

Help! Ads.adfirstsolution



#1 noobie24


Posted 22 April 2006 - 10:16 PM

I tried some of the solutions from other topics, but they are still not working for me.

Number 1 problem is continuous popups.
My main concern is these files:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tdlbd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,fyrfnli.exe
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\hrls0537e.dll

Full Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 10:08:51 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\khanh\Desktop\belkin router\New Folder\Webroot Spy Sweeper v3.0-Fosi__WORK___\fo-wss3\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rokanova.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rokanova.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.5\THGuard.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145319951021
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\hrls0537e.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

After using ewido anti-malware

I can't seem to get rid of this file:

C:\WINDOWS\system32\cEpesnpn.dll -> Adware.Look2Me


Fully scanned and cleaned files. This log might help speed up the process:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:07:22 PM, 4/22/2006
+ Report-Checksum: ABA18A48

+ Scan result:

[1916] C:\WINDOWS\system32\cEpesnpn.dll -> Adware.Look2Me : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned without backup
C:\WINDOWS\ejypkexA.exe -> Hijacker.VB.ij : Cleaned without backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned without backup
C:\WINDOWS\system32\ikm32.dll -> Adware.Look2Me : Cleaned without backup
C:\WINDOWS\system32\whiprop.dll -> Adware.Look2Me : Cleaned without backup
C:\WINDOWS\system32\winlogi.exe -> Backdoor.Rbot.afu : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@counter2.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned without backup
C:\WINDOWS\TEMP\Cookies\khanh@zedo[1].txt -> TrackingCookie.Zedo : Cleaned without backup
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\F7EXGHR4\xpladv438[1].wmf -> Exploit.MS05-053-WMF : Cleaned without backup
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\NQN3KOY0\bag[1].htm -> Not-A-Virus.Exploit.JS.CVE20051790.j : Cleaned without backup
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\NQN3KOY0\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\NQN3KOY0\rcverlib[3].exe -> Downloader.Qoologic.ax : Cleaned without backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned without backup
C:\WINDOWS\V2FycmlvcnM\asappsrv.dll -> Adware.CommAd : Cleaned without backup
C:\Documents and Settings\khanh\Cookies\khanh@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned without backup
C:\Documents and Settings\khanh\Cookies\khanh@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned without backup
C:\Documents and Settings\khanh\Cookies\khanh@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned without backup
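A triage pass over HijackThis lines of the kinds shown in the post above, so the F2 Shell=/UserInit= extras, the O10 Winsock hijack, the O15 Trusted Zone entries and the random-named O20 Winlogon Notify DLL are surfaced automatically. This is an added example, not code from the thread or from HijackThis; the allowlists and the random-name heuristic are assumptions.

```python
import re

# Constructed sample: HijackThis 1.99 lines of the kinds quoted in the post above.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\system32\\tdlbd.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,fyrfnli.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.boxsearch.net
O20 - Winlogon Notify: RunServices - C:\\WINDOWS\\system32\\hrls0537e.dll
O20 - Winlogon Notify: MCPClient - C:\\Program Files\\Common Files\\Stardock\\mcpstub.dll
O23 - Service: SAVScan - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\SAVScan.exe
"""

# What a clean Windows XP system.ini mapping should contain (assumption for this example).
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {"userinit.exe"}
# Heuristic (assumption): a system32 DLL named letters+digits+letters, e.g. hrls0537e.dll.
RANDOM_SYSTEM32_DLL = re.compile(r"\\system32\\[a-z]+\d+[a-z]*\.dll$", re.I)


def _basenames(value):
    """Split a comma-separated Shell=/UserInit= value into lowercase file names."""
    return [p.strip().rsplit("\\", 1)[-1].lower() for p in value.split(",") if p.strip()]


def triage_hijackthis(log_text):
    """Return (section, reason) tuples for lines that warrant a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
        if m:
            key, value = m.groups()
            allowed = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
            # Anything appended after the expected executable is a persistence hook.
            extra = [n for n in _basenames(value) if n not in allowed]
            if extra:
                findings.append(("F2", f"{key} launches extra program(s): {', '.join(extra)}"))
        elif line.startswith("O10 - Hijacked"):
            findings.append(("O10", line.split(" - ", 1)[1]))
        elif line.startswith("O15 - Trusted Zone:"):
            # A Trusted Zone entry relaxes IE security for that domain; each one needs a reason.
            findings.append(("O15", "unexpected Trusted Zone entry: " + line.split(": ", 1)[1]))
        else:
            m = re.match(r"O20 - Winlogon Notify: (\S+) - (.*)", line)
            if m and RANDOM_SYSTEM32_DLL.search(m.group(2)):
                findings.append(("O20", f"Winlogon Notify '{m.group(1)}' loads random-looking DLL {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for section, reason in triage_hijackthis(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```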


#2 -David-


Posted 23 April 2006 - 04:50 AM

Hi noobie24!

You have quite a few infections running at this time. I see you had a Qoologic infection but managed to remove it; I want to check if there are any leftover files.

*Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

* Download FindQool.zip and save it to your C:\.
http://downloads.subratam.org/Lon/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text file opens.
Post this in your next reply.

Please post back with the two logs and a new Hijackthis log.
David



