Winlogin Notify Spyware


  • This topic is locked
4 replies to this topic

#1 nitzany

nitzany

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 20 May 2006 - 05:03 AM

Hello, I have a problem with popups.

Logfile of HijackThis v1.99.1
Scan saved at 12:57:50, on 20/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4FBAAC2-A27F-4444-9E0B-A34179CA122D}: NameServer = 212.150.48.169,206.49.94.134
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\m628lgfu1628.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


The problematic one is:

O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\m628lgfu1628.dll

I tried to fix it and failed.

What should I do?


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:23 PM

Posted 20 May 2006 - 07:31 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 nitzany

nitzany
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 20 May 2006 - 07:48 AM

First of all thanks a lot.

Here is the Look2Me-Destroyer log:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/20/2006 3:36:09 PM

Infected! C:\WINDOWS\system32\m628lgfu1628.dll
Infected! C:\WINDOWS\system32\tzrmmgr.dll
Infected! C:\WINDOWS\system32\wzw32.dll
Infected! C:\WINDOWS\system32\nutui2.dll
Infected! C:\WINDOWS\system32\kddda.dll
Infected! C:\WINDOWS\system32\ani2dvag.dll
Infected! C:\WINDOWS\system32\hrp6057se.dll
Infected! C:\WINDOWS\system32\i4lo0e33eh.dll
Infected! C:\WINDOWS\system32\h0l2la3o1d.dll
Infected! C:\WINDOWS\system32\m628lgfu1628.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP485\A0066752.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP486\A0066764.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP486\A0066791.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065633.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065641.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065558.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065560.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065575.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065591.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP487\A0066800.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP487\A0066819.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP488\A0066839.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066859.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066965.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066938.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066955.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066973.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066977.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066981.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066986.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066991.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066997.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067002.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067006.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067034.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067038.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065649.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065651.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065660.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065685.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0066693.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP482\A0066704.dll
Infected! C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP484\A0066729.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\m628lgfu1628.dll
C:\WINDOWS\system32\m628lgfu1628.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tzrmmgr.dll
C:\WINDOWS\system32\tzrmmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wzw32.dll
C:\WINDOWS\system32\wzw32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nutui2.dll
C:\WINDOWS\system32\nutui2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kddda.dll
C:\WINDOWS\system32\kddda.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ani2dvag.dll
C:\WINDOWS\system32\ani2dvag.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrp6057se.dll
C:\WINDOWS\system32\hrp6057se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\i4lo0e33eh.dll
C:\WINDOWS\system32\i4lo0e33eh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h0l2la3o1d.dll
C:\WINDOWS\system32\h0l2la3o1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m628lgfu1628.dll
C:\WINDOWS\system32\m628lgfu1628.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP485\A0066752.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP485\A0066752.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP486\A0066764.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP486\A0066764.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP486\A0066791.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP486\A0066791.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065633.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065633.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065641.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065641.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065558.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065558.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065560.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065560.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065575.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065575.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065591.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP479\A0065591.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP487\A0066800.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP487\A0066800.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP487\A0066819.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP487\A0066819.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP488\A0066839.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP488\A0066839.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066859.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066859.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066965.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066965.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066938.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066938.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066955.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066955.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066973.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066977.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066977.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066981.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066981.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066986.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066986.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066991.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066991.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066997.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0066997.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067002.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067002.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067006.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067006.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067034.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067034.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067038.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP490\A0067038.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065649.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065649.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065651.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065651.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065660.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065660.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065685.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0065685.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0066693.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP480\A0066693.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP482\A0066704.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP482\A0066704.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP484\A0066729.dll
C:\System Volume Information\_restore{0FA33391-01AA-4BA6-9FB2-A256E79081ED}\RP484\A0066729.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D3E857FE-C0AD-4665-B6DB-4466509D8956}"
HKCR\Clsid\{D3E857FE-C0AD-4665-B6DB-4466509D8956}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9C6BB52A-632E-4A90-83B3-7D22DEE6C147}"
HKCR\Clsid\{9C6BB52A-632E-4A90-83B3-7D22DEE6C147}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7800728F-F827-4FFF-AD4D-641C41E5BBC5}"
HKCR\Clsid\{7800728F-F827-4FFF-AD4D-641C41E5BBC5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{09FC5D26-14EE-4AF3-BDC4-008A9FBA0A0E}"
HKCR\Clsid\{09FC5D26-14EE-4AF3-BDC4-008A9FBA0A0E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BFD6DABD-AA7E-4990-9BB6-31623A9BC4B2}"
HKCR\Clsid\{BFD6DABD-AA7E-4990-9BB6-31623A9BC4B2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{090B5958-BF95-4209-9C51-2D26B6807D1C}"
HKCR\Clsid\{090B5958-BF95-4209-9C51-2D26B6807D1C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{25704142-98C8-44D3-A782-A14EAC2DE121}"
HKCR\Clsid\{25704142-98C8-44D3-A782-A14EAC2DE121}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{666723EE-392B-4D77-BFC7-9A63EB9BFCD7}"
HKCR\Clsid\{666723EE-392B-4D77-BFC7-9A63EB9BFCD7}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



Logfile of HijackThis v1.99.1
Scan saved at 15:44:27, on 20/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4FBAAC2-A27F-4444-9E0B-A34179CA122D}: NameServer = 212.150.48.169,206.49.94.134
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

When my computer turned on I got an error message about winlogon.exe. Is it OK?

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:23 PM

Posted 20 May 2006 - 01:21 PM

Your log looks pretty good, but it is unusual not to show any O4 lines. Those are programs that start up automatically. Some programs you want to do that, like your antivirus for example.

Have you fixed some of those lines yourself with Hijackthis? Or are you controlling your startup items with msconfig?

What does the error message say exactly?
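The two checks raised in this thread, the suspicious O20 Winlogon Notify entry in post #1 and the observation in post #4 that a HijackThis log with no O4 lines at all is unusual, can be automated over a saved log. The Python script below is an added example written for this page; it is not code from BleepingComputer, HijackThis or Look2Me-Destroyer. The sample log lines are constructed after the logs posted above, the baseline set of Winlogon Notify subkeys is an assumption based on a stock Windows XP SP2 install and should be compared against a known-clean machine, and the random-name heuristic is only a rough indicator (it would not catch a name like tzrmmgr.dll from the Look2Me-Destroyer log above, which is why the baseline comparison, not the heuristic, is the primary check).

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 line format, modelled on the logs in
# this thread. The WebCheck line is the entry the thread identifies as the
# problem; the crypt32chain line is constructed to show a baseline entry passing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\m628lgfu1628.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Assumed baseline: Winlogon\Notify subkeys found on a stock Windows XP SP2
# install. Verify against a known-clean reference machine before relying on it.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HijackThis line shapes as they appear in the logs above.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(stem: str) -> bool:
    """Rough heuristic: several digits interleaved with letters, as in m628lgfu1628."""
    s = stem.lower()
    digits = sum(c.isdigit() for c in s)
    transitions = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    return digits >= 3 and transitions >= 2


def dll_stem(path: str) -> str:
    """Return the file name without directory or extension."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def analyze(log_text: str):
    """Return (findings, o4_count) for one HijackThis log."""
    findings = []
    o4_count = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            name = m.group("name").strip()
            dll = m.group("dll").strip()
            # Primary check: any Notify subkey outside the baseline is reported.
            if name.lower() not in BASELINE_NOTIFY:
                reason = "Winlogon Notify subkey not in baseline"
                # Secondary indicator only; absence of a hit proves nothing.
                if looks_random(dll_stem(dll)):
                    reason += "; DLL name looks machine-generated"
                findings.append(Finding(line, reason))
            continue
        if O4_RE.match(line):
            o4_count += 1
    return findings, o4_count


def startup_note(o4_count: int) -> str:
    """Mirror the point in post #4: a log with no O4 lines at all is unusual."""
    if o4_count == 0:
        return ("no O4 (auto-start) lines: check whether items were fixed in "
                "HijackThis or disabled in msconfig before trusting the log")
    return ""


if __name__ == "__main__":
    found, n_o4 = analyze(SAMPLE_LOG)
    for f in found:
        print(f"FLAG: {f.line}\n      {f.reason}")
    print(startup_note(n_o4) or f"{n_o4} O4 line(s) present")
```

Run it against a saved log by passing the file's contents to analyze(); on the first log in this thread it reports the WebCheck entry and counts one O4 line, and on the second log it reports nothing and returns the no-O4 note.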

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:23 PM

Posted 06 June 2006 - 09:06 AM

This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.