
Maybe God Hates Me (or Just My Computer)


5 replies to this topic

#1 Omnifire

Omnifire

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 25 April 2006 - 04:18 AM

After not being able to handle the built-up problems I had just received on my computer, I decided to turn to reformatting to solve my problems. But, lo and behold, 5 minutes after reinstalling my modem, it seems my computer is now packed chock-a-block full of malware again. As I type, pop-ups are springing forward hither and thither. Here is a HijackThis log, please help!

Logfile of HijackThis v1.99.1
Scan saved at 9:16:32 PM, on 4/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\System32\dcz.exe
C:\WINDOWS\System32\mscdconf.exe
C:\WINDOWS\System32\microsot3.exe
C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\netdde.exe
C:\Program Files\M?crosoft.NET\?canregw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\systay.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{68D0FA9E-422F-3984-7905-39B6021AACC6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Automatical Updater] dcz.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\Run: [Microsoft Configuration 34] microsot3.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Windows Automatical Updater] dcz.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 34] microsot3.exe
O4 - HKCU\..\Run: [Windows Automatical Updater] dcz.exe
O4 - HKCU\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKCU\..\Run: [Microsoft Configuration 34] microsot3.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\netdde.exe" -vt yazr
O4 - HKCU\..\Run: [Ryzys] C:\Program Files\M?crosoft.NET\?canregw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysaver.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hrlo0533e.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows System Tray - Unknown owner - C:\WINDOWS\systay.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:37 PM

Posted 25 April 2006 - 11:53 AM

Hello there,

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

* Open notepad and copy and paste next in it:

@ echo off
sc stop "Windows System Tray" > C:\directory.txt
sc delete "Windows System Tray" > C:\directory.txt
cd\
cd C:\Documents and Settings\Owner\My Documents
dir /x > C:\directory.txt
cd C:\Program Files
dir /x > C:\directory.txt
dir C:\Program Files\M?crosoft.NET\?canregw.exe /a h > C:\directory.txt
start C:\directory.txt
exit

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: [image]
Doubleclick look.bat and copy the contents of the text file that opens back here.


* Download KillBox from here
Unzip the folder to your desktop.
Don't run it yet.

* Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\System32\dcz.exe
C:\WINDOWS\System32\mscdconf.exe
C:\WINDOWS\System32\microsot3.exe
C:\WINDOWS\system32\hrlo0533e.dll
C:\WINDOWS\systay.exe
C:\WINDOWS\system32\hrlo0533e.dll


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu; pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

When you reboot please Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{68D0FA9E-422F-3984-7905-39B6021AACC6} - (no file)
O4 - HKLM\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\Run: [Microsoft Configuration 34] microsot3.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\RunServices: [Windows Automatical Updater] dcz.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 34] microsot3.exe
O4 - HKLM\..\RunServices: [Windows Automatical Updater] dcz.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration 34] microsot3.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Owner\MYDOCU~1\PPATCH~1\netdde.exe" -vt yazr
O4 - HKCU\..\Run: [Ryzys] C:\Program Files\M?crosoft.NET\?canregw.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysaver.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\hrlo0533e.dll
O23 - Service: Windows System Tray - Unknown owner - C:\WINDOWS\systay.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

* Please reboot back to normal mode and Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.

Please post a new HijackThis log and the ewido log, along with the Look2Me-Destroyer log and the results from the look.bat.

David

Edited by D-Trojanator, 25 April 2006 - 11:54 AM.
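Added example (not from the thread, and not part of HijackThis or any tool named in it): a small Python triage script that reads a HijackThis log the way the reply above does, flagging the entry classes David asked to have fixed (blanked R0/R1 pages, an R3 hook with no file, O4 autoruns given as a bare file name, living under a user profile, or containing an unrenderable "?", O15 Trusted Zone additions, a Winlogon Notify DLL with a random-looking name, an O23 service with no known owner) and recording O16/O17 entries for review. The sample log is a constructed subset of the entries posted in the first post; the digit-in-name rule for O20 DLLs and the path heuristics are my own, not HijackThis rules.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    level: str    # "flag": recommend removal / close review; "info": context for the analyst
    reason: str
    line: str


# Constructed sample: a subset of the HijackThis entries posted earlier in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R3 - URLSearchHook: (no name) - _{68D0FA9E-422F-3984-7905-39B6021AACC6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [Windows Automatical Updater] dcz.exe
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKLM\\..\\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKCU\\..\\Run: [Aida] "C:\\DOCUME~1\\Owner\\MYDOCU~1\\PPATCH~1\\netdde.exe" -vt yazr
O4 - HKCU\\..\\Run: [Ryzys] C:\\Program Files\\M?crosoft.NET\\?canregw.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysaver.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O20 - Winlogon Notify: Extensions - C:\\WINDOWS\\system32\\hrlo0533e.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
O23 - Service: Windows System Tray - Unknown owner - C:\\WINDOWS\\systay.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat))(?:\s|$)", re.IGNORECASE)


def autorun_path(cmd: str) -> str:
    """Extract the executable path from an O4 command (quoted, unquoted with spaces, or a bare name)."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group(1)
    m = UNQUOTED_RE.match(cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else cmd


def check_o4(line: str) -> Optional[Finding]:
    m = O4_RE.match(line)
    if not m:
        return None
    path = autorun_path(m.group("cmd"))
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name, resolved through the search path")
    if "?" in path:
        reasons.append("path contains a character the console could not render")
    if re.search(r"\\(DOCUME~1|Documents and Settings)\\", path, re.IGNORECASE):
        reasons.append("autorun located in a user profile directory")
    return Finding("flag", "; ".join(reasons), line) if reasons else None


def check_line(line: str) -> Optional[Finding]:
    line = line.rstrip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1"):
        if line.endswith("= about:blank") or line.endswith("="):
            return Finding("flag", "start/search page blanked (hijack residue)", line)
    elif kind == "R3" and line.endswith("(no file)"):
        return Finding("flag", "URLSearchHook pointing at a missing file", line)
    elif kind == "O4":
        return check_o4(line)
    elif kind == "O15":
        return Finding("flag", "site added to the Trusted Zone (lowers IE security for it)", line)
    elif kind == "O16":
        return Finding("info", "downloaded ActiveX control; verify the publisher and source URL", line)
    elif kind == "O17":
        return Finding("info", "custom DNS servers; confirm they belong to the ISP", line)
    elif kind == "O20":
        stem = line.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if re.search(r"\d", stem):   # heuristic: vendor Notify DLLs rarely carry digits in the name
            return Finding("flag", "Winlogon Notify DLL with a random-looking name", line)
    elif kind == "O23" and "Unknown owner" in line:
        return Finding("flag", "service with no known publisher", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that deserves attention, in log order."""
    return [f for f in (check_line(raw) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level}] {f.reason}\n    {f.line}")
```

The rules deliberately err toward "flag": an analyst still confirms each hit against the running-process list, as the reply above does, but the bare-name O4 entries and the unknown-owner service are exactly the items the thread removes.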


#3 Omnifire

Omnifire
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 25 April 2006 - 06:57 PM

Hello, boy was that an exhausting process. Anyway, here are the logs. Oddly enough though, the notepad generated by look.bat was blank. I hope you get less of a headache reading these logs than I did in any case. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 11:51:08 AM, on 4/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{477DA7E9-F95A-45F5-9B9D-BCFA75B008C2}: NameServer = 203.96.152.4,203.96.152.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:39:18 AM, 4/26/2006
+ Report-Checksum: B5E721E3

+ Scan result:

[604] C:\WINDOWS\system32\dgmasf.dll -> Adware.Look2Me : Error during cleaning
[728] C:\WINDOWS\system32\dgmasf.dll -> Adware.Look2Me : Error during cleaning
C:\!KillBox\dcz.exe -> Backdoor.Rbot : Cleaned with backup
C:\!KillBox\dcz.exe( 4) -> Backdoor.Rbot : Cleaned with backup
C:\!KillBox\systay.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\!KillBox\systay.exe( 1) -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2TPXEQ5B\gimmysmileys[1].exe -> Adware.180Solutions : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\452JW5QF\hdisk[1].exe/drsmartload195a.exe -> Downloader.Adload.ap : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\452JW5QF\hdisk[1].exe/elitem.exe -> Trojan.LowZones.cr : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZIEF0R7\hdisk[1].exe/drsmartload195a.exe -> Downloader.Adload.ap : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZIEF0R7\hdisk[1].exe/elitem.exe -> Trojan.LowZones.cr : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\L00UOUO1\gimmysmileys[1].exe -> Adware.180Solutions : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g5r9fc4d.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ICD1.tmp\amm06.ocx -> Downloader.VB.bo : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr5A96 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr788F -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0E92UHUV\mmxbabysandra[1].exe -> Downloader.VB.jl : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0E92UHUV\zo[1].exe/mmxxxxmas2.exe -> Downloader.VB.jl : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0E92UHUV\zo[1].exe/themasterz.exe -> Hijacker.Small.hh : Cleaned with backup
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Downloader.VB.bo : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\amm06.ocx -> Downloader.VB.bo : Cleaned with backup
C:\WINDOWS\gimmysmileys.exe -> Adware.180Solutions : Cleaned with backup
C:\WINDOWS\hdisk.exe/drsmartload195a.exe -> Downloader.Adload.ap : Cleaned with backup
C:\WINDOWS\hdisk.exe/elitem.exe -> Trojan.LowZones.cr : Cleaned with backup
C:\WINDOWS\mdrive\drsmartload195a.exe -> Downloader.Adload.ap : Cleaned with backup
C:\WINDOWS\mdrive\elitem.exe -> Trojan.LowZones.cr : Cleaned with backup
C:\WINDOWS\mdrive\mediam.exe -> Trojan.LowZones.cr : Cleaned with backup
C:\WINDOWS\mdrive\my.exe -> Downloader.VB.abs : Cleaned with backup
C:\WINDOWS\newname14.exe -> Downloader.VB.ri : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BBKT3O8U\zo[1].exe/mmxxxxmas2.exe -> Downloader.VB.jl : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BBKT3O8U\zo[1].exe/themasterz.exe -> Hijacker.Small.hh : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IK7122KH\mmxbabysandra[1].exe -> Downloader.VB.jl : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IK7122KH\sysdir[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\krdit142.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lvl0093me.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\q4psle771h.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : Cleaned with backup


::Report End


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/26/2006 11:48:02 AM

Infected! C:\WINDOWS\system32\hr0m05d1e.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0002097.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0002107.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0003106.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0003110.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004183.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004203.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004204.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004225.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004226.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004238.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004244.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004257.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004258.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004259.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004261.dll
Infected! C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004268.dll
Infected! C:\WINDOWS\system32\hr0m05d1e.dll
Infected! C:\WINDOWS\system32\ir46l5hs1.dll
Infected! C:\WINDOWS\system32\owecli.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\hr0m05d1e.dll
C:\WINDOWS\system32\hr0m05d1e.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0002097.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0002097.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0002107.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0002107.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0003106.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0003106.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0003110.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP1\A0003110.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004183.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004183.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004203.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004203.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004204.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004204.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004225.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004225.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004226.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004226.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004238.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004238.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004244.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004244.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004257.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004257.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004258.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004258.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004259.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004259.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004261.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004261.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004268.dll
C:\System Volume Information\_restore{31CD3BD6-D69D-4C60-87F4-F453E4C2F9B1}\RP2\A0004268.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr0m05d1e.dll
C:\WINDOWS\system32\hr0m05d1e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir46l5hs1.dll
C:\WINDOWS\system32\ir46l5hs1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\owecli.dll
C:\WINDOWS\system32\owecli.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{435220EA-634F-431C-B0D5-2EDEC646E035}"
HKCR\Clsid\{435220EA-634F-431C-B0D5-2EDEC646E035}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EEE082C7-8F3A-4721-BD11-336618320697}"
HKCR\Clsid\{EEE082C7-8F3A-4721-BD11-336618320697}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:37 PM

Posted 26 April 2006 - 10:55 AM

Hey there!

You did all that really well and all the infection is now gone. The batch I asked you to run didn't work because I got it slightly wrong, but I've adapted it to make it work. Although the infection you had is gone, I imagine that the folders are still lingering on your system.

Open notepad and copy and paste next in it:

@ echo off
cd\
cd C:\Documents and Settings\Owner\My Documents
dir /x > C:\directory2.txt
cd C:\Program Files
dir >> C:\directory2.txt
start C:\directory2.txt
exit

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: [image]
Doubleclick look.bat and copy the contents of the text file that opens back here.

David

#5 Omnifire

Omnifire
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 26 April 2006 - 11:20 PM

Sorry about the late reply. I've been having trouble finding this topic. Anyway, here is the notepad you wanted.

Volume in drive C has no label.
Volume Serial Number is F41C-FD9F

Directory of C:\Documents and Settings\Owner\My Documents

04/27/2006 01:48 PM <DIR> .
04/27/2006 01:48 PM <DIR> ..
04/25/2006 08:05 PM 2,855,080 AAWSEP~1.EXE aawsepersonal.exe
04/26/2006 11:25 AM <DIR> backups
04/27/2006 01:37 PM 6,883,122 BITTOR~1.EXE BitTorrent-Stable.exe
04/26/2006 11:09 AM 7,984,736 EWIDO-~1.EXE ewido-setup.exe
04/25/2006 06:55 PM 5,113,904 FIREFO~1.EXE Firefox Setup 1[1].5.0.2.exe
04/25/2006 09:21 PM 1,334,520 GOOGLE~1.EXE googletalk-setup.exe
02/16/2005 11:06 AM 218,112 HIJACK~1.EXE HijackThis.exe
04/26/2006 11:51 AM 2,069 HIJACK~1.LOG hijackthis.log
04/25/2006 09:02 PM 212,849 HIJACK~1.ZIP hijackthis.zip
04/25/2006 09:26 PM 9,409,224 INSTAL~1.EXE Install_MSN_Messenger.exe
04/26/2006 11:05 AM 70,487 KillBox.zip
04/26/2006 11:03 AM 344 look.bat
04/26/2006 11:48 AM 6,818 LOOK2M~1.TXT Look2Me-Destroyer.txt
04/25/2006 05:22 PM <DIR> MYMUSI~1 My Music
04/27/2006 01:08 PM <DIR> MYPICT~1 My Pictures
04/25/2006 11:27 PM 156 prepatch.log
04/26/2006 11:39 AM 17,722 SCANRE~1.TXT Scan report_20060426.txt.txt
04/25/2006 08:35 PM 7,428,200 sdsetup.exe
04/25/2006 07:12 PM 5,037,072 SPYBOT~1.EXE spybotsd14.exe
04/25/2006 11:00 PM 51,017,594 WAR3TF~2.EXE War3TFT_120c_English.exe
04/25/2006 10:43 PM 682,293 WAR3TF~1.EXE War3TFT_120c_to_120d_English.exe
04/25/2006 08:37 PM 3,649,560 YTOOLB~1.EXE ytoolbar_setup.exe
04/25/2006 06:55 PM 10,537,576 ZLSSET~1.EXE zlsSetup_61_737_000_en.exe
04/25/2006 08:13 PM 10,523,240 ZLSSET~2.EXE zlsSetup_61_744_001_en.exe
04/25/2006 06:44 PM <DIR> PPATCH~1 ??pPatch
21 File(s) 122,984,678 bytes
6 Dir(s) 36,599,136,256 bytes free
Volume in drive C has no label.
Volume Serial Number is F41C-FD9F

Directory of C:\Program Files

04/27/2006 04:08 PM <DIR> .
04/27/2006 04:08 PM <DIR> ..
04/27/2006 04:08 PM <DIR> Analog Devices
04/27/2006 01:38 PM <DIR> BitTorrent
04/25/2006 11:19 PM <DIR> Common Files
04/26/2006 07:37 PM <DIR> CONEXANT
04/26/2006 12:28 PM <DIR> DivX
04/26/2006 11:26 AM <DIR> ewido anti-malware
04/25/2006 09:21 PM <DIR> Google
04/25/2006 11:25 PM <DIR> internet explorer
04/25/2006 08:06 PM <DIR> Lavasoft
04/25/2006 05:10 PM <DIR> Messenger
04/25/2006 11:25 PM <DIR> microsoft frontpage
04/25/2006 05:12 PM <DIR> Movie Maker
04/27/2006 04:12 PM <DIR> Mozilla Firefox
04/25/2006 05:10 PM <DIR> MSN
04/25/2006 05:10 PM <DIR> MSN Gaming Zone
04/25/2006 09:28 PM <DIR> MSN Messenger
04/25/2006 11:07 PM <DIR> M?crosoft.NET
04/25/2006 05:12 PM <DIR> NetMeeting
04/25/2006 09:07 PM <DIR> Online Services
04/25/2006 05:12 PM <DIR> Outlook Express
04/25/2006 07:22 PM <DIR> Spybot - Search & Destroy
04/27/2006 12:51 PM <DIR> Warcraft III
04/25/2006 05:22 PM <DIR> Windows Media Player
04/25/2006 05:10 PM <DIR> Windows NT
04/25/2006 05:18 PM <DIR> xerox
04/25/2006 08:49 PM <DIR> Yahoo!
04/25/2006 06:57 PM <DIR> Zone Labs
0 File(s) 0 bytes
29 Dir(s) 36,599,136,256 bytes free

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:37 PM

Posted 27 April 2006 - 10:58 AM

Hi there Omnifire,

The results you posted are just what I wanted to see. The infection you have is PurityScan, which does a pretty nasty trick of using ? question marks to hide letters of folders. We have to delete some rogue folders in your C:\Documents and Settings\Owner\My Documents folder. Please navigate to this folder now.
The folders you are looking for do not actually have question marks in them when you see them in the folder, and will have a letter in place of them. So I want you to find and delete the following folders in your C:\Documents and Settings\Owner\My Documents directory:

??pPatch <--most likely to be 'appPatch'

So the question mark will be replaced by a letter that most likely creates a word. E.g. in ??pPatch the question marks will most likely hide the 'a' and the 'p' to make the folder name appPatch. If you get two folders under the same name, e.g. if you find two folders named "appPatch", then please leave them and let me know those folder names.
Next I want you to find and delete the following folders in your C:\Program Files directory:

M?crosoft.NET <--most likely to be 'Microsoft.NET'
...again if you have two leave them and let me know.

I'm pretty sure you won't find any duplicates but let me know if you do. This infection is pretty new so I'm still getting used to it, so if you don't really understand then let me know and I'll get someone to try and explain it a bit better for you :thumbsup:
If you can't find any of the folders, don't worry and just let me know.
Now please delete this file:
C:\directory2.txt
After doing all you can please reboot your computer and post back with a new Hijackthis log and also run that customised batch I got you to run in the fourth (#4) post (look.bat).

Good luck, David.

Edited by D-Trojanator, 27 April 2006 - 10:59 AM.
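Added example (not from the thread): a Python parser for the whitespace-collapsed `dir /x` output posted above. It tracks the current "Directory of" path, splits the 8.3 alias from the long name, and flags names that cannot be real as printed (a "?" is a reserved wildcard in Windows file names, so one in a listing means the console could not render the actual character) or that contain non-ASCII characters, which is the PurityScan folder trick David describes. The listing is constructed from a few lines of the posted output plus one made-up entry that uses a Cyrillic "і" to show what the same folder looks like when the character does render; the short names for the two Microsoft look-alike folders are also made up.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class DirEntry(NamedTuple):
    directory: str
    is_dir: bool
    size: int
    short_name: str   # 8.3 alias printed by `dir /x`, or "" when the long name already fits
    long_name: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.long_name


# Constructed sample in the collapsed shape the listing had when pasted into the thread.
SAMPLE_LISTING = "\n".join([
    " Volume in drive C has no label.",
    " Volume Serial Number is F41C-FD9F",
    "",
    " Directory of C:\\Documents and Settings\\Owner\\My Documents",
    "",
    "04/27/2006 01:48 PM <DIR> .",
    "04/27/2006 01:48 PM <DIR> ..",
    "04/26/2006 11:25 AM <DIR> backups",
    "02/16/2005 11:06 AM 218,112 HIJACK~1.EXE HijackThis.exe",
    "04/26/2006 11:03 AM 344 look.bat",
    "04/25/2006 06:44 PM <DIR> PPATCH~1 ??pPatch",
    "21 File(s) 122,984,678 bytes",
    "",
    " Directory of C:\\Program Files",
    "",
    "04/25/2006 07:22 PM <DIR> SPYBOT~1 Spybot - Search & Destroy",
    "04/25/2006 11:07 PM <DIR> MCROSO~1.NET M?crosoft.NET",        # made-up alias
    "04/25/2006 11:07 PM <DIR> MCROSO~2.NET M\u0456crosoft.NET",    # made-up: Cyrillic i rendered
])

DIRECTORY_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<kind><DIR>|[\d,]+)\s+(?P<rest>.+?)\s*$"
)
# `dir /x` prints an 8.3 alias only when it differs from the long name; those aliases carry "~N".
SHORT_RE = re.compile(r"^(?P<short>[^\s.]{1,8}~\d+(?:\.[^\s.]{1,3})?)\s+(?P<long>.+)$")


def parse_dir_listing(text: str) -> List[DirEntry]:
    """Parse collapsed `dir /x` output into entries, skipping headers, totals, '.' and '..'."""
    entries: List[DirEntry] = []
    current = ""
    for raw in text.splitlines():
        m = DIRECTORY_RE.match(raw)
        if m:
            current = m.group("path")
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        rest = m.group("rest")
        sm = SHORT_RE.match(rest)
        short, long_ = (sm.group("short"), sm.group("long")) if sm else ("", rest)
        if long_ in (".", ".."):
            continue
        kind = m.group("kind")
        size = 0 if kind == "<DIR>" else int(kind.replace(",", ""))
        entries.append(DirEntry(current, kind == "<DIR>", size, short, long_))
    return entries


def why_suspicious(name: str) -> Optional[str]:
    """Explain why a printed name cannot be a plain ASCII Windows name, or None if it is fine."""
    if "?" in name:
        return "'?' in listing: reserved wildcard, so the real character could not be rendered"
    if any(ord(ch) > 0x7F for ch in name):
        return "non-ASCII character in name"
    return None


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return (full path, reason) for every entry whose name warrants a closer look."""
    out: List[Tuple[str, str]] = []
    for e in parse_dir_listing(text):
        reason = why_suspicious(e.long_name)
        if reason:
            out.append((e.path, reason))
    return out


if __name__ == "__main__":
    for path, reason in suspicious_entries(SAMPLE_LISTING):
        print(f"{path}\n    {reason}")
```

Running it over the pasted listing reproduces David's two candidates (??pPatch under My Documents and M?crosoft.NET under Program Files). If the listing is captured to a Unicode-aware file instead of the console, the "?" rule no longer fires and the non-ASCII rule takes over, which is what the third constructed line shows.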




