9ringtone.com popups

smunson · 05-19-2005, 08:09 PM

Hello team,

My computer is having problems with the following popup ads:

9ringtone.com/mx/index.php
paypopup.com/adsDirect.php
spotresults.com (I don't have the full address on this one)

This computer is in the office of a church, and there are three of us that share it, so I'm not sure how it got infected, since we normally only visit our church-related websites, but apparently someone went where they shouldn't have

First I tried various anti-adware programs such as ad-aware, spybot, and etrust pest patrol, along with AVG anti-virus. They all found and removed various files, but did not get rid of the problem. Also Mcafee anti-virus found adware.look2me, but could not remove it. I followed removal procedures that I found at pchell.com, and now the virus scans don't find it, but the problem continues. Then I found your site, I followed all the instructions for tweaking ad-aware and ran it again, and did the online virus scan, but they didn't find anything new.

Anyway, here is the "new" log using the HijackThis analyzer:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 01:52:23 p.m., on 19/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://Intranet/CGIRSearch/query.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LDS Church
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://Intranet
O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
O15 - Trusted Zone: http://library.lds.org
O15 - Trusted Zone: http://customer-connection.peoplesoft.com
O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://library.lds.org (HKLM)
O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116521297869
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/belrio...2.cab?fgiocv=1
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lvp4097qe.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Any suggestions or help that you can provide will be greatly appreciated. Thanks in advance

MicroBell · 05-20-2005, 12:42 AM

Hi and Welcome to TSF

Well...you still have the VX2 Look2me thats still present.

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

I also need to know if you added these sites to your "Trusted Zone"??

O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
O15 - Trusted Zone: http://library.lds.org
O15 - Trusted Zone: http://customer-connection.peoplesoft.com
O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://library.lds.org (HKLM)
O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)

smunson · 05-20-2005, 08:44 AM

First of all, I want to thank you for your quick reply, very impressive!

Ok, I installed the vx2 add on cleaner for ad-aware and ran the scan again, but it still only found a few cookies. Then I ran spybot with the updates again and it found and removed look2me.topconverting, nictechnetworks.zestyfind, and web trends live. Next I ran cwshredder and it found and removed vx2.look2me. I also ran the trend micro online virus scan again (with auto-clean), and it said that there were no viruses. I then ran l2mfix.bat, here is the log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\MEXICOTAMPICOMISSION\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\MEXICOTAMPICOMISSION\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\MEXICOTAMPICOMISSION\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 976 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\fpp0037me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir8ol5l31.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k444lehq1h4e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wpnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xjlehlp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\fpp0037me.dll
Successfully Deleted: C:\WINDOWS\system32\fpp0037me.dll
deleting: C:\WINDOWS\system32\ir8ol5l31.dll
Successfully Deleted: C:\WINDOWS\system32\ir8ol5l31.dll
deleting: C:\WINDOWS\system32\k444lehq1h4e.dll
Successfully Deleted: C:\WINDOWS\system32\k444lehq1h4e.dll
deleting: C:\WINDOWS\system32\mgutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mgutilse.dll
deleting: C:\WINDOWS\system32\wpnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wpnbrand.dll
deleting: C:\WINDOWS\system32\xjlehlp.dll
Successfully Deleted: C:\WINDOWS\system32\xjlehlp.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: fpp0037me.dll (164 bytes security) (deflated 4%)
adding: ir8ol5l31.dll (164 bytes security) (deflated 5%)
adding: k444lehq1h4e.dll (164 bytes security) (deflated 4%)
adding: mgutilse.dll (164 bytes security) (deflated 5%)
adding: wpnbrand.dll (164 bytes security) (deflated 5%)
adding: xjlehlp.dll (164 bytes security) (deflated 4%)
adding: guard.tmp (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 78%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 72%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 58%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: fpp0037me.dll
deleting local copy: ir8ol5l31.dll
deleting local copy: k444lehq1h4e.dll
deleting local copy: mgutilse.dll
deleting local copy: wpnbrand.dll
deleting local copy: xjlehlp.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\fpp0037me.dll
C:\WINDOWS\system32\ir8ol5l31.dll
C:\WINDOWS\system32\k444lehq1h4e.dll
C:\WINDOWS\system32\mgutilse.dll
C:\WINDOWS\system32\wpnbrand.dll
C:\WINDOWS\system32\xjlehlp.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

And finally, here is the new log from hijackthis:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 09:21:51 a.m., on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe
C:\Program Files\AClient\Bin\XCDiffCache.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://Intranet/CGIRSearch/query.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LDS Church
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ldsglobal.net;*.lds.org;*.ldschurch.org;*.providentliving.org;*.mormon.org;*.ldsces.org;*.dmba.com;10.*;192.168.*;<local>
O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe
O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://Intranet
O15 - Trusted Zone: http://library.lds.org
O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://library.lds.org (HKLM)
O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116521297869
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/belrio...2.cab?fgiocv=1
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

End of KRC HijackThis Analyzer Log.
====================================================================

As far as the Trusted Zone websites, the following are ones that I recognize and use:
O15 - Trusted Zone: http://library.lds.org
O15 - Trusted Zone: http://library.lds.org (HKLM)

The following are ones that we probably added (deseretbook.net is a website from the church, but I haven't used it):
O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET
O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM)
O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM)

The following I don't recognize, I'm not sure what they are:
O15 - Trusted Zone: http://customer-connection.peoplesoft.com
O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM)

I just got done doing all this, so I'm still not sure if the popups are completely gone, though up to now nothing has come up! Thanks again for your quick reply and all the help!

greyknight17 · 05-20-2005, 08:53 AM

That's perfect

Surf around a little and see if anything comes up.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

smunson · 06-01-2005, 01:04 PM

Hello again,

I just wanted to tell you all thanks. The computer is back to normal, and I was very impressed with the quick advice and help. Thanks a million!!

05-19-2005, 08:09 PM	#1 (permalink)
smunson Registered User Join Date: May 2005 Posts: 3 OS: Windows XP	9ringtone.com popups Hello team, My computer is having problems with the following popup ads: 9ringtone.com/mx/index.php paypopup.com/adsDirect.php spotresults.com (I don't have the full address on this one) This computer is in the office of a church, and there are three of us that share it, so I'm not sure how it got infected, since we normally only visit our church-related websites, but apparently someone went where they shouldn't have First I tried various anti-adware programs such as ad-aware, spybot, and etrust pest patrol, along with AVG anti-virus. They all found and removed various files, but did not get rid of the problem. Also Mcafee anti-virus found adware.look2me, but could not remove it. I followed removal procedures that I found at pchell.com, and now the virus scans don't find it, but the problem continues. Then I found your site, I followed all the instructions for tweaking ad-aware and ran it again, and did the online virus scan, but they didn't find anything new. Anyway, here is the "new" log using the HijackThis analyzer: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 01:52:23 p.m., on 19/05/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe C:\Program Files\Novell\ZENworks\nalntsrv.exe C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe C:\Program Files\Novell\ZENworks\wm.exe C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://Intranet/CGIRSearch/query.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LDS Church R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .ldsglobal.net;.lds.org;.ldschurch.org;.providentliving.org;.mormon.org;.ldsces.org;.dmba.com;10.;192.168.*;<local> O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll O14 - IERESET.INF: START_PAGE_URL=http://Intranet O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET O15 - Trusted Zone: http://library.lds.org O15 - Trusted Zone: http://customer-connection.peoplesoft.com O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://library.lds.org (HKLM) O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116521297869 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/belrio...2.cab?fgiocv=1 O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\lvp4097qe.dll O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe End of KRC HijackThis Analyzer Log. ==================================================================== Any suggestions or help that you can provide will be greatly appreciated. Thanks in advance

05-20-2005, 12:42 AM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Hi and Welcome to TSF Well...you still have the VX2 Look2me thats still present. Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log….. If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so. Download L2mfix from one of these two locations: http://www.atribune.org/downloads/l2mfix.exe http://www.downloads.subratam.org/l2mfix.exe Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log. IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! I also need to know if you added these sites to your "Trusted Zone"?? O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET O15 - Trusted Zone: http://library.lds.org O15 - Trusted Zone: http://customer-connection.peoplesoft.com O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://library.lds.org (HKLM) O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM) __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

05-20-2005, 08:53 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	That's perfect Surf around a little and see if anything comes up. Your log is clean. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore. Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

05-20-2005, 08:44 AM	#3 (permalink)
smunson Registered User Join Date: May 2005 Posts: 3 OS: Windows XP	First of all, I want to thank you for your quick reply, very impressive! Ok, I installed the vx2 add on cleaner for ad-aware and ran the scan again, but it still only found a few cookies. Then I ran spybot with the updates again and it found and removed look2me.topconverting, nictechnetworks.zestyfind, and web trends live. Next I ran cwshredder and it found and removed vx2.look2me. I also ran the trend micro online virus scan again (with auto-clean), and it said that there were no viruses. I then ran l2mfix.bat, here is the log: L2Mfix 1.03 Running From: C:\Documents and Settings\MEXICOTAMPICOMISSION\Desktop\l2mfix RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Read BUILTIN\Power Users (ID-IO) ALLOW Read BUILTIN\Power Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Setting registry permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Denying C(CI) access for predefined group "Administrators" - adding new ACCESS DENY entry Registry Permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (CI) DENY --C------- BUILTIN\Administrators (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Read BUILTIN\Power Users (ID-IO) ALLOW Read BUILTIN\Power Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Setting up for Reboot Starting Reboot! C:\Documents and Settings\MEXICOTAMPICOMISSION\Desktop\l2mfix System Rebooted! Running From: C:\Documents and Settings\MEXICOTAMPICOMISSION\Desktop\l2mfix killing explorer and rundll32.exe Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 976 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Error, Cannot find a process with an image name of rundll32.exe Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Backing Up: C:\WINDOWS\system32\fpp0037me.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\ir8ol5l31.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\k444lehq1h4e.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\mgutilse.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\wpnbrand.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\xjlehlp.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\guard.tmp 1 file(s) copied. deleting: C:\WINDOWS\system32\fpp0037me.dll Successfully Deleted: C:\WINDOWS\system32\fpp0037me.dll deleting: C:\WINDOWS\system32\ir8ol5l31.dll Successfully Deleted: C:\WINDOWS\system32\ir8ol5l31.dll deleting: C:\WINDOWS\system32\k444lehq1h4e.dll Successfully Deleted: C:\WINDOWS\system32\k444lehq1h4e.dll deleting: C:\WINDOWS\system32\mgutilse.dll Successfully Deleted: C:\WINDOWS\system32\mgutilse.dll deleting: C:\WINDOWS\system32\wpnbrand.dll Successfully Deleted: C:\WINDOWS\system32\wpnbrand.dll deleting: C:\WINDOWS\system32\xjlehlp.dll Successfully Deleted: C:\WINDOWS\system32\xjlehlp.dll deleting: C:\WINDOWS\system32\guard.tmp Successfully Deleted: C:\WINDOWS\system32\guard.tmp Zipping up files for submission: adding: fpp0037me.dll (164 bytes security) (deflated 4%) adding: ir8ol5l31.dll (164 bytes security) (deflated 5%) adding: k444lehq1h4e.dll (164 bytes security) (deflated 4%) adding: mgutilse.dll (164 bytes security) (deflated 5%) adding: wpnbrand.dll (164 bytes security) (deflated 5%) adding: xjlehlp.dll (164 bytes security) (deflated 4%) adding: guard.tmp (164 bytes security) (deflated 4%) adding: clear.reg (164 bytes security) (deflated 2%) adding: echo.reg (164 bytes security) (deflated 10%) adding: direct.txt (164 bytes security) (stored 0%) adding: lo2.txt (164 bytes security) (deflated 78%) adding: readme.txt (164 bytes security) (deflated 49%) adding: test.txt (164 bytes security) (deflated 72%) adding: test2.txt (164 bytes security) (stored 0%) adding: test3.txt (164 bytes security) (stored 0%) adding: test5.txt (164 bytes security) (stored 0%) adding: xfind.txt (164 bytes security) (deflated 58%) adding: backregs/shell.reg (164 bytes security) (deflated 74%) Restoring Registry Permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Revoking access for predefined group "Administrators" Inherited ACE can not be revoked here! Inherited ACE can not be revoked here! Registry permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Read BUILTIN\Power Users (ID-IO) ALLOW Read BUILTIN\Power Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful deleting local copy: fpp0037me.dll deleting local copy: ir8ol5l31.dll deleting local copy: k444lehq1h4e.dll deleting local copy: mgutilse.dll deleting local copy: wpnbrand.dll deleting local copy: xjlehlp.dll deleting local copy: guard.tmp The following Is the Current Export of the Winlogon notify key: ************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] "Asynchronous"=dword:00000000 "DllName"="" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" The following are the files found: ************************************************************************ C:\WINDOWS\system32\fpp0037me.dll C:\WINDOWS\system32\ir8ol5l31.dll C:\WINDOWS\system32\k444lehq1h4e.dll C:\WINDOWS\system32\mgutilse.dll C:\WINDOWS\system32\wpnbrand.dll C:\WINDOWS\system32\xjlehlp.dll C:\WINDOWS\system32\guard.tmp Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. ************************************************************************ REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" ************************************************************************ Desktop.ini Contents: ************************************************************************ ************************************************************************ And finally, here is the new log from hijackthis: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs Security Programs Detected** C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 09:21:51 a.m., on 20/05/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe C:\Program Files\Novell\ZENworks\nalntsrv.exe C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe C:\Program Files\Novell\ZENworks\wm.exe C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe C:\Program Files\AClient\Bin\XCDiffCache.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://Intranet/CGIRSearch/query.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LDS Church R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:\program files\internet explorer\custom\desktop.ins R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .ldsglobal.net;.lds.org;.ldschurch.org;.providentliving.org;.mormon.org;.ldsces.org;.dmba.com;10.;192.168.*;<local> O4 - HKLM\..\Run: [Afaria Client File Differencing] C:\Program Files\AClient\Bin\XCDiffCache.exe O4 - Global Startup: Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll O14 - IERESET.INF: START_PAGE_URL=http://Intranet O15 - Trusted Zone: http://library.lds.org O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://library.lds.org (HKLM) O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116521297869 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/belrio...2.cab?fgiocv=1 O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe End of KRC HijackThis Analyzer Log. ==================================================================== As far as the Trusted Zone websites, the following are ones that I recognize and use: O15 - Trusted Zone: http://library.lds.org O15 - Trusted Zone: http://library.lds.org (HKLM) The following are ones that we probably added (deseretbook.net is a website from the church, but I haven't used it): O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET O15 - Trusted Zone: http://M5F8EDAZ5E3BZ3Z2.GL.DESERETBOOK.NET (HKLM) O15 - Trusted Zone: http://w12345678.gl.DESERETBOOK.NET (HKLM) The following I don't recognize, I'm not sure what they are: O15 - Trusted Zone: http://customer-connection.peoplesoft.com O15 - Trusted Zone: http://customer-connection.peoplesoft.com (HKLM) I just got done doing all this, so I'm still not sure if the popups are completely gone, though up to now nothing has come up! Thanks again for your quick reply and all the help!

06-01-2005, 01:04 PM	#5 (permalink)
smunson Registered User Join Date: May 2005 Posts: 3 OS: Windows XP	Hello again, I just wanted to tell you all thanks. The computer is back to normal, and I was very impressed with the quick advice and help. Thanks a million!!