
Look2me Spyware


48 replies to this topic

#1 dimatt

dimatt

  • Members
  • 24 posts

Posted 06 July 2006 - 12:21 AM

Ad-aware always comes up with 'Adware.Look2Me' and a few tracking cookies every time I run a scan, even after reboot. Spybot S&D as well always comes up with 'Look2Me.Topconverting' at every scan as well as a random tracking cookie, again even after reboot.


---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:07:11 AM, on 06/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\matt\MYDOCU~1\SSTEM3~1\lsass.exe
C:\Documents and Settings\matt\Application Data\??sks\??xplore.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINNT\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,cdhcdad.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [watwxgcA] C:\WINNT\watwxgcA.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Tnea] "C:\DOCUME~1\matt\MYDOCU~1\SSTEM3~1\lsass.exe" -vt ndrv
O4 - HKCU\..\Run: [Lgk] C:\Documents and Settings\matt\Application Data\??sks\??xplore.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Background Monitor.lnk = F:\Program Files\esm2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...790/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\matt\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINNT\system32\jtr8079ue.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


---------------------------------

Thanks for any help.
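The log above carries the classic persistence points of this infection: a second program chained onto `UserInit`, `lsass.exe` running from a Documents and Settings folder, Unicode-named autoruns that HijackThis prints with `?`, an `AppInit_DLLs` entry, a Winlogon Notify package that is not part of Windows, a Trusted Zone entry, an ActiveX control sourced from a `.chm` in Temp, and a rewritten DNS domain. The following Python script is an added example written for this page, not a tool from the thread or from the HijackThis project; it triages a HijackThis 1.99.1 log for exactly those points. The Winlogon Notify allowlist (`KNOWN_NOTIFY`) and the `SYSTEM_ONLY` masquerade watchlist are assumptions drawn from a stock Windows XP install, and the sample log is constructed from lines copied out of the first post.

```python
"""Triage of a HijackThis v1.99.1 log for the persistence points seen in this thread."""
import re

# Winlogon Notify subkeys on a stock Windows XP install (assumption: a
# baseline allowlist; the "Look2Me's Log" section of the combofix output
# later in this thread enumerates the same names). Anything else is suspect.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif",
}
# Core system processes that only ever run from %SystemRoot%\system32
# (assumption: a small masquerade watchlist, extend to taste).
SYSTEM_ONLY = {"lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}

USER_PROFILE = re.compile(r"(?i)[a-z]:\\(docume~1|documents and settings)\\")
SYSTEM32 = re.compile(r"(?i)[a-z]:\\(winnt|windows)\\system32\\[^\\]+$")
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")


def check_process(path):
    """Flag a 'Running processes' line by where it runs from and what it is called."""
    name = path.rsplit("\\", 1)[-1].lower()
    out = []
    if USER_PROFILE.match(path):
        out.append(("PROC", "process running from a user profile directory", path))
    if "?" in path:
        out.append(("PROC", "non-ASCII characters in path (HijackThis prints them as '?')", path))
    if name in SYSTEM_ONLY and not SYSTEM32.match(path):
        out.append(("PROC", f"{name} outside system32 (name masquerading)", path))
    return out


def check_entry(code, body, line):
    """Flag one R/F/O entry; only the sections relevant to this infection are handled."""
    out = []
    if code == "F2" and "UserInit=" in body:
        # Only userinit.exe belongs here; anything after the comma is launched at logon.
        value = body.split("UserInit=", 1)[1]
        extra = [p.strip() for p in value.split(",")
                 if p.strip() and p.strip().rsplit("\\", 1)[-1].lower() != "userinit.exe"]
        if extra:
            out.append((code, "extra program chained to UserInit: " + ", ".join(extra), line))
    elif code == "O4" and (USER_PROFILE.search(body) or "?" in body):
        out.append((code, "autorun from a user profile directory or with a non-ASCII path", line))
    elif code == "O15":
        out.append((code, "site added to the IE Trusted Zone", line))
    elif code == "O16" and "mk:@MSITStore:" in body:
        out.append((code, "ActiveX control sourced from a local .chm file", line))
    elif code == "O17":
        out.append((code, "domain setting changed to " + body.rsplit("=", 1)[-1].strip(), line))
    elif code == "O20":
        kind, _, rest = body.partition(":")
        if kind == "AppInit_DLLs" and rest.strip():
            out.append((code, "AppInit_DLLs loads " + rest.strip() + " into every process", line))
        elif kind == "Winlogon Notify":
            name = rest.split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                out.append((code, f"unknown Winlogon Notify package '{name}'", line))
    return out


def triage(log_text):
    """Return (code, reason, line) findings for every suspicious line in a HijackThis log."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            findings.extend(check_process(line))
            continue
        m = ENTRY.match(line)
        if m:
            findings.extend(check_entry(m.group(1), m.group(2), line))
    return findings


# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\lsass.exe
C:\DOCUME~1\matt\MYDOCU~1\SSTEM3~1\lsass.exe
C:\Documents and Settings\matt\Application Data\??sks\??xplore.exe
C:\WINNT\system32\spoolsv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
F2 - REG:system.ini: UserInit=userinit.exe,cdhcdad.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Tnea] "C:\DOCUME~1\matt\MYDOCU~1\SSTEM3~1\lsass.exe" -vt ndrv
O4 - HKCU\..\Run: [Lgk] C:\Documents and Settings\matt\Application Data\??sks\??xplore.exe
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\matt\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINNT\system32\jtr8079ue.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample it reports fourteen findings, two of them for the profile-directory `lsass.exe` alone (wrong location, and a core-process name used outside system32). The script deliberately does not touch the `O23` services or the ordinary `O4` entries; a log triage is only useful when the noise stays out, so the checks are keyed to locations and keys that legitimate software almost never uses.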



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2006 - 09:11 AM

Hello, this is a nasty log :thumbsup:

It is important you don't miss a step and perform everything in the right order!!

Go to start > control panel > software > add/remove programs and uninstall next if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

Please download E2TakeOut by Rubber Ducky from here:

http://www.malwarebytes.org/E2TakeOut.zip
  • Extract the file to your Desktop
  • Double click E2TakeOut.exe
  • Click the Begin Removal button
  • Wait until the program is finished scanning
  • Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
  • Reboot your computer
  • Once your computer has rebooted E2TakeOut will open and produce a report. I need that report later.
* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

-------------------------

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from E2TakeOut
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 dimatt

dimatt
  • Topic Starter

  • Members
  • 24 posts

Posted 06 July 2006 - 04:58 PM

Hi, thank you for your fast reply! When I ran combofix.exe it said that it found the Inactive Look2Me then prepared to remove it, listed a bunch of infected files then said it couldn't find 2 registry files and it quickly rebooted. After reboot it went through the process again, and again it said it couldn't find 2 registry files (it didn't list them this time) and quickly rebooted. It kept doing this so I aborted the program after the third cycle, so I don't have a log file for it. Should I try again?


Here's the E2TakeOut log file:

E2TakeOut v1.01 [http://www.malwarebytes.org]

Removed orphaned leftovers
AppInit key reset

-------------

Here's my new HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 5:53:35 PM, on 06/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=userinit.exe,cdhcdad.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [watwxgcA] C:\WINNT\watwxgcA.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Registry Booster\RegistryBooster.exe /S
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Background Monitor.lnk = F:\Program Files\esm2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...790/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\matt\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


-------------


Again thank you for all of the help! I had no idea how nasty my log file was. Spybot & Ad-aware both said that they removed everything that you listed before the Look2Me :thumbsup:

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2006 - 05:03 PM

Strange about combofix - but I guess you are dealing with Vundo as well, which can cause this.

By the way, can you look if next folder C:\sUBs is present?
If so, zip the folder (rightclick the folder and choose 'Send To' > compressed/zipped file).
This should create a new folder called sUBs.zip.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, browse to the C:\sUBs.zip you created and click ok

Then click the Send File button below.

Then,

Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Edit, can you redownload combofix again, because it has been updated.

Edited by miekiemoes, 06 July 2006 - 05:25 PM.


#5 dimatt

dimatt
  • Topic Starter

  • Members
  • 24 posts

Posted 06 July 2006 - 05:17 PM

Thanks for the fast reply again. I got a log file this time I ran it, and it ended with a cleanup of any unnecessary files on my computer after I aborted (it still doesn't find the Look2Me registry files). Don't know if this will be of any help to you though :s

-----

Start Time= 06/07/2006 18:02:34.67
Running from: C:\Documents and Settings\matt\Desktop

------
Probably not. Shall I continue with what you posted?

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2006 - 05:19 PM

Yes, please continue with my instructions.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2006 - 05:25 PM

I edited my previous post with an extra instruction

#8 dimatt

dimatt
  • Topic Starter

  • Members
  • 24 posts

Posted 06 July 2006 - 05:33 PM

There was no folder named 'sUBs' when I searched my C drive, and no file with that name either. When I opened the VundoFix.exe it said that it would open after a minute but it has been 5-10 minutes.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2006 - 05:34 PM

Hello,

Can you redownload combofix again from the same url and try to run the updated version, that should work now. We'll use combofix as well to deal with vundo afterwards, instead of vundofix.

Edited by miekiemoes, 06 July 2006 - 05:35 PM.


#10 dimatt

dimatt
  • Topic Starter

  • Members
  • 24 posts

Posted 06 July 2006 - 05:40 PM

It worked this time but it still did not find the registry files :s

Here is the combofix log:

Start Time= 06/07/2006 18:34:41.88
Running from: C:\Documents and Settings\matt\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:



Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-06 18:29:50 74752 ( A.... ) "C:\WINNT\system32\VundoFix.exe"
2006-07-06 18:29:06 ( .D... ) "C:\Program Files\VundoFix"
2006-07-06 17:19:56 ( .D... ) "C:\Program Files\BFU"
2006-07-06 17:16:48 236723 ( ..S.R ) "C:\WINNT\system32\rasutils.dll"
2006-07-06 17:13:22 236723 ( ..S.R ) "C:\WINNT\system32\m4jule191h.dll"
2006-07-06 17:12:22 236723 ( ..S.R ) "C:\WINNT\system32\dsrgui.dll"
2006-07-06 17:10:44 236723 ( ..S.R ) "C:\WINNT\system32\j2l4lc3q1f.dll"
2006-07-06 17:03:44 236723 ( ..S.R ) "C:\WINNT\system32\wri.dll"
2006-07-06 14:39:52 236723 ( ..S.R ) "C:\WINNT\system32\ewcapi.dll"
2006-07-06 13:43:18 ( .D... ) "C:\Program Files\Wizet"
2006-07-06 13:03:08 236723 ( ..S.R ) "C:\WINNT\system32\armlib.dll"
2006-07-06 10:39:04 236723 ( ..S.R ) "C:\WINNT\system32\mv40l9hm1.dll"
2006-07-06 10:38:04 236723 ( ..S.R ) "C:\WINNT\system32\tZpi3.dll"
2006-07-06 08:34:26 236723 ( ..S.R ) "C:\WINNT\system32\e0020adoed0c0.dll"
2006-07-06 08:33:26 237218 ( ..S.R ) "C:\WINNT\system32\hrr4059qe.dll"
2006-07-06 08:33:26 236723 ( ..S.R ) "C:\WINNT\system32\SSDOCVW.DLL"
2006-07-05 13:45:34 236480 ( ..S.R ) "C:\WINNT\system32\ultheme.dll"
2006-07-05 08:45:06 236480 ( ..S.R ) "C:\WINNT\system32\pfdgen.dll"
2006-07-04 19:33:16 236480 ( ..S.R ) "C:\WINNT\system32\kpdsg.dll"
2006-07-04 17:39:44 236480 ( ..S.R ) "C:\WINNT\system32\wyw32.dll"
2006-07-04 10:07:00 236480 ( ..S.R ) "C:\WINNT\system32\ir6ul5j91.dll"
2006-07-04 07:25:48 236480 ( ..S.R ) "C:\WINNT\system32\sfecli.dll"
2006-07-04 01:15:20 234601 ( ..S.R ) "C:\WINNT\system32\lv6009jme.dll"
2006-07-04 01:13:20 234601 ( ..S.R ) "C:\WINNT\system32\LITIF12n.DLL"
2006-07-03 21:28:18 236480 ( ..S.R ) "C:\WINNT\system32\fzscomex.dll"
2006-07-03 12:07:38 236480 ( ..S.R ) "C:\WINNT\system32\muxml2r.dll"
2006-07-03 08:31:32 234601 ( ..S.R ) "C:\WINNT\system32\ovecli32.dll"
2006-07-02 11:40:22 235668 ( ..S.R ) "C:\WINNT\system32\hr4605hse.dll"
2006-07-02 11:39:22 235668 ( ..S.R ) "C:\WINNT\system32\csnsole.dll"
2006-06-30 23:42:08 ( .D... ) "C:\Documents and Settings\matt\Application Data\Google"
2006-06-30 02:50:46 ( .D... ) "C:\Documents and Settings\matt\Application Data\AdobeUM"
2006-06-30 02:46:36 877 ( A.... ) "C:\Documents and Settings\matt\Application Data\AdobeDLM.log"
2006-06-30 02:46:36 0 ( A.... ) "C:\Documents and Settings\matt\Application Data\dm.ini"
2006-06-29 13:23:06 235514 ( ..S.R ) "C:\WINNT\system32\fpju0319e.dll"
2006-06-29 12:02:40 235978 ( ..S.R ) "C:\WINNT\system32\gpl4l33q1.dll"
2006-06-28 15:32:38 ( .D... ) "C:\Documents and Settings\matt\Application Data\?ppPatch"
2006-06-27 21:37:18 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-27 13:51:16 ( .D... ) "C:\Program Files\Hijackthis"
2006-06-27 13:31:30 ( .D... ) "C:\Program Files\Google"
2006-06-27 12:22:46 24576 ( A.... ) "C:\WINNT\system32\msxml3a.dll"
2006-06-27 12:21:08 32976 ( A.... ) "C:\WINNT\system32\uninstIcn.exe"
2006-06-27 12:20:36 129649 ( A.... ) "C:\WINNT\elpp100drop.exe"
2006-06-27 12:20:32 359616 ( A.... ) "C:\WINNT\justin_bundle.exe"
2006-06-27 12:16:56 235599 ( ..S.R ) "C:\WINNT\system32\h4n0le5m1h.dll"
2006-06-26 21:01:50 ( .D... ) "C:\Documents and Settings\matt\Application Data\Á?sks"
2006-06-26 21:01:04 0 ( A.... ) "C:\Documents and Settings\matt\Application Data\internaldb41.dat"
2006-06-26 21:00:42 359634 ( A.... ) "C:\WINNT\media_motor_bundle.exe"
2006-06-21 19:44:50 115245 ( A.... ) "C:\WINNT\system32\ts_justin.exe"
2006-06-21 19:44:06 235228 ( A.... ) "C:\WINNT\system32\icon_justin.exe"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINNT\system32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINNT\system32\ts_mediamotor.exe"
2006-06-20 20:55:26 389120 ( A.... ) "C:\WINNT\system32\nodeipproc.dll"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINNT\system32\vsdatant.sys"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINNT\system32\vsdatant.sys"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINNT\system32\zlcomm.dll"
2006-06-18 17:54:26 71672 ( A.... ) "C:\WINNT\system32\zlcommdb.dll"
2006-06-18 17:54:24 100344 ( A.... ) "C:\WINNT\system32\vsxml.dll"
2006-06-18 17:54:24 59384 ( A.... ) "C:\WINNT\system32\vswmi.dll"
2006-06-18 17:54:22 440312 ( A.... ) "C:\WINNT\system32\vsutil.dll"
2006-06-18 17:54:22 71672 ( A.... ) "C:\WINNT\system32\vsregexp.dll"
2006-06-18 17:54:20 268280 ( A.... ) "C:\WINNT\system32\vspubapi.dll"
2006-06-18 17:54:20 157688 ( A.... ) "C:\WINNT\system32\vsinit.dll"
2006-06-18 17:54:20 104440 ( A.... ) "C:\WINNT\system32\vsmonapi.dll"
2006-06-18 17:54:18 83960 ( A.... ) "C:\WINNT\system32\vsdata.dll"
2006-06-18 17:54:08 796584 ( A.... ) "C:\WINNT\system32\libeay32_0.9.6l.dll"
2006-06-11 23:24:34 ( .D... ) "C:\Program Files\NCH Swift Sound"
2006-06-05 18:38:10 ( .D... ) "C:\Program Files\MSN Messenger"
2006-06-04 18:48:02 ( .D... ) "C:\Program Files\Common Files\Network Associates"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINNT\bdoscandel.exe"
2006-05-20 11:49:56 ( .D... ) "C:\Program Files\directx"
2006-05-18 23:49:46 ( .D... ) "C:\Program Files\Microsoft Works"
2006-05-18 01:13:10 ( .D... ) "C:\Documents and Settings\matt\Application Data\Free Download Manager"
2006-05-16 04:38:40 499712 ( A.... ) "C:\WINNT\system32\msvcp71.dll"
2006-05-16 04:38:40 348160 ( A.... ) "C:\WINNT\system32\msvcr71.dll"
2006-05-16 02:13:56 ( .D... ) "C:\Program Files\XoftSpy"
2006-05-15 22:59:28 ( .D... ) "C:\Program Files\Common Files\qmir"
2006-05-15 16:41:52 ( .D... ) "C:\Program Files\MSN Games"
2006-05-09 00:43:54 96560 ( A.... ) "C:\Documents and Settings\matt\Application Data\GDIPFONTCACHEV1.DAT"
2006-04-11 03:09:24 78848 ( A.... ) "C:\WINNT\system32\nscE.dll"
2004-04-05 05:08:58 21952 ( A..H. ) "C:\Program Files\folder.htt"
2004-04-05 05:08:58 271 ( ..SH. ) "C:\Program Files\desktop.ini"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-06 18:22 74,752 C:\WINNT\system32\VundoFix.exe
2006-07-06 17:16 236,723 C:\WINNT\system32\rasutils.dll
2006-07-06 17:16 236,723 C:\WINNT\system32\m4jule191h.dll
2006-07-06 17:12 236,723 C:\WINNT\system32\j2l4lc3q1f.dll
2006-07-06 17:12 236,723 C:\WINNT\system32\dsrgui.dll
2006-07-06 17:03 236,723 C:\WINNT\system32\wri.dll
2006-07-06 14:39 236,723 C:\WINNT\system32\ewcapi.dll
2006-07-06 13:03 236,723 C:\WINNT\system32\mv40l9hm1.dll
2006-07-06 13:03 236,723 C:\WINNT\system32\armlib.dll
2006-07-06 10:38 236,723 C:\WINNT\system32\tZpi3.dll
2006-07-06 10:38 236,723 C:\WINNT\system32\e0020adoed0c0.dll
2006-07-06 08:33 237,218 C:\WINNT\system32\hrr4059qe.dll
2006-07-06 08:33 236,723 C:\WINNT\system32\SSDOCVW.DLL
2006-07-05 20:07 83,960 C:\WINNT\system32\zlcomm.dll
2006-07-05 20:07 83,960 C:\WINNT\system32\vsdata.dll
2006-07-05 20:07 796,584 C:\WINNT\system32\libeay32_0.9.6l.dll
2006-07-05 20:07 71,672 C:\WINNT\system32\zlcommdb.dll
2006-07-05 20:07 71,672 C:\WINNT\system32\vsregexp.dll
2006-07-05 20:07 59,384 C:\WINNT\system32\vswmi.dll
2006-07-05 20:07 440,312 C:\WINNT\system32\vsutil.dll
2006-07-05 20:07 394,872 C:\WINNT\system32\vsdatant.sys
2006-07-05 20:07 268,280 C:\WINNT\system32\vspubapi.dll
2006-07-05 20:07 157,688 C:\WINNT\system32\vsinit.dll
2006-07-05 20:07 104,440 C:\WINNT\system32\vsmonapi.dll
2006-07-05 20:07 100,344 C:\WINNT\system32\vsxml.dll
2006-07-05 13:45 236,480 C:\WINNT\system32\ultheme.dll
2006-07-05 08:45 236,480 C:\WINNT\system32\pfdgen.dll
2006-07-04 19:33 236,480 C:\WINNT\system32\kpdsg.dll
2006-07-04 17:39 236,480 C:\WINNT\system32\wyw32.dll
2006-07-04 17:39 236,480 C:\WINNT\system32\ir6ul5j91.dll
2006-07-04 07:25 236,480 C:\WINNT\system32\sfecli.dll
2006-07-04 07:25 234,601 C:\WINNT\system32\lv6009jme.dll
2006-07-04 01:13 234,601 C:\WINNT\system32\LITIF12n.DLL
2006-07-03 21:28 236,480 C:\WINNT\system32\fzscomex.dll
2006-07-03 12:07 236,480 C:\WINNT\system32\muxml2r.dll
2006-07-03 08:31 234,601 C:\WINNT\system32\ovecli32.dll
2006-07-02 12:32 235,668 C:\WINNT\system32\hr4605hse.dll
2006-07-02 11:39 235,668 C:\WINNT\system32\csnsole.dll
2006-06-29 13:23 235,514 C:\WINNT\system32\fpju0319e.dll
2006-06-29 12:02 235,978 C:\WINNT\system32\gpl4l33q1.dll
2006-06-27 17:27 <DIR> C:\WINNT\McAfee.com
2006-06-27 15:25 684,032 C:\WINNT\libeay32.dll
2006-06-27 15:25 468,480 C:\WINNT\WRUninstall.dll
2006-06-27 15:25 155,648 C:\WINNT\ssleay32.dll
2006-06-27 12:22 24,576 C:\WINNT\system32\msxml3a.dll
2006-06-27 12:21 32,976 C:\WINNT\system32\uninstIcn.exe
2006-06-27 12:20 359,616 C:\WINNT\justin_bundle.exe
2006-06-27 12:16 235,599 C:\WINNT\system32\h4n0le5m1h.dll
2006-06-26 21:01 129,649 C:\WINNT\elpp100drop.exe
2006-06-26 21:00 359,634 C:\WINNT\media_motor_bundle.exe
2006-06-21 19:44 235,228 C:\WINNT\system32\icon_justin.exe
2006-06-21 19:44 115,245 C:\WINNT\system32\ts_justin.exe
2006-06-21 18:38 235,228 C:\WINNT\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINNT\system32\ts_mediamotor.exe
2006-06-20 20:55 389,120 C:\WINNT\system32\nodeipproc.dll
2006-05-25 01:22 53,248 C:\WINNT\bdoscandel.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"LoadQM"="loadqm.exe"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"Logitech Utility"="Logi_MwX.Exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"zBrowser Launcher"="F:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"G:\\iTunes\\iTunesHelper.exe\""
"EPSON Stylus CX4800 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P26 \"EPSON Stylus CX4800 Series\" /O6 \"USB001\" /M \"Stylus CX4800\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"watwxgcA"="C:\\WINNT\\watwxgcA.exe"
"systemdoctor 2006 free"=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MessengerPlus2"="\"F:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\" /WinStart"
"Yahoo! Pager"="F:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Uniblue Registry Booster"="C:\\Program Files\\Registry Booster\\RegistryBooster.exe /S"
"systemdoctor 2006 free"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""
"tscuninstall"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xvrtjfb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System32:xvrtjfb"
"hkey"="HKLM"
"command"="rundll32 C:\\WINNT\\System32:xvrtjfb.dll,Init 1"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder

Completion time: 06/07/2006 18:37:22.73
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt
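The Find3M report above has a recognisable shape: dozens of DLLs in system32 that share an exact byte size (236723, 236480, 234601, ...) but carry unrelated, mostly random names, each with the System and Read-only attributes set. A small parser for that report format that clusters such files by size is a useful triage aid. This is an added example written for this page, not ComboFix output or code from the helpers in the thread; it infers the five-character attribute field order A, D, S, H, R (Archive, Directory, System, Hidden, Read-only) from the lines above rather than from any documentation, and the sample lines are copied from the log with two ZoneAlarm DLLs and a desktop.ini added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the Find3M report format: lines copied from the log
# above, plus two ZoneAlarm DLLs and a desktop.ini for contrast (same size as
# each other, but without the System+Read-only attribute pair).
SAMPLE_REPORT = r"""
2006-07-06 18:29:50 74752 ( A.... ) "C:\WINNT\system32\VundoFix.exe"
2006-07-06 18:29:06 ( .D... ) "C:\Program Files\VundoFix"
2006-07-06 17:16:48 236723 ( ..S.R ) "C:\WINNT\system32\rasutils.dll"
2006-07-06 17:13:22 236723 ( ..S.R ) "C:\WINNT\system32\m4jule191h.dll"
2006-07-06 17:12:22 236723 ( ..S.R ) "C:\WINNT\system32\dsrgui.dll"
2006-07-05 13:45:34 236480 ( ..S.R ) "C:\WINNT\system32\ultheme.dll"
2006-07-05 08:45:06 236480 ( ..S.R ) "C:\WINNT\system32\pfdgen.dll"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINNT\system32\zlcomm.dll"
2006-06-18 17:54:18 83960 ( A.... ) "C:\WINNT\system32\vsdata.dll"
2004-04-05 05:08:58 271 ( ..SH. ) "C:\Program Files\desktop.ini"
"""

# One report line: timestamp, optional size (directories have none), a
# five-character attribute field and a quoted path. The field order
# A D S H R (Archive, Directory, System, Hidden, Read-only) is inferred
# from the lines above, not taken from tool documentation.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<size>\d+)\s+)?'
    r'\(\s*(?P<attrs>[A-Z.]{5})\s*\)\s+'
    r'"(?P<path>[^"]+)"\s*$'
)


def parse_find3m(text):
    """Turn Find3M report text into a list of dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group('attrs')
        entries.append({
            'timestamp': m.group('ts'),
            'size': int(m.group('size')) if m.group('size') else None,
            'archive': attrs[0] == 'A',
            'directory': attrs[1] == 'D',
            'system': attrs[2] == 'S',
            'hidden': attrs[3] == 'H',
            'readonly': attrs[4] == 'R',
            'path': m.group('path'),
        })
    return entries


def suspicious_dll_clusters(entries, min_cluster=2):
    """Group System+Read-only DLLs under system32 by exact byte size.

    Returns {size: [paths]} for every size shared by at least `min_cluster`
    differently named files. The heuristic comes from the pattern in the log
    above (one payload dropped under many unrelated names); it is a triage
    prompt for an analyst, not a verdict.
    """
    by_size = defaultdict(list)
    for e in entries:
        if e['directory'] or e['size'] is None:
            continue
        path = e['path'].lower()
        if not (path.endswith('.dll') and '\\system32\\' in path):
            continue
        if e['system'] and e['readonly']:
            by_size[e['size']].append(e['path'])
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_cluster}


if __name__ == '__main__':
    clusters = suspicious_dll_clusters(parse_find3m(SAMPLE_REPORT))
    for size, paths in sorted(clusters.items()):
        print(f'{len(paths)} System+Read-only DLLs of {size} bytes:')
        for p in paths:
            print('   ', p)
```

Run against the full report above, the script groups the 236723-, 236480-, 234601- and 235668-byte DLLs together while leaving the ZoneAlarm files (equal sizes, but Archive-only attributes) alone; the size clustering is what makes the random names irrelevant.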

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:47 PM

Posted 06 July 2006 - 05:41 PM

Ok, can you also perform the next step in the meanwhile, while I am analysing the log?

Can you rename Hijackthis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 dimatt

dimatt
  • Topic Starter

  • Members
  • 24 posts
  • Local time:04:47 PM

Posted 06 July 2006 - 05:44 PM

New log:


Logfile of HijackThis v1.99.1
Scan saved at 6:43:38 PM, on 06/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\Analyse.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=userinit.exe,cdhcdad.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [watwxgcA] C:\WINNT\watwxgcA.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] F:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Registry Booster\RegistryBooster.exe /S
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Background Monitor.lnk = F:\Program Files\esm2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Smashing Pumpkins\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...790/mcfscan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\matt\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
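The helper's reply later in the thread picks out of this log exactly the kinds of entries that a first-pass triage can flag mechanically: an F2 Userinit value with a component besides userinit.exe, O15 Trusted Zone additions, O16 ActiveX (DPF) entries loaded from something other than an http(s) URL or from a Temp folder, and an O4 Run entry whose executable sits directly in the Windows directory. The script below is an added example written for this page (not HijackThis code and not the helper's own method); it encodes those four rules as review flags rather than verdicts, and runs them over a constructed sample made of lines copied from the log above, benign ones included.

```python
import ntpath
import re

# Constructed sample: a subset of lines copied from the HijackThis log above,
# including benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: UserInit=userinit.exe,cdhcdad.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [watwxgcA] C:\WINNT\watwxgcA.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: *.systemdoctor.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\matt\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
DPF_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<src>.*)$')
# An executable sitting directly in the Windows directory root (WINNT or WINDOWS).
WINROOT_RE = re.compile(r'^[a-z]:\\win(nt|dows)\\[^\\]+\.exe$', re.I)


def check_userinit(value):
    """Return every Userinit component that is not userinit.exe itself.

    Winlogon runs each comma-separated entry at logon; the only expected one is
    userinit.exe (bare or as a full system32 path), so anything else is worth a look.
    """
    extras = []
    for part in value.split(','):
        part = part.strip().strip('"')
        if part and ntpath.basename(part).lower() != 'userinit.exe':
            extras.append(part)
    return extras


def first_exe(cmd):
    """Pull the program out of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_hijackthis(text):
    """Return (section, detail) review flags for a HijackThis log, in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('F2 - ') and 'UserInit=' in line:
            value = line.split('UserInit=', 1)[1]
            for extra in check_userinit(value):
                findings.append(('F2', f'extra Userinit component: {extra}'))
        elif line.startswith('O15 - Trusted Zone:'):
            # Sites in the Trusted Zone run with relaxed IE security; a home PC
            # rarely needs any, so every entry is listed for review.
            findings.append(('O15', line.split(':', 1)[1].strip()))
        elif line.startswith('O16 - DPF:'):
            m = DPF_RE.match(line)
            src = m.group('src') if m else line
            low = src.lower()
            # ActiveX installed from a local .chm, file: or Temp path rather than
            # a web URL is the pattern seen in the log above.
            if not low.startswith(('http://', 'https://')) or '\\temp\\' in low:
                findings.append(('O16', src))
        elif line.startswith('O4 - '):
            m = RUN_RE.match(line)
            if m:
                exe = first_exe(m.group('cmd'))
                # Weak signal: legitimate programs seldom install into the Windows
                # root or Temp, but some drivers do, so an analyst decides.
                if WINROOT_RE.match(exe) or '\\temp\\' in exe.lower():
                    findings.append(('O4', f'[{m.group("name")}] {exe}'))
    return findings


if __name__ == '__main__':
    for section, detail in triage_hijackthis(SAMPLE_LOG):
        print(f'{section}: {detail}')
```

On the sample the script flags cdhcdad.exe, watwxgcA.exe, the systemdoctor.com Trusted Zone entry and the mk:@MSITStore CAB, and leaves the SoundMan, ZoneAlarm and ewido lines alone. The Windows-root rule is deliberately weak: SOUNDMAN.EXE on this machine also lives in C:\WINNT and escapes only because its Run entry carries no path, which is exactly why such flags are prompts for a human and not a deletion list.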

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:47 PM

Posted 06 July 2006 - 05:47 PM

Looks like Vundo isn't present after all...
Ok, give me a few minutes to analyse your log and post new instructions.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:47 PM

Posted 06 July 2006 - 05:58 PM

Please perform my next steps in the right order...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: UserInit=userinit.exe,cdhcdad.exe
O4 - HKLM\..\Run: [watwxgcA] C:\WINNT\watwxgcA.exe
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\matt\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the next files and folders (be careful here!! Don't delete similar-looking files with only one letter of difference!!):

C:\WINNT\system32\rasutils.dll
C:\WINNT\system32\m4jule191h.dll
C:\WINNT\system32\dsrgui.dll
C:\WINNT\system32\j2l4lc3q1f.dll
C:\WINNT\system32\wri.dll
C:\WINNT\system32\ewcapi.dll
C:\WINNT\system32\armlib.dll
C:\WINNT\system32\mv40l9hm1.dll
C:\WINNT\system32\tZpi3.dll
C:\WINNT\system32\e0020adoed0c0.dll
C:\WINNT\system32\hrr4059qe.dll
C:\WINNT\system32\SSDOCVW.DLL
C:\WINNT\system32\ultheme.dll
C:\WINNT\system32\pfdgen.dll
C:\WINNT\system32\kpdsg.dll
C:\WINNT\system32\wyw32.dll
C:\WINNT\system32\ir6ul5j91.dll
C:\WINNT\system32\sfecli.dll
C:\WINNT\system32\lv6009jme.dll
C:\WINNT\system32\LITIF12n.DLL
C:\WINNT\system32\fzscomex.dll
C:\WINNT\system32\muxml2r.dll
C:\WINNT\system32\ovecli32.dll
C:\WINNT\system32\hr4605hse.dll
C:\WINNT\system32\csnsole.dll
C:\WINNT\system32\fpju0319e.dll
C:\WINNT\system32\gpl4l33q1.dll
C:\Documents and Settings\matt\Application Data\?ppPatch <== folder, will most probably look like AppPatch. Don't delete the AppPatch folder present in your Windows folder!!
C:\WINNT\system32\uninstIcn.exe
C:\WINNT\elpp100drop.exe
C:\WINNT\justin_bundle.exe
C:\WINNT\system32\h4n0le5m1h.dll
C:\Documents and Settings\matt\Application Data\Á?sks <== folder
C:\Documents and Settings\matt\Application Data\internaldb41.dat
C:\WINNT\media_motor_bundle.exe
C:\WINNT\system32\ts_justin.exe
C:\WINNT\system32\icon_justin.exe
C:\WINNT\system32\icon_mediamotor.exe
C:\WINNT\system32\ts_mediamotor.exe
C:\WINNT\system32\nodeipproc.dll

Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xvrtjfb]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.
In case you are still unsure how to create a reg file, take a look here with screenshots.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new HijackThis log and a new log from ComboFix (rerun ComboFix after you have performed the Panda scan).

Edited by miekiemoes, 06 July 2006 - 06:01 PM.


#15 dimatt

dimatt
  • Topic Starter

  • Members
  • 24 posts
  • Local time:04:47 PM

Posted 06 July 2006 - 06:13 PM

I can't delete any of these dlls. I keep getting

"Cannot delete " ": Access is denied
Make sure the disk is not full or write-protected
and that the file is not currently in use"



