 (build 0166)
Microsoft .NET Framework 1.1
Microsoft Office XP Professional with FrontPage
Microsoft XML Parser and SDK
mIRC
Mozilla Firefox (1.0.7)
MSN Contacts Manager
MSN Gaming Zone
MSN Messenger 7.5
MSN Toolbar
Multimedia Science School
Nero - Burning Rom
Norton SystemWorks 2002
Numeracy Benchmark Test
PIF DESIGNER2.1
Pinnacle Hollywood FX 5
PowerDVD
PSPad editor
QuickTime

3) The panda log


sent pm.

Then logs 4 and 5, as mentioned above, I have had problems with.

Thanks for everything so far.
Regards
Chris

Edited by craynerd, 20 April 2006 - 05:10 AM.


#4 -David-


Posted 20 April 2006 - 12:09 PM

Hello Chris

Thanks for the PM's --> I've changed the names and here is the new Panda log. I took out the cookies, which we can remove a bit later.

Incident Status Location

Adware:adware/look2me Not disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/purityscan Not disinfected C:\WINDOWS\SYSTEM32\wtssvtr.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Craynerd\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/commad Not disinfected C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\e8202ifmg82a2.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\l28m0cl1efq.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\n88o0il3e8q.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\tbbyuv.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\?ppPatch\winword.exe

The fact that the BlackLight log gave a SeDebugPrivilege error, and the Panda log threw up numerous Look2Me files, I want you to run a scanner/remover to delete these orphaned entries. The scanner will also repair the SeDebugPrivilege error. The infection is not active - I can tell from the Hijackthis log. In regard to the batch file I had you run, the output was correct, and it just confirmed with me that the service entries had been deleted, so you did well there. I want to deal with Trixie when we get the log clean; I'm sure nothing is wrong with it, but I want to do a bit of research and work out what it really is. So, before we continue I would like to complete the following:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

David

#5 craynerd


Posted 20 April 2006 - 03:53 PM

OK:

Look2Me-Destroyer log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/20/2006 7:13:53 PM

Infected! C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP214\A0052199.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP214\A0052199.dll
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP214\A0052199.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E7C70A19-D84C-4D15-BB6D-8A010E5B0074}"
HKCR\Clsid\{E7C70A19-D84C-4D15-BB6D-8A010E5B0074}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{79DF1E96-B29C-4CDF-81EF-82203F8AC199}"
HKCR\Clsid\{79DF1E96-B29C-4CDF-81EF-82203F8AC199}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{63AB66F0-3AD6-44A6-9E14-C71EF135E4AC}"
HKCR\Clsid\{63AB66F0-3AD6-44A6-9E14-C71EF135E4AC}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded




As you said, BlackLight now works. BlackLight log:

04/20/06 21:53:38 [Info]: BlackLight Engine 1.0.35 initialized
04/20/06 21:53:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/20/06 21:53:39 [Note]: 7019 4
04/20/06 21:53:39 [Note]: 7005 0
04/20/06 21:54:25 [Note]: 7006 0
04/20/06 21:54:25 [Note]: 7022 0
04/20/06 21:54:25 [Note]: 7011 1864
04/20/06 21:54:25 [Note]: 7026 0
04/20/06 21:54:25 [Note]: 7026 0
04/20/06 21:54:25 [Note]: FSRAW library version 1.7.1015
04/20/06 21:54:54 [Info]: Hidden file: D:\RECYCLER\NPROTECT\NPROTECT.LOG
04/20/06 21:54:54 [Note]: 7002 0
04/20/06 21:54:54 [Note]: 7003 1
04/20/06 21:54:54 [Note]: 10002 3
04/20/06 21:54:54 [Note]: 10002 2
04/20/06 21:54:54 [Note]: 10002 2
04/20/06 21:57:03 [Info]: Hidden file: C:\RECYCLER\NPROTECT\NPROTECT.LOG
04/20/06 21:57:03 [Note]: 7002 0
04/20/06 21:57:03 [Note]: 7003 1
04/20/06 21:57:03 [Note]: 10002 3
04/20/06 21:57:03 [Note]: 10002 2
04/20/06 21:57:03 [Note]: 10002 2
04/20/06 21:59:22 [Note]: 7007 0

Edited by craynerd, 20 April 2006 - 04:04 PM.


#6 craynerd


Posted 20 April 2006 - 04:02 PM

and new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:00:17, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://www.drd.dyndns.org/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127167247312
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 212.74.114.129 212.74.112.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 212.74.114.129 212.74.112.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe



I think that's everything you have asked me to do so far, updated!

Chris

#7 -David-


Posted 21 April 2006 - 10:17 AM

Can I get you to run Panda again please and post the log? Good job so far!
David

#8 craynerd


Posted 21 April 2006 - 03:15 PM

Incident Status Location

Adware:adware/purityscan Not disinfected C:\WINDOWS\SYSTEM32\wtssvtr.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Cray\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/commad Not disinfected C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[www.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.rn11.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.888.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.xmts.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.overture.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.as1.falkag.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[server.iad.liveperson.net/hc/63152693]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[server.iad.liveperson.net/hc/63152693]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.z1.adserver.com/]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr4463
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[63152693]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[63152693]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[]
Adware:Adware/Yazzle Not disinfected C:\RECYCLER\S-1-5-21-1960408961-573735546-839522115-1003\Dc37.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-21-1960408961-573735546-839522115-1003\Dc38.exe
Adware:Adware/PurityScan Not disinfected C:\RECYCLER\S-1-5-21-1960408961-573735546-839522115-1003\Dc40.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-21-1960408961-573735546-839522115-1003\Dc41.exe
Adware:Adware/DollarRevenue Not disinfected C:\RECYCLER\S-1-5-21-1960408961-573735546-839522115-1003\Dc44.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Q2hyaXM\kZ1Vurg.vbs
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KZIBAHCP\ld[1].exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\e8202ifmg82a2.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\l28m0cl1efq.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\n88o0il3e8q.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\tbbyuv.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\?ppPatch\winword.exe



Hmmm, should that Look2Me still be there? I have certainly followed the instructions to delete it and it looked like it had worked!

Chris

Edited by craynerd, 21 April 2006 - 03:18 PM.


#9 -David-


Posted 21 April 2006 - 03:39 PM

Hi Chris!

Download KillBox from here
Unzip the folder to your desktop.
Don't run it yet.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\wtssvtr.exe
C:\Documents and Settings\Cray\Local Settings\Temporary Internet Files\Ssk.log
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
C:\WINDOWS\Q2hyaXM
C:\WINDOWS\system32\e8202ifmg82a2.dll
C:\WINDOWS\system32\l28m0cl1efq.dll
C:\WINDOWS\system32\n88o0il3e8q.dll
C:\WINDOWS\system32\tbbyuv.dll


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu; pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot please delete the following folder:

C:\WINDOWS\?ppPatch <--this folder is most likely named "appPatch", as the ? replaces a letter. There may be two folders in your "C:\WINDOWS" folder under the "appPatch" name but only delete the one which contains the file named "winword.exe".

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Also please post a new HJT log.
David
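The reply above builds the Killbox list by hand from Chris's Panda report: file hits go to Killbox, tracking cookies go to ATF Cleaner, registry hits and the `?ppPatch` path need manual handling. The helper below is an added example (not a tool from this thread, from BleepingComputer or from Panda) that does the same triage over Panda's "Not disinfected" lines; the sample report is a constructed subset of the one posted above.

```python
"""Triage a Panda ActiveScan report into cookies, registry hits and on-disk files.

Added example, not from this thread or from Panda. Each report line has the shape
    <Category>:<family> Not disinfected <location>
The location is a file path, a cookies.txt[...] entry or the words "Windows Registry".
Paths containing '?' are flagged separately: the scanner prints '?' in place of a
character it could not render, so such a path cannot be pasted into a deletion tool.
"""
from collections import Counter
from dataclasses import dataclass, field

STATUS = " Not disinfected "

# Constructed sample: a subset of the lines from the Panda report posted in this thread.
SAMPLE_REPORT = r"""Incident Status Location

Adware:adware/purityscan Not disinfected C:\WINDOWS\SYSTEM32\wtssvtr.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Cray\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/commad Not disinfected C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cray\Application Data\Mozilla\Firefox\Profiles\5f457v94.default\cookies.txt[.doubleclick.net/]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr4463
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\e8202ifmg82a2.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\?ppPatch\winword.exe
"""


@dataclass
class Finding:
    category: str   # e.g. "Adware"
    family: str     # e.g. "adware/purityscan" (Panda is inconsistent about case)
    location: str   # file path, cookies.txt entry or "Windows Registry"


@dataclass
class Triage:
    cookies: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    files: list = field(default_factory=list)
    unprintable: list = field(default_factory=list)


def parse_line(line: str):
    """Return a Finding for one report line, or None for headers and blank lines."""
    if STATUS not in line:
        return None
    head, _, location = line.partition(STATUS)
    category, _, family = head.partition(":")
    return Finding(category.strip(), family.strip(), location.strip())


def triage(report: str) -> Triage:
    """Sort every finding into the bucket that decides how it is cleaned up."""
    t = Triage()
    seen = set()
    for line in report.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if "cookies.txt[" in f.location or f.family.lower().startswith("cookie/"):
            t.cookies.append(f)          # browser cookie store: cleared by the browser/ATF Cleaner
        elif f.location == "Windows Registry":
            t.registry.append(f)         # no path to delete: needs registry/HJT work
        elif f.location in seen:
            continue                     # Panda repeats some hits; list each path once
        elif "?" in f.location:
            seen.add(f.location)
            t.unprintable.append(f)      # placeholder character: locate the folder by hand
        else:
            seen.add(f.location)
            t.files.append(f)
    return t


def families(findings) -> Counter:
    """Count hits per malware family, case-insensitively."""
    return Counter(f.family.lower() for f in findings)


def delete_list(t: Triage) -> list:
    """Paths that can be pasted as-is into a delete-on-reboot tool."""
    return [f.location for f in t.files]


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("files:", *delete_list(result), sep="\n  ")
    print("needs manual lookup:", [f.location for f in result.unprintable])
    print("families on disk:", dict(families(result.files)))
```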

#10 craynerd


Posted 24 April 2006 - 12:44 AM

Hi David,

I ran KillBox and no errors or prompts came up. I just did as you asked and it ran straight through until the end.

Kaspersky Log:

Infected Object Name Virus Name Last Action
C:\!KillBox\e8202ifmg82a2.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\!KillBox\l28m0cl1efq.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\!KillBox\n88o0il3e8q.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\!KillBox\tbbyuv.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP194\A0037260.exe Infected: Backdoor.Win32.Rbot.adf skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP197\A0040376.exe Infected: Backdoor.Win32.Rbot.adf skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP214\A0052287.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP214\A0052300.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052383.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052422.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052438.EXE Infected: Trojan-Downloader.Win32.Adload.aj skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052439.exe Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052463.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052464.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052504.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052515.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP216\A0052520.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP218\A0052560.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP218\A0053583.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053609.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053615.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053619.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053620.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053633.exe Infected: Trojan-Downloader.Win32.PurityScan.cf skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053635.exe/data0006 Infected: Trojan-Downloader.Win32.PurityScan.cf skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053635.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053636.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053636.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053636.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053636.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP219\A0053636.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP220\snapshot\MFEX-66.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP221\A0053955.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP221\A0053957.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP221\snapshot\MFEX-66.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054268.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054269.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054270.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054271.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054272.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054274.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054275.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054277.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054281.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054282.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054288.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054289.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054290.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054292.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054293.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054295.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054297.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054299.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054300.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054302.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054303.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054306.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054309.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054311.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054313.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054376.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054378.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP225\A0054379.EXE Infected: Trojan-Downloader.Win32.PurityScan.cf skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP226\A0056827.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059050.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059051.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059052.exe Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059053.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059053.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059053.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059053.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059053.exe CAB: infected - 4 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP229\A0060720.EXE Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP229\A0060721.EXE Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP229\A0060722.EXE Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061012.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061013.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061014.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061015.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061029.exe/data0006 Infected: Trojan-Downloader.Win32.PurityScan.cf skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061029.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061030.exe Infected: Trojan-Downloader.Win32.Adload.an skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061033.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061033.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061033.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061034.exe Infected: Trojan-Downloader.Win32.VB.aad skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061035.exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061035.exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061035.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061036.exe Infected: Trojan-Downloader.Win32.Adload.t skipped
C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061064.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KZIBAHCP\ld[1].exe Infected: Trojan-Downloader.Win32.Adload.t skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q5I5S1S1\dot[1].exe/data0001 Infected: not-a-virus:AdWare.Win32.MediaTickets.x skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q5I5S1S1\dot[1].exe/data0002 Infected: Trojan-Dropper.Win32.PurityScan.af skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q5I5S1S1\dot[1].exe NSIS: infected - 2 skipped

And a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 06:42:56, on 24/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://www.drd.dyndns.org/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127167247312
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames/Check...PA.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 212.74.114.129 212.74.112.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A289E05-E554-4F1F-9ADF-C8761345C5B7}: NameServer = 212.74.114.129 212.74.112.67
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:30 AM

Posted 24 April 2006 - 11:31 AM

Hello Chris.

The logs are looking much better and there are only a couple of things we have left to do.

Firstly, please empty this folder:
C:\!KillBox

Next I want you to fix this suspicious entry in HJT:
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab

Most entries in the Kaspersky log are infected restore points, which I will get you to purge when you give me the confirmation that you are pleased with the performance of the computer. Also, this entry:
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
...is just a false positive, so don't worry about it.

Please reboot and let me know how the system is running.
David
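The triage David does by eye above, separating restore-point hits from files still live on the disk and picking the one O16 ActiveX entry worth fixing, can be done mechanically over the posted logs. The following is an added example, not code from this thread or from HijackThis or Kaspersky; the sample lines are copied from the two logs posted above, and the allowlist of download hosts is an assumption made for illustration. A host that is not on it is reported for review, not declared malicious.

```python
"""Triage a Kaspersky on-line scan log and the O16 (DPF) lines of a HijackThis log.

Added example, not code from the thread.  TRUSTED_HOSTS is an assumed allowlist for
illustration only; anything outside it is surfaced for a human decision.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Kaspersky reports one line per detection and one summary line per archive:
#   <path> Infected: <detection> skipped
#   <path> NSIS: infected - 2 skipped        (members were already listed above it)
KAV_DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<det>\S+) skipped$")
KAV_ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<arc>[A-Z]+): infected - (?P<n>\d+) skipped$")

# HijackThis O16 line: O16 - DPF: {CLSID} (friendly name) - <URL or local path>
HJT_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<src>.+)$")

# Assumption: hosts this user knowingly installed ActiveX controls from.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "kaspersky.com", "pandasoftware.com",
                 "yahoo.com", "yimg.com")


def classify_path(path):
    """Where a hit lives decides how it is cleaned, so group by location first."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # flushed by purging System Restore, not by deleting files
    if "\\temporary internet files\\" in p:
        return "browser_cache"   # cached download; clear the cache (note the SYSTEM profile path)
    return "live"                # an installed component that is still present on disk


def triage_kav(lines):
    """Return (rows, summary). Archive summary lines are dropped as duplicates."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or KAV_ARCHIVE.match(line):
            continue
        m = KAV_DETECTION.match(line)
        if not m:
            continue
        det = m.group("det")
        rows.append({
            "path": m.group("path"),
            "detection": det,
            "location": classify_path(m.group("path")),
            # "not-a-virus:" is Kaspersky's adware/riskware class; a legitimate tool such
            # as mIRC lands here too, so these need a human decision, not blind deletion.
            "class": "riskware" if det.startswith("not-a-virus:") else "malware",
        })
    return rows, Counter(r["location"] for r in rows)


def host_of(src):
    """Hostname of a DPF source, or None for a local file path."""
    return urlsplit(src).hostname if "://" in src else None


def review_o16(lines):
    """O16 entries whose download host is outside TRUSTED_HOSTS, as (clsid, name, host)."""
    flagged = []
    for line in lines:
        m = HJT_O16.match(line.strip())
        if not m:
            continue
        host = host_of(m.group("src"))
        if host is None:
            continue
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            flagged.append((m.group("clsid"), m.group("name"), host))
    return flagged


# Sample input copied from the logs posted above (paths truncated by the forum kept as-is).
SAMPLE_KAV = [
    r"C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP228\A0059050.dll Infected: not-a-virus:AdWare.Win32.SurfSide.an skipped",
    r"C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP229\A0060721.EXE Infected: Backdoor.Win32.VB.ary skipped",
    r"C:\System Volume Information\_restore{F20888F1-945B-4B19-BE95-5CE7FBF2BDCA}\RP231\A0061029.exe NSIS: infected - 1 skipped",
    r"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KZIBAHCP\ld[1].exe Infected: Trojan-Downloader.Win32.Adload.t skipped",
    r"C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped",
]
SAMPLE_HJT = [
    "O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab",
    "O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://www.drd.dyndns.org/cab/OCXChecker_6110.cab",
    "O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab",
    r"O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll",
    "O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-p...-en/FlashAX.cab",
]

if __name__ == "__main__":
    rows, summary = triage_kav(SAMPLE_KAV)
    for r in rows:
        print(f"{r['location']:<14}{r['class']:<10}{r['detection']}")
    print("by location:", dict(summary))
    for clsid, name, host in review_o16(SAMPLE_HJT):
        print(f"review O16 {{{clsid}}} ({name}) from {host}")
```

Run on the full logs, the location summary tells you how much of the Kaspersky output is restore-point residue that a System Restore purge removes in one step, and the O16 review narrows several dozen DPF lines to the few whose download host nobody on the thread recognises. The truncated URLs the forum produced still parse because the cut falls in the path, not the host.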
