Old 08-09-2005, 05:08 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 48
OS: XP


I Think my Computer is Possessed...

I'm once again (through no fault of my own) experiencing some spyware problems, mainly from this Winfixer 2005 crap. I downloaded a really good pop-up blocker/antispyware program, which seems to be keeping them at bay.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:25 PM, on 8/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesea...=11719768&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesea...=11719768&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=14...tive_id=209716
R3 - Default URLSearchHook is missing
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 68.94.156.1 68.94.156.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ivpeers.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Also, every once in a while, I get this Command Prompt window opened, and all these little numbers and symbols scroll down. My hard drive makes this loud beeping noise. At the top of the window, it says it's from WINDOWS\TEMP\b.com. I feel like something's VERY wrong, or my computer's about to explode or something.

Please help at all costs. Thanks in advance.

~ RS
Old 08-09-2005, 11:41 PM   #2 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled by right clicking on My Computer and going to Properties->System Restore, then looking at the box for Turn OFF System Restore and making sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.


Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and save it as I will ask for it later.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Once you're done running the L2mfix tool, proceed below.


Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...d=11719768&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...d=11719768&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=1...ative_id=209716
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ivpeers.dll



C:\WINDOWS\ttupt.exe <--delete that file

C:\WINDOWS\system32\ivpeers.dll <--delete that file

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back in normal Windows, post the following logs.

Hijackthis
Ewido Scan log
L2mfix log



IMPORTANT!:

Quote:
From the information contained in your log header I can see you don't have the latest service pack and security updates installed for your operating system.

Please visit Microsoft's Windows Update page and install the latest service packs, patches and security updates for your system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system.

So please apply those updates BEFORE posting your next log. It's this forum's policy to stop the cleaning process until these basic updates are done. If in the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP, therefore if you cannot update XP to SP1 we must stop the cleaning process here.

Thank you for your consideration
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
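The fix list in the reply above comes from reading each HijackThis line against what is normal on an XP machine: search and start pages redirected to an unknown domain, a missing URLSearchHook, an executable auto-running straight out of C:\WINDOWS, rundll32 loading a DLL by bare name, and a Winlogon Notify DLL nobody recognises. The following Python is an added example, not code from the post, from HijackThis or from the forum; it encodes those judgements as rules and runs them over a constructed excerpt that mixes lines from the two logs in this thread. The allowlists of trusted domains and known Winlogon Notify DLLs are assumptions kept deliberately small for the example; a real analyst works from a much larger reference list.

```python
"""Rule-based triage of HijackThis v1.99.1 log lines (added example, not HJT's own code)."""
import re
from urllib.parse import urlparse

# Constructed excerpt: lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesea...=11719768&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=14...tive_id=209716
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ivpeers.dll
"""

# Assumed allowlists, kept small for the example. Real triage uses a curated database.
TRUSTED_URL_DOMAINS = {"yahoo.com", "microsoft.com", "msn.com", "google.com"}
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: \S+ - (?P<dll>.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|pif|dll))", re.I)


def registrable_domain(url):
    """Crude eTLD+1: the last two host labels (enough for the .com/.net hosts in these logs)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_autorun(cmd):
    """Return a reason string if a Run-key command looks like malware, else None."""
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32", "rundll32.exe"):
        dll = tokens[1].split(",")[0] if len(tokens) > 1 else ""
        if "\\" not in dll:
            return f"rundll32 loads {dll} by bare name; legitimate Run entries give a full path"
        return None
    target = cmd.lstrip('"').split('"')[0]      # quoted path, or the whole command
    m = EXE_RE.match(target)
    if not m:
        return None
    folder = m.group(1).rsplit("\\", 1)[0].lower() if "\\" in m.group(1) else ""
    if folder in WINDOWS_ROOTS:
        return "executable auto-runs from the Windows root; installed software almost never lives there"
    return None


def triage(log_text):
    """Return [(code, reason, original line)] for entries an analyst would put on the fix list."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body, reason = m.group("code"), m.group("body"), None
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.lower().startswith("http") and registrable_domain(value) not in TRUSTED_URL_DOMAINS:
                reason = f"{key.rsplit(',', 1)[-1]} points at untrusted domain {registrable_domain(value)}"
        elif code == "R3" and "is missing" in body:
            reason = "URLSearchHook removed (search hijackers do this); fixing lets HJT restore the default"
        elif code == "O4":
            o4 = O4_RE.match(body)
            reason = check_autorun(o4.group("cmd")) if o4 else None
        elif code == "O20":
            o20 = O20_RE.match(body)
            if o20 and o20.group("dll").rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                reason = ("unknown Winlogon Notify DLL: loaded by winlogon.exe before logon, "
                          "so it cannot be deleted from a normal session")
        if reason:
            findings.append((code, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

Run against the excerpt it flags exactly the six entries the reply asks to fix (the two shopnav lines, the revenue.net ShellNext, the missing URLSearchHook, ttupt.exe and the ivpeers.dll Notify entry) plus the AUNPS2 rundll32 entry that only appears in the second log, and leaves igfxtray, CFD.exe and Yahoo! Pager alone. The O20 rule is the one that explains the rest of the procedure: a Notify DLL is mapped into winlogon.exe before any user logs on, which is why the reply sends the user into Safe Mode and through L2mfix rather than just asking for the file to be deleted.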
Old 08-10-2005, 08:14 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 48
OS: XP


I've run all the scanning programs (including Norton AntiVirus, just for good measure). I've deleted every file you asked to be deleted (though I was having some trouble deleting ivpeers.dll, but it's gone now).

Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:03 AM, on 8/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Soulseek\slsk.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 68.94.156.1 68.94.156.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Now, here's the Ewido scan log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:43:43 AM, 8/10/2005
+ Report-Checksum: 83C023B9

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKU\S-1-5-21-861567501-287218729-682003330-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-861567501-287218729-682003330-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-861567501-287218729-682003330-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-861567501-287218729-682003330-1003\Software\VB and VBA Program Settings\VBouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-861567501-287218729-682003330-1003\Software\VB and VBA Program Settings\VBouncer\Settings -> Spyware.VirtualBouncer : Cleaned with backup
[200] C:\WINDOWS\system32\ivpeers.dll -> Spyware.Look2Me : Error during cleaning
[604] C:\WINDOWS\system32\Ardiodev.dll -> Spyware.Look2Me : Error during cleaning
[732] C:\WINDOWS\system32\Ardiodev.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@a.tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sel.as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\f7096500.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\f7160453.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe -> TrojanDownloader.Qoologic.x : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1B8AB8CC-9EC9-4C0D-90E6-D7FF6F\224981FD-17B5-4C0A-81B2-F89157 -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1EE98714-AA0D-4B5A-99A1-9ECF4C\394EA2BC-3094-423B-BA23-CE0F7D -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\258E8B18-8249-4DE6-8B9A-CFC84C\451AE335-C7AA-43A0-8E9C-1DC258 -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\60520D7C-D910-4DE5-90C5-A58E3A\F164F9E6-7B7D-4AB8-989A-CB3FF5 -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67E9D368-8E95-4FC3-B45B-F76468\9F3B76D6-FBE4-4716-B0C6-AD1818 -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67E9D368-8E95-4FC3-B45B-F76468\EA29A04F-E8F8-4597-9B7C-C04610 -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\940A052A-4933-4608-89B7-E8C865\2D0A1EBA-7499-4B68-BB25-741E39 -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\940A052A-4933-4608-89B7-E8C865\3F5E34A1-0EC4-4294-A209-FCD692 -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\940A052A-4933-4608-89B7-E8C865\4F1BE9B1-EC37-4060-90F7-5DA44C -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\940A052A-4933-4608-89B7-E8C865\587EAC0E-B23D-402A-B91D-F94BA7 -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\940A052A-4933-4608-89B7-E8C865\B418F01C-81CC-42E7-8057-B10856 -> TrojanDownloader.Qoologic.x : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\95C7D919-2A9F-4A2A-8EFD-9DE634\553C73C8-D66D-4EAD-9079-78C6FA -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A74568C4-9A2B-4D41-8B04-E75C37\2DA98826-2ECB-484C-ACD0-9C8090 -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B6118D1C-14BC-4257-A2C3-91DDEC\3B5D3426-D760-4E6E-95D4-31C4EA -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B9A224F5-FD40-4A4B-A77F-FCA33A\C67AC357-AD8A-4625-BE66-9994AB -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BDBD9DD3-3F64-4F70-8440-A4060B\24588CA6-B6DD-4D08-AB81-5BA550 -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EB0D6EEE-3BB9-473A-BBF5-9ED070\4CE55B96-7AAB-4B4F-A983-04925A -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{1208FA70-A115-46B7-B334-C01845488230} -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{16B7F9BC-2BAA-4DB1-8CD1-6F265719548D} -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{17D8BFC8-BE44-43BC-AE2F-F4787C254E34} -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{18DA677A-0B6D-4DE6-9E7E-B662DCA9B1BF} -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{1CB4DAA6-0A4A-4EF2-833D-C8B30EFC9636} -> Spyware.PurityScan : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{25999641-E626-41AB-AFC1-1339121360D2} -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{2E61AB79-ED55-42BD-9149-56606EB37FB7} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{49F6CB0D-D909-4C1B-A620-E5A8B3B6CC30} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{4BED9936-E966-4018-83D6-6B0EB79EBEA3} -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{4D9FBB06-4F69-4566-8366-B407E6567292} -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{525435E4-7B3A-4263-AC1E-8D9AC5705AA7} -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{527A0981-D8BD-4E4B-8811-C609258E6892} -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{5536666C-7A7B-4BFE-A1F3-5C1C4BBC8E00} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{564419EF-49F7-4BBB-A282-18FF04700A8E} -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{5C7937B1-158B-4C37-8085-856204001529} -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{5FA96BED-A7C1-4E9C-A64C-C6B765B5025C} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{6A9B7716-0389-48D6-9EE1-60F3FD1839DE} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{78695DEB-B289-4589-9E5B-72B99F4246AB} -> Spyware.Apropos : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{7F1DC8A7-157D-4F32-87E2-015A85E06A98} -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{93DAB806-6189-410F-9B93-A77F959CF34B} -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{A3ADAF89-765A-4129-8F42-4631FFD0F654} -> TrojanDownloader.Small.abd : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{B5828C92-E04B-41C3-BB76-7A58C651ADC7} -> Spyware.WinAD : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{B9898026-BFBF-479F-9E52-E8986129A9B3} -> Adware.eZula : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{BD808120-D401-4A2F-B027-F83F3D6B4835} -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{C0EA053A-9589-4D97-B961-DE7A14A6B324} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{C2D52590-5FCA-4806-B06D-181062A3BCF5} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{C6CB4824-EADA-4886-92BC-3455F32E5A55} -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{C70D4C61-D313-4DEE-AE8F-7B58FC5FA175} -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{CC001CFD-75A9-4B46-82F5-A251C901C5E9} -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{D15519D1-2C1E-4E32-A0B4-2ABE78DC5107} -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{DD4B8B9F-4A15-461E-9FAF-BE1C45FAC4BD} -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{E290149E-632B-4719-8FA6-F262E36FA0D8} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{ED486BCA-B899-4855-9CE7-A862FDCB2884} -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-08-2005 - 20-33-10.SBU/{F6AE2B33-1D41-45EC-BA70-8C912BCFFE6C} -> Adware.eZula : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-09-2005 - 15-38-40.SBU/{75DB7773-DCA6-4445-B390-656BF7640DED} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-09-2005 - 15-38-40.SBU/{BD824EA2-3534-4A28-9A87-6F78C938F7CC} -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\Quarantine\Quarantine - 08-09-2005 - 15-38-40.SBU/{F7B88362-92E9-449C-8105-1424C2A9DA2B} -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\dm16gt.dLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kfdhe220.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\Temp\f6302125.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup


::Report End

Finally, the L2mfix log:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'
Killing PID 1212 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1308 'rundll32.exe'
Killing PID 1484 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\Ardiodev.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Ardiodev.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ivpeers.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ivpeers.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhwebdvd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhwebdvd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\satupapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\satupapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\Ardiodev.dll
Successfully Deleted: C:\WINDOWS\system32\Ardiodev.dll
deleting: C:\WINDOWS\system32\Ardiodev.dll
Successfully Deleted: C:\WINDOWS\system32\Ardiodev.dll
deleting: C:\WINDOWS\system32\ivpeers.dll
Successfully Deleted: C:\WINDOWS\system32\ivpeers.dll
deleting: C:\WINDOWS\system32\ivpeers.dll
Successfully Deleted: C:\WINDOWS\system32\ivpeers.dll
deleting: C:\WINDOWS\system32\mhwebdvd.dll
Successfully Deleted: C:\WINDOWS\system32\mhwebdvd.dll
deleting: C:\WINDOWS\system32\mhwebdvd.dll
Successfully Deleted: C:\WINDOWS\system32\mhwebdvd.dll
deleting: C:\WINDOWS\system32\satupapi.dll
Successfully Deleted: C:\WINDOWS\system32\satupapi.dll
deleting: C:\WINDOWS\system32\satupapi.dll
Successfully Deleted: C:\WINDOWS\system32\satupapi.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: Ardiodev.dll (164 bytes security) (deflated 48%)
adding: ivpeers.dll (164 bytes security) (deflated 48%)
adding: mhwebdvd.dll (164 bytes security) (deflated 48%)
adding: satupapi.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 60%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 81%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 80%)
adding: test2.txt (164 bytes security) (deflated 41%)
adding: test3.txt (164 bytes security) (deflated 41%)
adding: test5.txt (164 bytes security) (deflated 41%)
adding: xfind.txt (164 bytes security) (deflated 76%)
adding: backregs/0BAB64F8-42E9-4A93-9E59-EE561B737C2E.reg (164 bytes security) (deflated 70%)
adding: backregs/76EA84C9-AFAD-4DAF-83EA-E8805F6EE628.reg (164 bytes security) (deflated 70%)
adding: backregs/78087447-7378-4278-83C5-EE965CA2C081.reg (164 bytes security) (deflated 70%)
adding: backregs/A3FF3FCE-3BA2-4159-843E-46ECB556CD87.reg (164 bytes security) (deflated 70%)
adding: backregs/B63DA57A-A02C-4E53-A790-2F2B807CA2A3.reg (164 bytes security) (deflated 70%)
adding: backregs/DA118914-4EDC-4F0E-A418-1F0C5B557AF2.reg (164 bytes security) (deflated 70%)
adding: backregs/DAD13296-4463-415B-900F-8B2106E4B6DD.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: Ardiodev.dll
deleting local copy: Ardiodev.dll
deleting local copy: ivpeers.dll
deleting local copy: ivpeers.dll
deleting local copy: mhwebdvd.dll
deleting local copy: mhwebdvd.dll
deleting local copy: satupapi.dll
deleting local copy: satupapi.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\Ardiodev.dll
C:\WINDOWS\system32\Ardiodev.dll
C:\WINDOWS\system32\ivpeers.dll
C:\WINDOWS\system32\ivpeers.dll
C:\WINDOWS\system32\mhwebdvd.dll
C:\WINDOWS\system32\mhwebdvd.dll
C:\WINDOWS\system32\satupapi.dll
C:\WINDOWS\system32\satupapi.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A3FF3FCE-3BA2-4159-843E-46ECB556CD87}"=-
"{DA118914-4EDC-4F0E-A418-1F0C5B557AF2}"=-
"{DAD13296-4463-415B-900F-8B2106E4B6DD}"=-
"{78087447-7378-4278-83C5-EE965CA2C081}"=-
"{0BAB64F8-42E9-4A93-9E59-EE561B737C2E}"=-
"{76EA84C9-AFAD-4DAF-83EA-E8805F6EE628}"=-
"{B63DA57A-A02C-4E53-A790-2F2B807CA2A3}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A3FF3FCE-3BA2-4159-843E-46ECB556CD87}]
[-HKEY_CLASSES_ROOT\CLSID\{DA118914-4EDC-4F0E-A418-1F0C5B557AF2}]
[-HKEY_CLASSES_ROOT\CLSID\{DAD13296-4463-415B-900F-8B2106E4B6DD}]
[-HKEY_CLASSES_ROOT\CLSID\{78087447-7378-4278-83C5-EE965CA2C081}]
[-HKEY_CLASSES_ROOT\CLSID\{0BAB64F8-42E9-4A93-9E59-EE561B737C2E}]
[-HKEY_CLASSES_ROOT\CLSID\{76EA84C9-AFAD-4DAF-83EA-E8805F6EE628}]
[-HKEY_CLASSES_ROOT\CLSID\{B63DA57A-A02C-4E53-A790-2F2B807CA2A3}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


~ RS

Last edited by Remote Saxon; 08-10-2005 at 08:17 AM.
Old 08-10-2005, 08:57 AM   #4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,492
OS: N/A


Pursuant to MicroBell's post...

Please visit WindowsUpdate & install All Critical Updates (except SP2).

When you have done that, reboot your computer & post a fresh Hijackthis log.

Thank you.
__________________

Question - what have you done for the community today?
Old 08-10-2005, 10:17 AM   #5
Registered User
 
Join Date: Mar 2005
Posts: 48
OS: XP


I believe everything is updated, so here's another new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:02 AM, on 8/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 68.94.156.1 68.94.156.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~ RS
Old 08-10-2005, 11:45 AM   #6
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Quote:
I believe everything is updated, so here's another new HijackThis log:

Platform: Windows XP (WinNT 5.01.2600)
I disagree.

We need to get Service Pack 1 installed along with the Critical Updates required to keep you from getting re-infected. If you don't get the service packs, you're wasting everybody's time.

Try again please. In Internet Explorer:

Quote:
Your operating system is outdated. You're susceptible to infections that may otherwise be prevented on a properly updated system. Please visit the Windows Update site and install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities.
Old 08-10-2005, 12:24 PM   #7
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,492
OS: N/A


You can get the Service Pack directly from here.

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
__________________

Question - what have you done for the community today?
Old 08-10-2005, 02:33 PM   #8
Registered User
 
Join Date: Mar 2005
Posts: 48
OS: XP


I installed the Service Pack.

I believe the command prompt window has stopped showing up from time to time; I don't know what in hell caused that.

Logfile of HijackThis v1.99.1
Scan saved at 3:28:14 PM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 68.94.156.1 151.164.11.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~ RS
Old 08-10-2005, 07:03 PM   #9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Hello,

Reboot into Safe Mode.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist:

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe


Delete the following files:

AUNPS2.DLL --Do a search for this one.
C:\WINDOWS\System32\exp.exe

Reboot into Normal Mode.

Perform an online scan with Panda ActiveScan (requires Internet Explorer):
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now'; this begins downloading Panda's ActiveX controls (8MB)
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply

Please run another scan with HijackThis and post the log here along with the results of the ActiveScan.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 08-10-2005 at 07:19 PM.
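The triage loop above (fix the flagged O4 entries, rerun HijackThis, compare the new log) can be partly automated. The following is an added example, not code from this thread or from HijackThis or L2Mfix: it parses HJT 'R/F/O' lines, diffs two logs, flags O4 entries that load a DLL through rundll32 by bare name (the [AUNPS2] pattern), and lists Winlogon Notify subkeys outside a baseline. The sample logs are excerpts of the third and fourth logs in this thread; the Notify export is constructed with a made-up subkey `sample_notify`, and the baseline is the set of subkeys in the clean export L2Mfix printed earlier.

```python
"""Added HijackThis triage helper (not from the thread or any tool it uses):
parse R/F/O lines, diff two logs, flag O4 entries that run rundll32 with a
bare DLL name, and list Winlogon Notify subkeys that are not in a baseline."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section key raw")  # tag (O4...), identity, line
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
NOTIFY_PREFIX = ("[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
# Subkeys present in the post-cleanup export in this thread (lower-cased).
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "igfxcui", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def entry_key(section, body):
    """Identity of a line without its value, so a changed value (new O17
    NameServer, new command under the same O4 name) reports as 'changed'."""
    if section == "O4" and "] " in body:
        return f"{section} {body.split('] ', 1)[0]}]"   # hive + [Run name]
    if " = " in body:
        return f"{section} {body.split(' = ', 1)[0]}"   # R0 / O17 style
    if " - " in body:
        return f"{section} {body.rsplit(' - ', 1)[0]}"  # drop trailing path
    return f"{section} {body}"


def parse_hjt(text):
    """Return {key: Entry} for every R/F/O line of a HijackThis log."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            section, body = m.groups()
            key = entry_key(section, body)
            entries[key] = Entry(section, key, line.strip())
    return entries


def diff_logs(before, after):
    """Sorted keys that disappeared, appeared, or kept their key but changed."""
    a, b = parse_hjt(before), parse_hjt(after)
    return {
        "removed": sorted(k for k in a if k not in b),
        "added": sorted(k for k in b if k not in a),
        "changed": sorted(k for k in a if k in b and a[k].raw != b[k].raw),
    }


def flag_bare_rundll(entries):
    """Keys of O4 entries running 'rundll32 <dll>,<export>' where <dll> has no
    directory: the loader resolves it through the search path, so the log
    line alone does not say which file is actually loaded."""
    flagged = []
    for e in entries.values():
        if e.section != "O4" or "] " not in e.raw:
            continue
        parts = e.raw.split("] ", 1)[1].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("rundll32", "rundll32.exe"):
            dll = parts[1].split(",", 1)[0].strip('"')
            if "\\" not in dll:
                flagged.append(e.key)
    return sorted(flagged)


def unexpected_notify(reg_export, baseline=NOTIFY_BASELINE):
    """Winlogon Notify subkey names in a .reg export that are not in baseline."""
    names = set()
    for line in reg_export.splitlines():
        line = line.strip()
        if line.lower().startswith(NOTIFY_PREFIX.lower()) and line.endswith("]"):
            names.add(line[len(NOTIFY_PREFIX):-1].lower())
    return sorted(names - baseline)


# Excerpts of the third and fourth HijackThis logs posted in this thread.
BEFORE = r"""O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 68.94.156.1 151.164.11.201
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
AFTER = r"""O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 151.164.17.201 68.94.156.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
# Constructed export: one real subkey plus a made-up one named sample_notify.
NOTIFY_EXPORT = (NOTIFY_PREFIX + 'crypt32chain]\n"Logoff"="ChainWlxLogoffEvent"\n\n'
                 + NOTIFY_PREFIX + 'sample_notify]\n"DllName"="sample_notify.dll"\n')

if __name__ == "__main__":
    for kind, keys in diff_logs(BEFORE, AFTER).items():
        print(kind, keys)
    print("bare rundll32:", flag_bare_rundll(parse_hjt(BEFORE)))
    print("unexpected notify:", unexpected_notify(NOTIFY_EXPORT))
```

The diff reports the two removed O4 entries, the new KernelFaultCheck entry and the changed O17 NameServer value, which is exactly the set of lines a helper would look at between the two posted logs.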
Old 08-11-2005, 04:36 PM   #10
Registered User
 
Join Date: Mar 2005
Posts: 48
OS: XP


I wasn't able to find the two files you wanted me to delete, though I got rid of the two extensions in HijackThis.

Here's a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:16 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.DLL
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{639977F1-9012-4BF8-B097-AE27A9EF88FC}: NameServer = 151.164.17.201 68.94.156.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here's the Activescan log:


Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\Sskcwrd.dll
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Spyware:spyware/media-motor No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[Ardiodev.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[ivpeers.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[mhwebdvd.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[satupapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip[guard.tmp]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\Process.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1B8AB8CC-9EC9-4C0D-90E6-D7FF6F\D9C97BED-0440-43DC-8E6F-792782
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1EE98714-AA0D-4B5A-99A1-9ECF4C\160D3B37-7EC6-47DE-9D27-9CEC7B
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\258E8B18-8249-4DE6-8B9A-CFC84C\15D34E21-4D44-4A38-BDAF-CD82B6
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\258E8B18-8249-4DE6-8B9A-CFC84C\F4686E6D-C0C4-477C-8EA6-D95370
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2DB1B12E-5331-4871-864C-388D7D\2E30B881-FEFF-4D63-95D0-6A8605
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2DB1B12E-5331-4871-864C-388D7D\6827C7E3-D102-4699-84D5-CA90D1
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2DB1B12E-5331-4871-864C-388D7D\83BB27F3-C35F-4C1A-83FC-487AA1
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2DB1B12E-5331-4871-864C-388D7D\E416B5A5-C385-4B85-A84D-F47684
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\60520D7C-D910-4DE5-90C5-A58E3A\710137AA-F14E-4CC4-A624-AED32C
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7E64B0C6-E89E-40F7-9E8A-4F669B\A892C2CB-B6F8-4DB2-A973-14714A
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\95C7D919-2A9F-4A2A-8EFD-9DE634\B9008B2C-8DB2-4D1C-B9D1-379EE6
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B6118D1C-14BC-4257-A2C3-91DDEC\90770117-04F4-47A8-96C2-483B99
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B9A224F5-FD40-4A4B-A77F-FCA33A\09D9DD68-0298-40AC-A8D4-31A687
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EB0D6EEE-3BB9-473A-BBF5-9ED070\9572DC85-AC1B-4533-AA73-50482B

I think I should've deleted the Quarantine folders first

How does it look thus far?

~ RS
Old 08-11-2005, 04:49 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,492
OS: N/A


Thank you for updating to SP1.

We are finished with the L2M tool. Please delete the L2Mfix folder.
Also delete the quarantined files from Microsoft AntiSpyware.

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  1. In the popup box that appears, type in C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\Sskcwrd.dll
  2. Click the Open button.
  3. Click NO when prompted to restart your computer.
  4. Repeat steps 1-2 for this file:
    C:\WINDOWS\cfgmgr52.ini
  5. Click YES when prompted to restart your computer.

With that, your system is clean.

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Clear & reset System Restore's cache
    • click Start >> Run - type SYSDM.CPL & press Enter
    • Select the System Restore Tab
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    • Then untick the same checkbox & click OK
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety
  • IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

  • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

Please remember to update Windows to Service Pack 2
__________________

Question - what have you done for the community today?
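The Internet-zone hardening in step 2 of the reply above is normally done by clicking through the Custom Level dialog; the script below is an added example (not part of the reply or of any tool it names) that audits the same six settings from the registry so the result can be checked after the fact. It assumes the numeric value names follow Microsoft's documented Internet Explorer zone-action numbering (KB 182569), which should be verified against current documentation; the `-Fix` switch is a hypothetical option that writes the reply's recommended values for the current user only.

```powershell
# Added example, not from the forum reply: audit (and optionally apply) the
# Internet Explorer "Internet" zone settings recommended in the reply.
# Assumption: value names per Microsoft's documented zone-action numbering
# (KB 182569); Zone 3 is the Internet zone. Verify before relying on this.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state taken from the reply: 0 = Enable, 1 = Prompt, 3 = Disable
$Desired = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

function Get-InternetZoneAudit {
    # Returns one object per setting with Current, Desired and Compliant fields.
    # -Fix (hypothetical option added here) writes the desired value when it differs.
    param([switch]$Fix)

    foreach ($entry in $Desired.GetEnumerator()) {
        $valueName = $entry.Key
        $props     = Get-ItemProperty -Path $ZonePath -Name $valueName -ErrorAction SilentlyContinue
        # A missing value reads as $null and is reported as non-compliant rather than assumed safe.
        $current   = if ($props) { $props.$valueName } else { $null }
        $compliant = ($null -ne $current) -and ($current -eq $entry.Value.Want)

        if (-not $compliant -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $valueName -Value $entry.Value.Want -Type DWord
            $current   = $entry.Value.Want
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $entry.Value.Name
            ValueName = $valueName
            Current   = $current
            Desired   = $entry.Value.Want
            Compliant = $compliant
        }
    }
}

# Report only; run "Get-InternetZoneAudit -Fix" to apply the recommended values.
Get-InternetZoneAudit | Format-Table -AutoSize
```

Group Policy or the HKLM copy of the zone keys can override what the user sees in the dialog, so a non-compliant row here is a prompt to check which source is setting the value, not a guarantee that the dialog change failed.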
Old 08-11-2005, 05:39 PM   #12 (permalink)
Registered User
 
Join Date: Mar 2005
Posts: 48
OS: XP


Thanks for all your help. :D

~ RS