Old 07-27-2006, 05:43 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


ad.yieldmanager pop-ups

Hi,
I'm constantly getting pop-ups from the sources ad.yieldmanager, ad.firstsolution and ad-w-a-r-e. I've run cwshredder, spybot, ad-aware and x-clean micro yet I'm still getting them.

Please help.

Here is my HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 12:36:12, on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\m0pola731d.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

End of logfile

Thanks.
ellie_willis is offline  
Old 07-28-2006, 04:29 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If, after the reboot, the log does not open, double click on it in the l2mfix folder.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it may ask you to purchase the program; this is not necessary, we will take care of the entries manually.
  • At the end of the scan click on see report. Then click Save report
Please post that log in your next reply.

In your next post please include:
  • L2Mfix log
  • Panda Activescan Log
  • A new Hijackthis! Log
__________________
Vikesrock8411 is offline  
Old 07-31-2006, 04:07 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


Thanks very much for your reply. I have been having troubles posting all 3 logs and I think it is because the ActiveScan report is so large. I have posted the new HijackThis log and the l2mfix log anyway. Are there any particular bits of the ActiveScan you need which I can post separately?

Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 10:27:27, on 31/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\en0sl1d71.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

End of log.

L2mfix log:
L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (660)
Killing 'winlogon.exe'
winlogon.exe (732)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (1812)
Killing 'rundll32.exe'
rundll32.exe "C:\WINDOWS\system32\jPvaee.dll",DllGetVersion (1404)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\ahrace.dll
Successfully Deleted: C:\WINDOWS\system32\ahrace.dll
Deleting: C:\WINDOWS\system32\d6j02g1mg6.dll
Successfully Deleted: C:\WINDOWS\system32\d6j02g1mg6.dll
Deleting: C:\WINDOWS\system32\en0sl1d71.dll
Successfully Deleted: C:\WINDOWS\system32\en0sl1d71.dll
Deleting: C:\WINDOWS\system32\enpul1791.dll
Successfully Deleted: C:\WINDOWS\system32\enpul1791.dll
Deleting: C:\WINDOWS\system32\h6j4lg1q16.dll
Successfully Deleted: C:\WINDOWS\system32\h6j4lg1q16.dll
Deleting: C:\WINDOWS\system32\jPvaee.dll
Successfully Deleted: C:\WINDOWS\system32\jPvaee.dll
Deleting: C:\WINDOWS\system32\kvdusr.dll
Successfully Deleted: C:\WINDOWS\system32\kvdusr.dll
Deleting: C:\WINDOWS\system32\kwdit.dll
Successfully Deleted: C:\WINDOWS\system32\kwdit.dll
Deleting: C:\WINDOWS\system32\lvjq0915e.dll
Successfully Deleted: C:\WINDOWS\system32\lvjq0915e.dll
Deleting: C:\WINDOWS\system32\n48o0el3ehq.dll
Successfully Deleted: C:\WINDOWS\system32\n48o0el3ehq.dll
Deleting: C:\WINDOWS\system32\p08q0al5edq.dll
Successfully Deleted: C:\WINDOWS\system32\p08q0al5edq.dll
Deleting: C:\WINDOWS\system32\p0n80a5ued.dll
Successfully Deleted: C:\WINDOWS\system32\p0n80a5ued.dll
Deleting: C:\WINDOWS\system32\rnutetab.dll
Successfully Deleted: C:\WINDOWS\system32\rnutetab.dll
Deleting: C:\WINDOWS\system32\WoaLogon.dll
Successfully Deleted: C:\WINDOWS\system32\WoaLogon.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en0sl1d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ahrace.dll
C:\WINDOWS\system32\d6j02g1mg6.dll
C:\WINDOWS\system32\en0sl1d71.dll
C:\WINDOWS\system32\enpul1791.dll
C:\WINDOWS\system32\h6j4lg1q16.dll
C:\WINDOWS\system32\jPvaee.dll
C:\WINDOWS\system32\kvdusr.dll
C:\WINDOWS\system32\kwdit.dll
C:\WINDOWS\system32\lvjq0915e.dll
C:\WINDOWS\system32\n48o0el3ehq.dll
C:\WINDOWS\system32\p08q0al5edq.dll
C:\WINDOWS\system32\p0n80a5ued.dll
C:\WINDOWS\system32\rnutetab.dll
C:\WINDOWS\system32\WoaLogon.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}\InprocServer32]
@="C:\\WINDOWS\\system32\\kvdusr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\rnutetab.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}\InprocServer32]
@="C:\\WINDOWS\\system32\\WoaLogon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdit.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}\InprocServer32]
@="C:\\WINDOWS\\system32\\jPvaee.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A59DCF98-DE02-4D89-B9E3-3DA4F64FB7B7}"=-
"{18AAA159-962F-42F7-9B98-D54ACE49FBCC}"=-
"{3C9FC332-DC77-42D5-BB57-803F097176AA}"=-
"{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}"=-
"{D34B2FDA-BE3F-4405-9A95-1257E57535A9}"=-
"{4C796A96-89DC-4792-9647-4D0A5F90D518}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A59DCF98-DE02-4D89-B9E3-3DA4F64FB7B7}]
[-HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}]
[-HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}]
[-HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}]
[-HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}]
[-HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/ahrace.dll (164 bytes security) (deflated 4%)
adding: dlls/d6j02g1mg6.dll (164 bytes security) (deflated 5%)
adding: dlls/en0sl1d71.dll (164 bytes security) (deflated 4%)
adding: dlls/enpul1791.dll (164 bytes security) (deflated 4%)
adding: dlls/h6j4lg1q16.dll (164 bytes security) (deflated 5%)
adding: dlls/jPvaee.dll (164 bytes security) (deflated 4%)
adding: dlls/kvdusr.dll (164 bytes security) (deflated 4%)
adding: dlls/kwdit.dll (164 bytes security) (deflated 4%)
adding: dlls/lvjq0915e.dll (164 bytes security) (deflated 5%)
adding: dlls/n48o0el3ehq.dll (164 bytes security) (deflated 4%)
adding: dlls/p08q0al5edq.dll (164 bytes security) (deflated 5%)
adding: dlls/p0n80a5ued.dll (164 bytes security) (deflated 5%)
adding: dlls/rnutetab.dll (164 bytes security) (deflated 4%)
adding: dlls/WoaLogon.dll (164 bytes security) (deflated 4%)
adding: backregs/0AA8923B-C5DD-4EF1-8D7C-E9E411A70014.reg (188 bytes security) (deflated 70%)
adding: backregs/18AAA159-962F-42F7-9B98-D54ACE49FBCC.reg (188 bytes security) (deflated 70%)
adding: backregs/3C9FC332-DC77-42D5-BB57-803F097176AA.reg (188 bytes security) (deflated 70%)
adding: backregs/4C796A96-89DC-4792-9647-4D0A5F90D518.reg (188 bytes security) (deflated 70%)
adding: backregs/D34B2FDA-BE3F-4405-9A95-1257E57535A9.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 63%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

End of log.

Any help would be much appreciated. Thank you.
ellie_willis is offline  
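The reason the analyst could call this from the first log is the O20 line: a Winlogon Notify package is loaded by winlogon.exe as SYSTEM before any desktop tool runs, and Look2Me/VX2 registers one (here "ShellCompatibility") pointing at a randomly named DLL in system32, which is why user-mode cleaners kept missing it. The script below is an added example, not code from this thread or from HijackThis or L2mfix: it parses HijackThis O20 lines and the Winlogon\Notify .reg export that L2mfix prints in its log, decodes the hex(2) DllName values, and flags any notify package whose DLL is not a stock Windows XP one. The allowlist and the sample inputs are constructed from the entries visible in this thread.

```python
"""Flag non-standard Winlogon Notify packages from a HijackThis log or a
Winlogon\\Notify .reg export. Added example for this thread, not part of
HijackThis or L2mfix."""
import re

# Stock Windows XP notify DLLs, as seen in the clean subkeys of the export
# above (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy,
# SensLogn, termsrv, wlballoon). Anything else is worth a second look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
DLL_RE = re.compile(r'"DllName"=(?:"(.*)"|hex\(2\):(.*))$', re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)(?: \(file missing\))?$")


def decode_hex2(value):
    """Decode a .reg hex(2) (REG_EXPAND_SZ) value: UTF-16LE bytes as 'xx,xx,...'."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def dll_basename(path):
    """File name of a DLL path, lower-cased, tolerating .reg-style doubled backslashes."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].strip().lower()


def parse_reg_notify(reg_text):
    """Return [(subkey, dll)] for every Notify\\<subkey> in a .reg export."""
    entries, current = [], None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        # .reg wraps long hex values with a trailing backslash; rejoin them
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
        elif line.startswith("["):
            current = None          # some other key, not a notify package
        elif current:
            val = DLL_RE.match(line)
            if val:
                if val.group(1) is not None:
                    dll = val.group(1).replace("\\\\", "\\")   # unescape REG_SZ
                else:
                    dll = decode_hex2(val.group(2))             # REG_EXPAND_SZ
                entries.append((current, dll))
        i += 1
    return entries


def parse_hjt_o20(log_text):
    """Return [(subkey, dll)] for every O20 Winlogon Notify line in a HijackThis log."""
    return [(m.group(1), m.group(2)) for m in map(O20_RE.match, log_text.splitlines()) if m]


def suspicious(entries):
    """Keep only entries whose DLL is not a stock notify package."""
    return [(k, v) for k, v in entries if dll_basename(v) not in KNOWN_NOTIFY_DLLS]


# Constructed samples, trimmed from the logs posted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"DllName"="C:\\WINDOWS\\system32\\en0sl1d71.dll"
"Logon"="WinLogon"
'''

SAMPLE_HJT = r'''O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\m0pola731d.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\en0sl1d71.dll (file missing)
'''

if __name__ == "__main__":
    for source, found in (("reg export", suspicious(parse_reg_notify(SAMPLE_REG))),
                          ("HijackThis", suspicious(parse_hjt_o20(SAMPLE_HJT)))):
        for subkey, dll in found:
            print(f"[{source}] suspicious notify package {subkey!r} -> {dll}")
```

On the thread's own data this flags only ShellCompatibility, with the stock crypt32chain and cscdll packages passing; the same check applies to the notify export of any XP machine, since the allowlist is the full set of DLLs the nine built-in packages load.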
Old 07-31-2006, 06:07 AM   #4 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


I ran the ActiveScan again and found it was a lot smaller, so here is the report for it.

Incident Status Location

Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Spyware:spyware/clipgenie Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.888.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[www.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[www.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[hc2.humanclick.com/hc/32938479]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[c.enhance.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.com.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.overture.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.pacificpoker.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.xiti.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Elena\Application Data\Mozilla\Firefox\Profiles\ripw1m42.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Elena\Cookies\elena@888[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Elena\Cookies\elena@888[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elena\Cookies\elena@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Elena\Cookies\elena@adopt.hbmediapro[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Elena\Cookies\elena@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Elena\Cookies\elena@banners.searchingbooth[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Elena\Cookies\elena@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Elena\Cookies\elena@dist.belnk[2].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Elena\Cookies\elena@hc2.humanclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Elena\Cookies\elena@i.screensavers[1].txt
Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\Elena\Cookies\elena@ilead.itrack[1].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Elena\Cookies\elena@mysearch[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elena\Cookies\elena@stats1.reliablestats[1].txt
Spyware:Cookie/Mp3s Hits Not disinfected C:\Documents and Settings\Elena\Cookies\elena@www.mp3shits[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Elena\Cookies\elena@xmts[1].txt
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/ahrace.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/d6j02g1mg6.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/en0sl1d71.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/enpul1791.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/h6j4lg1q16.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/jPvaee.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/kvdusr.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/kwdit.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/lvjq0915e.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/n48o0el3ehq.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/p08q0al5edq.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/p0n80a5ued.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/rnutetab.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\backup.zip[dlls/WoaLogon.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\ahrace.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\d6j02g1mg6.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\en0sl1d71.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\enpul1791.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\h6j4lg1q16.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\jPvaee.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\kvdusr.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\kwdit.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\lvjq0915e.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\n48o0el3ehq.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\p08q0al5edq.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\p0n80a5ued.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\rnutetab.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Desktop\l2mfix\dlls\WoaLogon.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Elena\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\4C88E3A6-7630-4411-B157-570A30\067F5826-31A3-4DA7-90B0-602324
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@888[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@888[3].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@adopt.hbmediapro[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@azjmp[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@banners.searchingbooth[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@c.enhance[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@cassava[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@com[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@hc2.humanclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@i.screensavers[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@rn11[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elena\Local Settings\Temp\Cookies\elena@stats1.reliablestats[1].txt
End of report.

Thank you.
ellie_willis is offline  
Old 07-31-2006, 12:58 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Delete this file:
c:\windows\inf\biini.inf

Open Internet Explorer and click Tools->Internet Options. On the General tab click the Delete Cookies button. Click OK twice and close IE.

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\en0sl1d71.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


Post a new Hijackthis log and let me know how the PC is running please.
Vikesrock8411 is offline
Old 08-01-2006, 03:04 AM   #6 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


Hello,
Here is my new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:28, on 01/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\program files\zango\zango.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ntl\ntl Netguard\Rps.exe
C:\WINDOWS\system32\rundll32.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D67D557C462F3FC7 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Most of the pop-ups have gone, but I'm still getting a few, especially from www.errorsafe.com and http://media.fastclick.net. Other than that my pc is running smoothly.

Thank you for your help.
ellie_willis is offline  
Old 08-01-2006, 11:32 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads(make sure to save these in a permanent location)
combofix.exe-Save it to your Desktop, we will need this later.

Add/Remove Programs
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Zango

Reboot your system

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3 D67D557C462F3FC7 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

Please remember to close all other windows, including browsers then click Fix checked.


File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
c:\program files\zango


Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Vikesrock8411 is offline
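An added example (editor's code, not HijackThis and not anything the analyst posted) of the triage behind posts #5 and #7: it parses the O2/O4/O20/O23 lines of a HijackThis 1.99 log in the shape shown above into records and flags the entries the analyst had ticked, namely the orphaned Winlogon Notify DLL and the Zango BHO and Run value. The sample log lines are constructed from the thread, and both the adware word list and the "random-looking name" heuristic are the editor's assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.99 log: parse the O2/O4/O20/O23 lines into records and
flag the kinds of entries the analyst had the poster fix (the orphaned Winlogon
Notify DLL in post #5, the Zango BHO and Run value in post #7).
Added example by the editor; not HijackThis code, and the heuristics are the
editor's own assumptions, not HijackThis rules."""
import ntpath
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    section: str   # "O2", "O4", "O20", "O23"
    name: str      # BHO name, Run value name, Notify package, service name
    path: str      # file the entry loads (for O4: the image, quotes stripped)
    missing: bool  # HijackThis appended "(file missing)"
    raw: str       # the log line, which is what you tick in HijackThis


# Constructed sample in the exact shape of the logs posted above.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E3 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\en0sl1d71.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
_PARSERS = {
    # O2 - BHO: <name> - {CLSID} - <path>
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$"),
    # O4 - HKLM\..\Run: [<name>] <command>
    "O4": re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    # O20 - Winlogon Notify: <package> - <dll>
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    # O23 - Service: <name> - <company> - <path>
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$"),
}

# Constructed for this example; real triage uses a maintained adware/BHO database.
KNOWN_ADWARE_WORDS = ("zango", "look2me")


def image_of(command: str) -> str:
    """Executable part of a Run command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0] if command else ""


def looks_generated(path: str) -> bool:
    """Editor's heuristic: Look2Me-style names (en0sl1d71.dll, d6j02g1mg6.dll)
    switch between letters and digits several times, whereas nvsvc32.dll or
    rundll32.exe switch at most once."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = _LINE.match(raw)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        missing = rest.endswith("(file missing)")
        if missing:
            rest = rest[: -len("(file missing)")].rstrip()
        rx = _PARSERS.get(sec)
        o = rx.match(rest) if rx else None
        if not o:
            continue
        path = image_of(o["cmd"]) if sec == "O4" else o["path"]
        entries.append(Entry(sec, o["name"], path, missing, raw))
    return entries


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every entry worth fixing."""
    findings = []
    for e in parse_hjt(text):
        reasons = []
        if e.section == "O20" and e.missing:
            reasons.append("Winlogon Notify package whose DLL is gone: orphaned loader, remove it")
        if e.section in ("O2", "O4", "O20") and looks_generated(e.path):
            reasons.append("randomly generated file name")
        if any(w in e.raw.lower() for w in KNOWN_ADWARE_WORDS):
            reasons.append("matches a known adware name")
        if reasons:
            findings.append((e, reasons))
    return findings


def lines_to_fix(text: str) -> List[str]:
    """The exact log lines to tick in HijackThis before clicking 'Fix checked'."""
    return [e.raw for e, _ in triage(text)]


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry.raw)
        for reason in why:
            print("   ->", reason)
```

On the constructed sample the script flags exactly the three lines the analyst had ticked across the two posts and leaves the NVIDIA Run value and service alone; the name heuristic is deliberately conservative (three letter/digit switches) so that legitimate names with a trailing number such as nvsvc32 or rundll32 pass.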
Old 08-02-2006, 03:39 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


I actually deleted Zango yesterday as it was only a recent download with Bearshare and knew it looked a bit dodgy. However, I followed your steps and here is the log for ComboFix:

Start Time= 02/08/2006 10:32:17.36
Running from: C:\Documents and Settings\Elena\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-31 15:49:04 ( .D... ) "C:\Program Files\LimeWire"
2006-07-27 11:49:48 ( .D... ) "C:\Program Files\NoAdware4"
2006-07-25 16:32:06 ( .D... ) "C:\Program Files\WebWasher"
2006-07-25 13:47:34 ( .D... ) "C:\Program Files\AVI Codec Pack"
2006-07-24 15:34:48 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-24 13:16:56 ( .D... ) "C:\Program Files\Sunbelt Software"
2006-07-20 16:12:30 ( .D... ) "C:\Documents and Settings\Elena\Application Data\SafeFiles"
2006-07-18 10:25:56 ( .D... ) "C:\Documents and Settings\Elena\Application Data\ntl"
2006-07-18 10:22:20 ( .D... ) "C:\Program Files\Common Files\Command Software"
2006-07-18 10:22:16 ( .D... ) "C:\Program Files\Common Files\PestPatrol"
2006-07-17 13:05:52 ( .D... ) "C:\Program Files\Common Files\kimo"
2006-07-17 13:02:44 ( .D... ) "C:\Program Files\Common Files\{B8BF9F95-0514-1033-0830-02051302002c}"
2006-07-17 13:01:26 ( .DSH. ) "C:\Program Files\outlook"
2006-05-19 13:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 13:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 13:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2004-12-22 13:58:58 921696 ( A.... ) "C:\Program Files\WinQualifier.exe"
2004-12-13 21:23:04 457 ( A.... ) "C:\Program Files\INSTALL.LOG"
2004-10-12 21:48:44 14545 ( A.... ) "C:\Program Files\Msncolor.zip"
2003-10-24 23:26:46 55 ( A.... ) "C:\Program Files\FixWelch.log"
2003-10-24 23:21:26 55 ( A.... ) "C:\Program Files\FixBlast.log"
2003-10-24 23:02:22 176832 ( A.... ) "C:\Program Files\fixwelch.exe"
2003-10-24 23:02:04 135360 ( A.... ) "C:\Program Files\fixblast.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-30 22:06 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-27 12:20 536,399,872 C:\hiberfil.sys
2006-07-24 12:30 73,728 C:\WINDOWS\system32\asuninst.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{B8BF9F95-0514-1033-0830-02051302002c}"="\"C:\\Program Files\\Common Files\\{B8BF9F95-0514-1033-0830-02051302002c}\\Update.exe\" mc-110-12-0000140"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows Media Player\\kyzepep.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howymymyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 02/08/2006 10:32:32.01
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt


I am still getting some pop-ups but normally after I delete cookies I don't have any for a couple of hours. In Internet Options I have privacy on medium-high so I'm not sure how certain cookies are accepted and are then affecting my PC. I am now getting pop-ups from WinAntivirus as well as errorsafe.com and drivecleaner.com, if that's any help.

Thanks for all your help.
ellie_willis is offline  
Old 08-03-2006, 11:45 AM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please download the file update.zip. Unzip it to your desktop and double click on update.reg. Click Yes to merge the info into your registry.

Reboot your PC.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\Common Files\{B8BF9F95-0514-1033-0830-02051302002c}
C:\Program Files\outlook


Run a new scan with HijackThis and post the log here. Also let me know if you are still seeing pop-ups.
Vikesrock8411 is offline
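An added example (editor's code, not ComboFix and not the update.reg the analyst linked, which is not on the page) for the two loading points addressed in posts #9 and #14: it parses the "Reg Loading Points" block of a ComboFix log of that era, flags Active Desktop web components whose Source is a local HTML file rather than About:Home or a URL, flags Run values placed under the Policies\Explorer\Run key, and generates a .reg file that removes those loading points. The sample block is constructed from the log above; the detection rules and the generated .reg are the editor's assumptions.

```python
"""Parse the "Reg Loading Points" section of a ComboFix (2006-era) log and flag
two loading points the analyst removed in this thread: Active Desktop web
components whose Source is a local HTML file, and Run values under
Policies\\Explorer\\Run.  Added example by the editor; it is not ComboFix code and
not the update.reg the analyst linked.  Rules and output are editor's assumptions."""
import re
from typing import Dict, List

# Constructed sample, shaped like the "Reg Loading Points" block posted above.
SAMPLE_REPORT = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{B8BF9F95-0514-1033-0830-02051302002c}"="\"C:\\Program Files\\Common Files\\{B8BF9F95-0514-1033-0830-02051302002c}\\Update.exe\" mc-110-12-0000140"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows Media Player\\kyzepep.html"
"SubscribedURL"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,\
  03,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howymymyh.html"
"SubscribedURL"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
'''

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_QUOTED = re.compile(r'^"(?P<s>(?:[^"\\]|\\.)*)"')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_points(report: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its "name"=value pairs; dword:/hex: data is kept raw
    and hex continuation lines (no leading quote) are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in report.splitlines():
        line = line.rstrip()
        km = _KEY.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            data = vm.group("data")
            qm = _QUOTED.match(data)
            value = _unescape(qm.group("s")) if qm else data
            keys[current][_unescape(vm.group("name"))] = value
    return keys


def analyze(report: str) -> List[dict]:
    """Editor's rules: a desktop component whose Source is a local file (the
    fake-warning wallpaper trick) and anything under Policies\\Explorer\\Run."""
    findings = []
    for key, values in parse_reg_points(report).items():
        lk = key.lower()
        if "\\desktop\\components\\" in lk:
            src = values.get("Source", "")
            if src and not src.lower().startswith(("about:", "http:", "https:")):
                findings.append({"key": key, "rule": "active-desktop-local-html",
                                 "value": "Source", "evidence": src})
        elif lk.endswith("\\policies\\explorer\\run"):
            for name, cmd in values.items():
                findings.append({"key": key, "rule": "policy-run-value",
                                 "value": name, "evidence": cmd})
    return findings


def generate_fix_reg(findings: List[dict]) -> str:
    """Emit a .reg file: '[-key]' deletes a whole component key, '"name"=-'
    deletes a single Run value.  Review it before merging."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["rule"] == "active-desktop-local-html":
            lines.append(f"[-{f['key']}]")
        else:
            lines.append(f"[{f['key']}]")
            lines.append(f'"{f["value"]}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyze(SAMPLE_REPORT)
    for f in found:
        print(f"{f['rule']}: {f['key']} -> {f['evidence']}")
    print(generate_fix_reg(found))
```

Merging the generated .reg removes the loading points only: the files they point at (the two .html files and the GUID-named Common Files folder) still have to be deleted, and the desktop web items should also be unticked in Display > Desktop > Customize Desktop > Web as the analyst goes on to do in post #14, because an item still enabled there is what Active Desktop renders.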
Old 08-04-2006, 05:26 AM   #10 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


Here is my new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:53, on 04/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I am still getting the same pop-ups as I mentioned in my last post.

Thanks
ellie_willis is offline  
Old 08-04-2006, 01:09 PM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Download GMER to your desktop.
  • Right Click the Zip and Select Extract All.
  • Open GMER and Click the Tab labeled RootKit.
  • Now Click Scan, it will take a while for the scan to complete.
  • Once done, Copy the results to Notepad and post them in the next reply.

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Vikesrock8411 is offline
Old 08-04-2006, 07:15 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Kaspersky online scanner will be down until next week.
Please use this instead -

* Click here to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
  • Then click the F-Secure Online Scanner Next Generation Beta link.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.
sUBs is offline
Old 08-06-2006, 02:40 PM   #13 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


Hello. Thanks again for your quick reply.

Log from GMER:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-06 20:13:34
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

Code \SystemRoot\system32\DRIVERS\css-dvp.sys ZwClose
Code \SystemRoot\system32\DRIVERS\css-dvp.sys ZwCreateSection
Code \SystemRoot\system32\DRIVERS\css-dvp.sys ZwSetInformationFile
Code \SystemRoot\system32\DRIVERS\css-dvp.sys ZwWriteFile

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{672B6422-9049-4679-AD0C-8379A27EB35A}

---- EOF - GMER 1.0.10 ----

fsbl-20060806191445 log:
08/06/06 20:14:45 [Info]: BlackLight Engine 1.0.42 initialized
08/06/06 20:14:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/06 20:14:46 [Note]: 7019 4
08/06/06 20:14:46 [Note]: 7005 0
08/06/06 20:15:19 [Note]: 7006 0
08/06/06 20:15:19 [Note]: 7011 1532
08/06/06 20:15:19 [Note]: 7026 0
08/06/06 20:15:19 [Note]: 7026 0
08/06/06 20:15:33 [Note]: FSRAW library version 1.7.1019
08/06/06 20:20:51 [Note]: 7007 0
End of log.

Report from F-Secure:
Scanning Report
Sunday, August 06, 2006 20:42:55 - 21:36:44

Computer name: BESTMAKE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 5 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System

W32/Malware (virus)

* C:\PROGRAM FILES\NTL\BROADBAND MEDIC\BIN\DISAD.EXE

Statistics
Scanned:

* Files: 28478
* System: 4432
* Not scanned: 3

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 4
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-08-04
* F-Secure Libra: 2.4.1, 2006-08-02
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Orion: 1.2.37, 2006-08-04
* F-Secure Pegasus: 1.19.0, 2006-06-05
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics
End of report.

Thank you.
ellie_willis is offline  
Old 08-07-2006, 08:27 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete the following if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.
Vikesrock8411 is offline
Old 08-08-2006, 02:00 AM   #15 (permalink)
Registered User
 
Join Date: Jul 2006
Posts: 9
OS: WinXP


I haven't had a single pop-up for a couple of hours now. Thank you so much for all your help.
Ellie
ellie_willis is offline  
Old 08-08-2006, 01:57 PM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot S&D are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize", which helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less susceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).

Desktop Weather - A free taskbar weather program that is malware-free and resource-light.

Firefox - This is an increasingly popular alternative browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Vikesrock8411
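The post above recommends the MVPS HOSTS file without spelling out what a HOSTS entry actually does or where it falls short. The following is an added example, not code from the thread or from the MVPS project: a small Python script that parses HOSTS syntax the way the resolver reads it (comments after `#`, one address followed by one or more names per line, case-insensitive names, first matching entry wins) and reports whether a given hostname would be sinkholed. Every domain in the embedded `SAMPLE_HOSTS` text is constructed for illustration and is not a real MVPS entry; `audit`, `is_blocked`, `system_hosts_path` and the other names are this example's own.

```python
"""Audit a HOSTS file for ad/tracker sinkholing.

Added example, not code from the forum post or from the MVPS project. It
parses HOSTS-file syntax the way the resolver reads it ('#' starts a
comment, one address followed by one or more names per line, names are
case-insensitive, the first matching entry wins) and reports whether each
name of interest is blocked. The sample HOSTS text and every domain in it
are constructed for illustration and are not the real MVPS entries.
"""
import ipaddress
import os

# Addresses conventionally used by blocking HOSTS files to sinkhole a name.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample in the MVPS layout (not the real list).
SAMPLE_HOSTS = """\
# header comment, as found at the top of the default Windows file
127.0.0.1       localhost
0.0.0.0  ad.example.net          # trailing comment is ignored
0.0.0.0  Tracker.Example.ORG banners.example.org
192.168.1.20  intranet.example.com
not-an-ip  broken.example.com
0.0.0.0
"""


def parse_hosts(text):
    """Return (address, hostname) pairs in file order, skipping bad lines.

    Names are lower-cased because DNS is case-insensitive; order is kept
    because the resolver honours the first entry that matches.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:                   # need an address and a name
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:                    # malformed address: ignore line
            continue
        for name in fields[1:]:
            entries.append((address, name.lower()))
    return entries


def lookup(entries, hostname):
    """Exact, case-insensitive match, first entry wins; None if absent.

    A HOSTS file has no wildcards, so an entry for 'ad.example.net' does
    not cover 'cdn.ad.example.net'; that is the main limit of this defence.
    """
    target = hostname.lower().rstrip(".")
    for address, name in entries:
        if name == target:
            return address
    return None


def is_blocked(entries, hostname):
    """True only if the name resolves to a sinkhole address via HOSTS."""
    address = lookup(entries, hostname)
    return address is not None and address in SINKHOLE_ADDRESSES


def audit(entries, hostnames):
    """Classify each name as 'blocked', 'redirected to <ip>' or 'not in hosts'."""
    report = {}
    for hostname in hostnames:
        address = lookup(entries, hostname)
        if address is None:
            report[hostname] = "not in hosts"
        elif address in SINKHOLE_ADDRESSES:
            report[hostname] = "blocked"
        else:
            report[hostname] = "redirected to " + address
    return report


def system_hosts_path():
    """Location of the live HOSTS file on Windows, with a POSIX fallback."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    names = ["ad.example.net", "CDN.ad.example.net",
             "banners.example.org", "intranet.example.com"]
    for name, status in audit(entries, names).items():
        print(f"{name:25} {status}")
    # To audit the machine's real file instead of the sample:
    #   with open(system_hosts_path(), encoding="utf-8", errors="replace") as f:
    #       entries = parse_hosts(f.read())
```

Two things the script makes visible that the recommendation alone does not: a HOSTS entry only helps if the address is a sinkhole (a name mapped to a real address is a redirect, not a block), and matching is exact, so a blocklist entry for one ad host says nothing about its subdomains or sibling hosts. Pointing `parse_hosts` at `system_hosts_path()` lets you confirm that a downloaded list was actually installed at the path the resolver reads.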
08-09-2006, 03:56 AM   #17
Registered User (Join Date: Jul 2006, Posts: 9, OS: WinXP)

I already have many of those programs listed installed on my PC, but have downloaded a selective few to avoid future infections, so thank you for the suggestions.

I still haven't had one pop-up which is fantastic and means I can use my computer without getting really frustrated.

Thank you so much for all of your help!!!
ellie_willis
Copyright 2001 - 2009, Tech Support Forum