Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Toolbar888


  • This topic is locked This topic is locked
5 replies to this topic

#1 orangecrush

orangecrush

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 June 2006 - 09:55 AM

Hi,
I have a laptop with Mcafee and spybot (spybot installed later), I probably unknowingly installed Freeprodtb. The pc since then has been infected by the following:

1)Vundo (Ran FixVundo, but still present as per Mcafee)
2)7FaSSt (Spybot cannot clean this)
3) BookedSpace (Spybot cannot clean this)
4)CoolWWWSearch (Spybot clears it but it re-appears)
5)MaxSearch (Spybot clears it but it re-appears)
6)Pacimedia (Spybot clears it but it re-appears)
7)Zeno (Spybot clears it but it re-appears)

6)A icon has been installed in the system tray and it throws up an annoying pop-up very regularly "Your pc is in Danger. Windows Security Tool has detected spywares........ " something to that effect


The following are the problems I am facing
1) My pc has slowed down
2) I cannot shutdown / logoff, have to use the power button
3) Deluge of Pop-ups that escape the pop-up blocker
4) I am not able to uninstall ToolBar888 using the Control Panel>Add / Remove
5) Spybot does not run on windows startup
6) I am not able to boot in safe mode for some reason, have a IBM thinkpad T42
Here is the Hijackthis log below, please help/advise asap, have had 3 days of agony with this.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:49:13 PM, on 6/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\update\updmangr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\dfndra.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\53eeb483.exe
C:\WINDOWS\cfg32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\ADMINI~1.IBM\MYDOCU~1\FNTS~1\JVAW~1.EXE
C:\PROGRA~1\COMMON~1\uqmu\uqmum.exe
C:\Windows\xpupdate.exe
C:\Program Files\TClock\TClock.exe
C:\PROGRA~1\COMMON~1\uqmu\uqmua.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJ\new\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager Tool] C:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinmqez.exe GID003
O4 - HKLM\..\Run: [53eeb483.exe] C:\WINDOWS\System32\53eeb483.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [utasvc] rundll32.exe C:\WINDOWS\System32\utasvc.dll,start
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Uahe] "C:\WINDOWS\System32\SKS~1\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Advistp] C:\DOCUME~1\ADMINI~1.IBM\MYDOCU~1\FNTS~1\JVAW~1.EXE
O4 - HKCU\..\Run: [uqmu] C:\PROGRA~1\COMMON~1\uqmu\uqmum.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [53eeb483.exe] C:\Documents and Settings\Administrator.IBM-9FC219063D1\Local Settings\Application Data\53eeb483.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinmqez.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: awvsp - awvsp.dll (file missing)
O20 - Winlogon Notify: byxvs - byxvs.dll (file missing)
O20 - Winlogon Notify: byxvv - C:\WINDOWS\System32\byxvv.dll (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\kydth0.dll
O20 - Winlogon Notify: qopno - qopno.dll (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\Twawbrkr.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe

BC AdBot (Login to Remove)

 


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:40 PM

Posted 23 June 2006 - 10:33 AM

Welcome aboard.. :thumbsup:

Please download Look2Me-Destroyer to your desktop.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt in your next reply..
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Then:

Please download FixAbwiz.exe to your desktop:
  • Please reboot into Safe Mode.
  • Double-click FixAbwiz.exe and let it run.
  • When the tool is ready, it will produce a log.
  • Reboot into normal Windows and post back with that log aswell as a fresh HijackThis log along with the contents of C:\Look2Me-Destroyer.txt. :flowers:

Hi there, stranger!

#3 orangecrush

orangecrush
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 June 2006 - 01:32 PM

Hi Rawe,
I followed the instructions with both Look2me and FixAbwiz including the safe mode boot.
The pop-ups seem to have stopped but still have ToolBar888 installed and the icon "Windows Security Alert" is still in the systray.
Also Mcafee on-access demand showed couple of files infected by Vundo (deleted) & GenericDownloader.ab
Here are the logs below, please advise.

Thanks


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/23/2006 10:48:37 PM

Infected! C:\WINDOWS\system32\kydth0.dll
Infected! C:\WINDOWS\system32\Twawbrkr.dll
Infected! C:\WINDOWS\system32\dNd8.dll
Infected! C:\WINDOWS\system32\dpcpmon.dll
Infected! C:\WINDOWS\system32\en8ul1l91.dll
Infected! C:\WINDOWS\system32\fpl2033oe.dll
Infected! C:\WINDOWS\system32\h04mlah11d4.dll
Infected! C:\WINDOWS\system32\hrls0537e.dll
Infected! C:\WINDOWS\system32\irr2l59o1.dll
Infected! C:\WINDOWS\system32\jhsh400.dll
Infected! C:\WINDOWS\system32\jt6407jqe.dll
Infected! C:\WINDOWS\system32\jt6o07j3e.dll
Infected! C:\WINDOWS\system32\k4260efseh260.dll
Infected! C:\WINDOWS\system32\kjdfa.dll
Infected! C:\WINDOWS\system32\kydth0.dll
Infected! C:\WINDOWS\system32\lv0q09d5e.dll
Infected! C:\WINDOWS\system32\lxrt.dll
Infected! C:\WINDOWS\system32\mBpi32.dll
Infected! C:\WINDOWS\system32\mrcndmgr.dll
Infected! C:\WINDOWS\system32\mwwebdvd.dll
Infected! C:\WINDOWS\system32\mzcoree.dll
Infected! C:\WINDOWS\system32\n44s0eh7eh4.dll
Infected! C:\WINDOWS\system32\rmgapi.dll
Infected! C:\WINDOWS\system32\rWstapi.dll
Infected! C:\WINDOWS\system32\s0pu0a79ed.dll
Infected! C:\WINDOWS\system32\sansapi.dll
Infected! C:\WINDOWS\system32\takwks.dll
Infected! C:\WINDOWS\system32\uynpui.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\kydth0.dll
C:\WINDOWS\system32\kydth0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dNd8.dll
C:\WINDOWS\system32\dNd8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dpcpmon.dll
C:\WINDOWS\system32\dpcpmon.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en8ul1l91.dll
C:\WINDOWS\system32\en8ul1l91.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fpl2033oe.dll
C:\WINDOWS\system32\fpl2033oe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h04mlah11d4.dll
C:\WINDOWS\system32\h04mlah11d4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrls0537e.dll
C:\WINDOWS\system32\hrls0537e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irr2l59o1.dll
C:\WINDOWS\system32\irr2l59o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jhsh400.dll
C:\WINDOWS\system32\jhsh400.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jt6407jqe.dll
C:\WINDOWS\system32\jt6407jqe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jt6o07j3e.dll
C:\WINDOWS\system32\jt6o07j3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k4260efseh260.dll
C:\WINDOWS\system32\k4260efseh260.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kjdfa.dll
C:\WINDOWS\system32\kjdfa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kydth0.dll
C:\WINDOWS\system32\kydth0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv0q09d5e.dll
C:\WINDOWS\system32\lv0q09d5e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lxrt.dll
C:\WINDOWS\system32\lxrt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mBpi32.dll
C:\WINDOWS\system32\mBpi32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mrcndmgr.dll
C:\WINDOWS\system32\mrcndmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mwwebdvd.dll
C:\WINDOWS\system32\mwwebdvd.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mzcoree.dll
C:\WINDOWS\system32\mzcoree.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n44s0eh7eh4.dll
C:\WINDOWS\system32\n44s0eh7eh4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rmgapi.dll
C:\WINDOWS\system32\rmgapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rWstapi.dll
C:\WINDOWS\system32\rWstapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s0pu0a79ed.dll
C:\WINDOWS\system32\s0pu0a79ed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sansapi.dll
C:\WINDOWS\system32\sansapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\takwks.dll
C:\WINDOWS\system32\takwks.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uynpui.dll
C:\WINDOWS\system32\uynpui.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E274DDB6-9713-49D2-863B-17BC4C41BCC6}"
HKCR\Clsid\{E274DDB6-9713-49D2-863B-17BC4C41BCC6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{76D3D614-6E57-4511-8A52-FD703C8C15BC}"
HKCR\Clsid\{76D3D614-6E57-4511-8A52-FD703C8C15BC}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
_________________________________________________________________________________________

Symantec Trojan.Abwiz.F Removal Tool 1.0.0

Trojan.Abwiz.F has not been found on your computer.
_________________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 11:53:30 PM, on 6/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\update\updmangr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\dfndra.exe
C:\WINDOWS\System32\53eeb483.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\ADMINI~1.IBM\MYDOCU~1\FNTS~1\JVAW~1.EXE
C:\PROGRA~1\COMMON~1\uqmu\uqmum.exe
C:\Windows\xpupdate.exe
C:\Program Files\TClock\TClock.exe
C:\PROGRA~1\COMMON~1\uqmu\uqmua.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\cfg32a.exe
C:\PROGRA~1\COMMON~1\uqmu\uqmul.exe
C:\HJ\new\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager Tool] C:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinmqez.exe GID003
O4 - HKLM\..\Run: [53eeb483.exe] C:\WINDOWS\System32\53eeb483.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [utasvc] rundll32.exe C:\WINDOWS\System32\utasvc.dll,start
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Uahe] "C:\WINDOWS\System32\SKS~1\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Advistp] C:\DOCUME~1\ADMINI~1.IBM\MYDOCU~1\FNTS~1\JVAW~1.EXE
O4 - HKCU\..\Run: [uqmu] C:\PROGRA~1\COMMON~1\uqmu\uqmum.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [53eeb483.exe] C:\Documents and Settings\Administrator.IBM-9FC219063D1\Local Settings\Application Data\53eeb483.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinmqez.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: awvsp - awvsp.dll (file missing)
O20 - Winlogon Notify: byxvs - byxvs.dll (file missing)
O20 - Winlogon Notify: byxvv - C:\WINDOWS\System32\byxvv.dll (file missing)
O20 - Winlogon Notify: qopno - qopno.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe

#4 orangecrush

orangecrush
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 23 June 2006 - 01:45 PM

Correction, the pop-ups are back, so is freepod. :thumbsup:

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:40 PM

Posted 23 June 2006 - 08:30 PM

Expectable, these were just starting fixes, there's a lot of stuff there. :thumbsup:

Go ahead and delete FixAbwiz.exe & Look2Me-Destroyer.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

==

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning proccess:
  • Lauch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results. :flowers:

Hi there, stranger!

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:40 PM

Posted 03 July 2006 - 10:32 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users