|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
|
|
LinkBack | Thread Tools |
06-19-2005, 01:37 PM
|
#1 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 8
OS: XP
|
ezula and loadingwebsite.com
I'm having lots of terrible problems with adware. I've had lots of popups for loadingwebsite.com and various other popups for spyware and adware removal. In addition, various programs continue to install themselves (such as virtual bouncer) and icons for online sites appear on my desktop. I can delete and uninstall them, but they eventually come back!
I've run spybot and ad-aware several times. They do find things (mostly ezula stuff), but removing them doesn't seem to help. I'm also running symantec virus scanner and it is constantly finding stuff for ezula and something called QoolAid (the file it finds is kapmjn.exe, for which I cannot find any info online). Below is my HijackThis log. By the way, I am running all of this in safe mode. I appreciate any assistance! Logfile of HijackThis v1.99.1 Scan saved at 2:35:05 PM, on 6/19/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\kapmjn.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Administrator\n20050308.EXE O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteami32.exe O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kapmjn.exe reg_run O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [fA0FRjMFj] isi0_32.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100977434301 O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\cymaddin.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-20-2005, 01:01 AM
|
#2 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,422
OS: N/A
|
Hi and Welcome to TSF!
Here's what you can do.... Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription. In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox. After reviewing your log I found a few items that requires our attention. I just want to warn you up front that you've multiple infections here & we have a big fight ahead. So, please be prepared for this to take a couple of rounds. There's a fair bit of work to do & I require your assistance & patience. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me. Enable the viewing of Hidden files Windows XP/2000 Go to My Computer > Tools > Folder Options > View tab & ensure that the following are enabled;
~~~~~~~~~~~~~~~ Download ETRemover_v130.zip & UNZIP the contents into a folder on Desktop.
Download & install CleanUp!. We'll run it later Download KillBox v2.0.0.175 & save to desktop Download rkfiles.zip and unzip the contents to a new folder on your desktop. Download the remv3.zip at http://forums.skads.org/index.php?showtopic=80 (look for the attachment to download). Make a new folder on the root drive C:\ and unzip remv3.zip files into it. ~~~~~~~~~~~~~~~ Reboot to Safe Mode
~~~~~~~~~~~~~~~ Run ETRemover_v130.exe, then click the "Kill Elite Toolbar" button and wait until it finishes its work. * Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware! ~~~~~~~~~~~~~~~ Go into HijackThis > Config > Misc.Tools > Open process manager. Select the following and click "Kill process"” for each one. Some entries may no longer exist. You must kill them one at a time. C:\WINDOWS\system32\kapmjn.exe ~~~~~~~~~~~~~~~ Go to Windows Control Panel > Add/Remove Programs and uninstall the following programs: AFA Internet Enhancement ~~~~~~~~~~~~~~~ Close all other windows & Run HiJackThis and click "Scan", then check(tick) the following, if present: O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Administrator\n20050308.EXE O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteami32.exe O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kapmjn.exe reg_run O4 - HKCU\..\Run: [fA0FRjMFj] isi0_32.exe O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\cymaddin.dll Click "Fix checked" for HJT to fix them ~~~~~~~~~~~~~~~ Using KillBox Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\system32\PSof1.exe C:\WINDOWS\system32\exp.exe C:\WINDOWS\system32\wintask.exe C:\WINDOWS\cfgmgr52.dll,DllRun C:\WINDOWS\VCMnet11.exe C:\Documents and Settings\Administrator\n20050308.EXE C:\WINDOWS\system32\vidctrl\vidctrl.exe c:\windows\system32\eliteami32.exe C:\WINDOWS\system32\kapmjn.exe reg_run C:\WINDOWS\system32\cymaddin.dll
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again. ~~~~~~~~~~~~~~~ Search for & delete ... using "Start>Search..." the following file(s), if present:
~~~~~~~~~~~~~~~ Run CleanUp!...Click "Yes" when asked to logoff. Reboot your computer into Safe Mode AGAIN ~~~~~~~~~~~~~~~ Double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt. Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt **Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t. Post the contents of both the log.txt and log1.txt in your next post ~~~~~~~~~~~~~~~ Reboot to Normal Mode. Run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. In your next post, please include:
__________________
Question - what have you done for the community today? |
|
|
|
|
06-20-2005, 07:50 PM
|
#3 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 8
OS: XP
|
I have completed every step. It is worth noting that in addition to still receiving pop-ups, I'm getting an error after logging on. The error is from RUNDLL and the message is " An exception occurred while trying to run ""C:\WINDOWS\system32\wCssl.dll",DllGetVersion" "
Here are the logs you asked for. Also note that bad1.txt was blank. Thank you very much! ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:43:16 PM, on 6/20/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Sygate\SSA\smc.exe C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100977434301 O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\en6ul1j91.dll O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe End of KRC HijackThis Analyzer Log. ==================================================================== C:\Documents and Settings\Administrator\Desktop\RKfiles PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 Files Found in all users startup Folder............ ------------------------ Files Found in all users windows Folder............ ------------------------ C:\WINDOWS\icont.exe: UPX! Finished bye The batch is run from -- C:\remv3 Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C has no label. Volume Serial Number is 7BA8-BD8C Directory of C:\WINDOWS\system32 msi.dll Finished |
|
|
|
|
06-20-2005, 09:24 PM
|
#4 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
Greetings,
Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot): C:\WINDOWS\system32\en6ul1j91.dll Now, find that dll in your system 32 folder and delete it. Reboot. Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool. Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3) 1. Save it to a folder. 2. Reboot into Safe Mode. 3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything. 4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane. 5. In the Virus Log Information Pane...... Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file *Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files. Once you copy that to a Notepad file...highlight the text and copy it here. |
|
|
|
|
06-21-2005, 06:00 PM
|
#5 (permalink) |
|
Registered User
Join Date: Jun 2005
Posts: 8
OS: XP
|
I looked for C:\WINDOWS\system32\en6ul1j91.dll but it wasn't there. I still had Killbox do its thing. Here's the log from mwav. I cleared the quarantines but for some reason a quarantined virus still showed up from Symantec.
Thank you as always! File C:\WINDOWS\system32\guard.tmp tagged as "not-a-virus:AdWare.Look2Me.ab". Action Taken: No Action Taken. File C:\WINDOWS\system32\guard.tmp tagged as "not-a-virus:AdWare.Look2Me.ab". Action Taken: No Action Taken. Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\DS3.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\DS3.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{1bdd1c37-7b13-790c-8266-422470b28b88}" refers to invalid object "C:\WINDOWS\inscdm\qsbgfxhind.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{1ccc1e32-5212-7e00-8569-402d78b18c82}" refers to invalid object "C:\WINDOWS\inscdm\qsbgfxhind.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{29FF67FF-8050-480f-9F30-CC41635F2F9D}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}" refers to invalid object "c:\Program Files\Fla\fla.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{6edda8cd-2906-4a90-b122-cc36b8f3de86}" refers to invalid object "C:\WINDOWS\inscdm\qsbgfxhind.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{70B51430-B6CA-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{8298d101-f992-43b7-8eca-5052d885b995}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{82993a43-5261-a844-c3dd-e86a70905372}" refers to invalid object "C:\WINDOWS\inscdm\qsbgfxhind.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{A9E69612-B80D-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{c155710a-d7f2-41e0-b5df-d8a907ac2b88}" refers to invalid object "C:\WINDOWS\system32\rksnw.dll". Action Taken: No Action Taken. Entry "HKCR\CLSID\{E0D79304-84BE-11CE-9641-444553540000}" refers to invalid object "D:\CD_VOL3\WINZIP\WINZIP~5\WZSHLSTB.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{E0D79305-84BE-11CE-9641-444553540000}" refers to invalid object "D:\CD_VOL3\WINZIP\WINZIP~5\WZSHLSTB.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{E0D79306-84BE-11CE-9641-444553540000}" refers to invalid object "D:\CD_VOL3\WINZIP\WINZIP~5\WZSHLSTB.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{E0D79307-84BE-11CE-9641-444553540000}" refers to invalid object "D:\CD_VOL3\WINZIP\WINZIP~5\WZSHLSTB.DLL". Action Taken: No Action Taken. Entry "HKCR\CLSID\{f612954d-3b0b-4c56-9563-227b7be624b4}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken. Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken. Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken. Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken. Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken. Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken. Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken. Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken. Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken. Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken. Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken. Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken. File C:\WINDOWS\icont.exe tagged as "not-a-virus:AdWare.AdURL.c". Action Taken: No Action Taken. File C:\WINDOWS\system32\bsva-egihsg52.exe tagged as "not-a-virus:AdWare.BookedSpace.e". Action Taken: No Action Taken. File C:\WINDOWS\system32\btnetw3_venturahot_246765.exe tagged as "not-a-virus:AdWare.ToolBar.HotSearchBar.i". Action Taken: No Action Taken. File C:\WINDOWS\system32\nsh3.dll tagged as "not-a-virus:AdWare.ToolBar.HotSearchBar.i". Action Taken: No Action Taken. File C:\WINDOWS\system32\weirdontheweb_ventura.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken. File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\XKYZB8VC\OiUninstaller[1].exe tagged as "not-a-virus:AdWare.MediaTickets.n". Action Taken: No Action Taken. File C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\avalanche.jar-452050e9-1e06afc0.zip tagged as not-a-virus:Garbage.Java.FormURLToy. No Action Taken. File C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\XKYZB8VC\OiUninstaller[1].exe tagged as "not-a-virus:AdWare.MediaTickets.n". Action Taken: No Action Taken. File C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08D80000.VBN infected by "Trojan-Downloader.Win32.Agent.jt" Virus! Action Taken: No Action Taken. File C:\WINDOWS\icont.exe tagged as "not-a-virus:AdWare.AdURL.c". Action Taken: No Action Taken. File C:\WINDOWS\system32\bsva-egihsg52.exe tagged as "not-a-virus:AdWare.BookedSpace.e". Action Taken: No Action Taken. File C:\WINDOWS\system32\btnetw3_venturahot_246765.exe tagged as "not-a-virus:AdWare.ToolBar.HotSearchBar.i". Action Taken: No Action Taken. File C:\WINDOWS\system32\nsh3.dll tagged as "not-a-virus:AdWare.ToolBar.HotSearchBar.i". Action Taken: No Action Taken. File C:\WINDOWS\system32\weirdontheweb_ventura.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken. |
|
|
|
|
06-21-2005, 11:49 PM
|
#6 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7
  |
You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe http://www.downloads.subratam.org/l2mfix.exe Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log and another mwav log. IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
   Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
