Old 11-30-2005, 08:24 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


Pop-ups through Mozilla

I've been having a fairly large problem with pop-ups just starting this past month. I have used both Spybot and Ad-Aware multiple times with no success, in addition to the other steps mentioned on this site. I've been using Mozilla Firefox for a couple of years now and this is the first time I have ever had a problem with pop-ups. Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:31 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 67.15.36.57 iris.phoenixrising.ws
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [rdcdwn] C:\WINDOWS\system32\rdcdwn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\c000ladm1d0a.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks in advance for any help you can give me. The pop-ups are making it hard to get anything accomplished with this computer.

Last edited by d897y; 11-30-2005 at 08:26 PM.
d897y is offline  

Old 11-30-2005, 10:15 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder, double click l2mfix.bat
  • Select option #2 for Run Fix by typing 2 and then pressing enter.
Your desktop and icons will disappear as L2mfix scans/disinfects your computer.
When finished, you will be required to press any key to automatically reboot.
On reboot, Notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If, after the reboot, the log does not open, double-click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-DOS applications - you will need to visit this website to download additional files.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 12-01-2005, 05:28 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


****************************************************************************
C:\WINDOWS\system32\en24l1fq1.dll
C:\WINDOWS\system32\h4n00e5meh.dll
C:\WINDOWS\system32\ididib.dll
C:\WINDOWS\system32\kydmac.dll
C:\WINDOWS\system32\lv0m09d1e.dll
C:\WINDOWS\system32\mpobjs.dll
C:\WINDOWS\system32\nbprovau.dll
C:\WINDOWS\system32\WKNG.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{146DB0A4-9A9F-423C-9EFC-E784D12E7238}"=-
"{65E6119E-33CE-4D70-916C-19043719DDAA}"=-
[-HKEY_CLASSES_ROOT\CLSID\{146DB0A4-9A9F-423C-9EFC-E784D12E7238}]
[-HKEY_CLASSES_ROOT\CLSID\{65E6119E-33CE-4D70-916C-19043719DDAA}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Checking for L2MFix account(0=no 1=yes):
0



Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:28:03 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 67.15.36.57 iris.phoenixrising.ws
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [rdcdwn] C:\WINDOWS\system32\rdcdwn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: Uninstall RCT2 Wacky Worlds - C:\WINDOWS\system32\c000ladm1d0a.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for the quick Reply
d897y is offline  
Old 12-01-2005, 10:06 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


Your log.txt looks incomplete. Please run Option 2 once again, and post the resulting new log.txt.
tetonbob is offline  
Old 12-01-2005, 03:05 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


This one looks a little more complete to me. I just extracted it again into my Program Files, not my desktop.

L2mfix Beta 112705
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 572 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 644 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 260 'explorer.exe'
Killing PID 260 'explorer.exe'
Killing PID 260 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1536 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\c000ladm1d0a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en08l1du1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en24l1fq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h4n00e5meh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ididib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir6ml5j11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kydmac.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv0m09d1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpobjs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbprovau.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q6pslg7716.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0pu0a79ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WKNG.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\c000ladm1d0a.dll
Successfully Deleted: C:\WINDOWS\system32\c000ladm1d0a.dll
deleting: C:\WINDOWS\system32\en08l1du1.dll
Successfully Deleted: C:\WINDOWS\system32\en08l1du1.dll
deleting: C:\WINDOWS\system32\en24l1fq1.dll
Successfully Deleted: C:\WINDOWS\system32\en24l1fq1.dll
deleting: C:\WINDOWS\system32\h4n00e5meh.dll
Successfully Deleted: C:\WINDOWS\system32\h4n00e5meh.dll
deleting: C:\WINDOWS\system32\ididib.dll
Successfully Deleted: C:\WINDOWS\system32\ididib.dll
deleting: C:\WINDOWS\system32\ir6ml5j11.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ml5j11.dll
deleting: C:\WINDOWS\system32\kydmac.dll
Successfully Deleted: C:\WINDOWS\system32\kydmac.dll
deleting: C:\WINDOWS\system32\lv0m09d1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0m09d1e.dll
deleting: C:\WINDOWS\system32\mpobjs.dll
Successfully Deleted: C:\WINDOWS\system32\mpobjs.dll
deleting: C:\WINDOWS\system32\mvutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mvutilse.dll
deleting: C:\WINDOWS\system32\nbprovau.dll
Successfully Deleted: C:\WINDOWS\system32\nbprovau.dll
deleting: C:\WINDOWS\system32\q6pslg7716.dll
Successfully Deleted: C:\WINDOWS\system32\q6pslg7716.dll
deleting: C:\WINDOWS\system32\s0pu0a79ed.dll
Successfully Deleted: C:\WINDOWS\system32\s0pu0a79ed.dll
deleting: C:\WINDOWS\system32\WKNG.DLL
Successfully Deleted: C:\WINDOWS\system32\WKNG.DLL


Zipping up files for submission:
zip warning: name not matched: guard.tmp

zip error: Nothing to do! (backup.zip)
adding: Program Files/l2mfix/backregs/F604C8C8-3A84-4524-B521-3F26D1FEF0AE.reg (188 bytes security) (deflated 70%)
adding: Program Files/l2mfix/backregs/notibac.reg (188 bytes security) (deflated 87%)
adding: Program Files/l2mfix/backregs/shell.reg (188 bytes security) (deflated 74%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: c000ladm1d0a.dll
deleting local copy: en08l1du1.dll
deleting local copy: en24l1fq1.dll
deleting local copy: h4n00e5meh.dll
deleting local copy: ididib.dll
deleting local copy: ir6ml5j11.dll
deleting local copy: kydmac.dll
deleting local copy: lv0m09d1e.dll
deleting local copy: mpobjs.dll
deleting local copy: mvutilse.dll
deleting local copy: nbprovau.dll
deleting local copy: q6pslg7716.dll
deleting local copy: s0pu0a79ed.dll
deleting local copy: WKNG.DLL

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\c000ladm1d0a.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\c000ladm1d0a.dll
C:\WINDOWS\system32\en08l1du1.dll
C:\WINDOWS\system32\en24l1fq1.dll
C:\WINDOWS\system32\h4n00e5meh.dll
C:\WINDOWS\system32\ididib.dll
C:\WINDOWS\system32\ir6ml5j11.dll
C:\WINDOWS\system32\kydmac.dll
C:\WINDOWS\system32\lv0m09d1e.dll
C:\WINDOWS\system32\mpobjs.dll
C:\WINDOWS\system32\mvutilse.dll
C:\WINDOWS\system32\nbprovau.dll
C:\WINDOWS\system32\q6pslg7716.dll
C:\WINDOWS\system32\s0pu0a79ed.dll
C:\WINDOWS\system32\WKNG.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F604C8C8-3A84-4524-B521-3F26D1FEF0AE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F604C8C8-3A84-4524-B521-3F26D1FEF0AE}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/c000ladm1d0a.dll (188 bytes security) (deflated 4%)
adding: dlls/en08l1du1.dll (188 bytes security) (deflated 4%)
adding: dlls/en24l1fq1.dll (188 bytes security) (deflated 4%)
adding: dlls/h4n00e5meh.dll (188 bytes security) (deflated 4%)
adding: dlls/ididib.dll (188 bytes security) (deflated 5%)
adding: dlls/ir6ml5j11.dll (188 bytes security) (deflated 5%)
adding: dlls/kydmac.dll (188 bytes security) (deflated 5%)
adding: dlls/lv0m09d1e.dll (188 bytes security) (deflated 5%)
adding: dlls/mpobjs.dll (188 bytes security) (deflated 5%)
adding: dlls/mvutilse.dll (188 bytes security) (deflated 4%)
adding: dlls/nbprovau.dll (188 bytes security) (deflated 5%)
adding: dlls/q6pslg7716.dll (188 bytes security) (deflated 4%)
adding: dlls/s0pu0a79ed.dll (188 bytes security) (deflated 4%)
adding: dlls/WKNG.DLL (188 bytes security) (deflated 4%)



and the hijackthis log:



Logfile of HijackThis v1.99.1
Scan saved at 5:04:33 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 67.15.36.57 iris.phoenixrising.ws
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [rdcdwn] C:\WINDOWS\system32\rdcdwn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\c000ladm1d0a.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
d897y is offline  
Old 12-01-2005, 06:46 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


Way mo' betta

In addition, please do this:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run CleanUp! and let me know as we will use another utility.

Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection


Run CleanUp! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will require at least an hour.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [rdcdwn] C:\WINDOWS\system32\rdcdwn.exe
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\c000ladm1d0a.dll (file missing)


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Delete the following Files if they exist:

C:\WINDOWS\system32\rdcdwn.exe

Restart and run a new HijackThis scan. Save the log file and post it here.


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now... this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



Microsoft AntiSpyware Program:

Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as "Ignore".

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted!! I recommend you remove it.

Here are some other tools which will do the job quite well:

AdawareSE (free)
Spybot Search and Destroy (Teatimer Enabled) (free)
IESpy-Ad (free)
SpywareBlaster (free)
WinPatrol (free)
CounterSpy (free trial)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
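The three HijackThis lines tetonbob asks to fix above (a blanked R0 search value, an O4 Run entry launched from system32, and an O20 Winlogon Notify handler whose DLL is missing) are the kind of entries a triage script can pick out of a log before a human reads it. The following Python script is an added example, not a tool from this forum or from HijackThis: it parses those section prefixes plus O1, O10 and O23 from the log format shown in this thread and flags them; the allowlist of known autorun names and the sample log lines are constructed from entries quoted here.

```python
"""HijackThis v1.99 log triage (added example, not a tool from this forum or from
HijackThis). Parses the section prefixes seen in the logs above (R0/R1, O1, O4,
O10, O20, O23) and flags the patterns the helper acts on; other lines are kept
but left unflagged."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autorun value names accepted on this box (constructed allowlist for the
# example; a real triage database is far larger and keyed on file hashes too).
KNOWN_GOOD_RUN = {"ctfmon.exe", "soundman", "gcasserv"}


@dataclass
class Entry:
    section: str          # HJT section prefix, e.g. "O4"
    hive: Optional[str]   # registry hive when the line names one
    name: str             # value name, handler name, service name, hostname...
    path: str             # executable, DLL, value data or address (may be empty)
    raw: str
    owner: str = ""       # O23 only: the publisher string HJT reports
    flags: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<path>.*)$")
O10_RE = re.compile(r"LSP provider '(?P<dll>[^']+)' missing")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry; header and blank lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and (r := R_RE.match(body)):
        return Entry(sec, r["hive"], r["key"].rsplit("\\", 1)[-1], r["val"].strip(), line)
    if sec == "O1" and (o := O1_RE.match(body)):
        return Entry(sec, None, o["host"], o["ip"], line)
    if sec == "O4" and (o := O4_RE.match(body)):
        return Entry(sec, o["hive"], o["name"], o["path"].strip(), line)
    if sec == "O10" and (o := O10_RE.search(body)):
        return Entry(sec, None, o["dll"], "", line)
    if sec == "O20" and (o := O20_RE.match(body)):
        return Entry(sec, None, o["name"], o["path"].strip(), line)
    if sec == "O23" and (o := O23_RE.match(body)):
        return Entry(sec, None, o["name"], o["path"].strip(), line, owner=o["owner"])
    return Entry(sec, None, "", body, line)  # unknown shape: keep it, do not flag it


def triage(e: Entry) -> List[str]:
    """Review rules for one entry; returns the matching flag tokens."""
    low = e.path.lower()
    if e.section in ("R0", "R1") and e.path == "":
        return ["blank_ie_value"]          # search/start value emptied by a hijacker
    if e.section == "O1":
        return ["hosts_override"]          # hosts file pins a name to an address
    if e.section == "O4" and "\\system32\\" in low and e.name.lower() not in KNOWN_GOOD_RUN:
        return ["unknown_system32_autorun"]
    if e.section == "O10":
        return ["lsp_broken"]              # Winsock chain references a missing DLL
    if e.section == "O20":
        return ["winlogon_notify_missing_dll" if "(file missing)" in low
                else "winlogon_notify_custom"]
    if e.section == "O23" and e.owner.lower() == "unknown owner":
        return ["service_unknown_owner"]   # verify the service binary's publisher
    return []


def triage_log(text: str) -> List[Entry]:
    """Parse every entry line of a log and attach its flags."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            e.flags = triage(e)
            entries.append(e)
    return entries


# Sample log constructed from lines quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
O1 - Hosts: 67.15.36.57 iris.phoenixrising.ws
O4 - HKCU\..\Run: [rdcdwn] C:\WINDOWS\system32\rdcdwn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\c000ladm1d0a.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for e in (x for x in triage_log(SAMPLE_LOG) if x.flags):
        print(f"{e.section:<4} {e.name:<24} {', '.join(e.flags)}")
```

Every flag is a prompt for a human to verify the entry, not a verdict; allowlisted names that an O4 line launches from an unexpected path would still need a hash check, which this example does not do.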
Old 12-03-2005, 02:32 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


It seems that everything is fixed!! I owe you guys one, I was having a lot of troubles with this popup problem. I also ran the online scan but kept having troubles viewing the results. I don't think there is really anything else damaged that needs to be fixed so I'm not gonna worry about it.

Thanks again for your help, you guys are life savers!!
d897y is offline  
Old 12-03-2005, 03:32 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


If you would please post the HJT log and the Ewido results, we could determine if all is well. We would at that point give you final instructions and prevention tools/techniques, to help keep you clean in the future.

You had a trojan onboard, and they can often have "friends".

Another online scanner is available here:

Perform an online scan with Internet Explorer with Kaspersky Online Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
tetonbob is offline  
Old 12-03-2005, 06:46 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


Ewido Results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:52:23 AM, 12/2/2005
+ Report-Checksum: 701AFF60

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848} -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00D6A7E7-4A97-456F-848A-3B75BF7554D7} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D7E3B41-23CE-469B-BE1B-A64B877923E1} -> Spyware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0} -> Spyware.Webhancer : Cleaned with backup
HKU\S-1-5-21-1588114589-1540747887-2110669843-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
:mozilla.10:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.11:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.38:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.39:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.40:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.41:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.42:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.43:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.44:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9rps23d7.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\8040.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\system32\3.exe -> Downloader.VB.qr : Cleaned with backup
C:\WINDOWS\system32\axuninstall.exe -> Spyware.BlazeFind : Cleaned with backup
C:\WINDOWS\system32\dwn_32.dll -> Logger.Agent.gk : Cleaned with backup
C:\WINDOWS\system32\dwn_32.exe -> Logger.Agent.gk : Cleaned with backup
C:\WINDOWS\system32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\SkyAffiliate.exe -> Spyware.Pacer : Cleaned with backup


::Report End

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:45:25 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 67.15.36.57 iris.phoenixrising.ws
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 03, 2005 20:37:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/12/2005
Kaspersky Anti-Virus database records: 163139
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 110966
Number of viruses found: 41
Number of infected objects: 168
Number of suspicious objects: 0
Duration of the scan process: 5245 sec

Infected Object Name - Virus Name
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Norton AntiVirus\Quarantine\0DFF18BF.part Infected: Email-Worm.Win32.Torvil.d
C:\Program Files\Norton AntiVirus\Quarantine\26EF257F Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\32804B5F Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\3DB93437 Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\41D9223A Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\6604438E Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\66ED676D.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\67155F41.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\6725312F.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\67537CFD Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\675626FA Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\684849F0.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\68581BDE.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\687515BD.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\688667AB.eml Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\68E8533F Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\7849295E Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\7E5E2708 Infected: Net-Worm.Win32.Nimda
C:\Program Files\Norton AntiVirus\Quarantine\7F76530A Infected: Net-Worm.Win32.Nimda
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP629\A0067870.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP629\A0067870.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP629\A0067874.exe/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP629\A0067874.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP681\A0084223.exe Infected: not-a-virus:AdWare.Win32.WinAD.bl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP681\A0084224.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP681\A0084245.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP681\A0084253.exe Infected: not-a-virus:AdWare.Win32.WinAD.bl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP681\A0084254.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0084276.exe Infected: not-a-virus:AdWare.Win32.WinAD.bl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085248.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085252.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085488.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085489.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085493.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085498.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085507.exe Infected: Trojan-Downloader.Win32.Small.ayl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085524.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085526.exe/run.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085526.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085527.com Infected: Backdoor.Win32.IRCBot.gw
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085541.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085544.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085550.exe Infected: Trojan-Downloader.Win32.VB.ri
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085551.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085552.exe Infected: Trojan-Downloader.Win32.TSUpdate.o
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085573.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP682\A0085575.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085607.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085609.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085615.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085616.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085621.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085625.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085631.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085632.exe Infected: not-a-virus:AdWare.Win32.WinAD.bo
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085635.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085639.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085644.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085645.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085649.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085652.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085653.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085657.dll Infected: not-a-virus:AdWare.Win32.Relevance.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085660.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085671.exe Infected: Backdoor.Win32.SdBot.gen
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085680.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.a
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085681.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085682.exe Infected: Trojan.Win32.Zapchast
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085683.exe Infected: Trojan-Downloader.Win32.Small.afq
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085686.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP683\A0085694.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP684\A0085704.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP684\A0085710.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP684\A0085714.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP684\A0085715.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP684\A0085721.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP684\A0085725.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP685\A0085742.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP685\A0085746.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP685\A0085751.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP685\A0085757.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP685\A0085761.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085781.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085846.exe Infected: Trojan-Downloader.Win32.Small.bgl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085848.exe Infected: not-a-virus:AdWare.Win32.Wintol.s
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085849.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085851.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085855.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085880.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085881.dll Infected: not-a-virus:AdWare.Win32.Mirar.b
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085883.exe Infected: not-a-virus:AdWare.Win32.WinAD.bl
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP687\A0085908.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP687\A0085912.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP687\A0085918.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP687\A0085924.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP691\A0086042.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP691\A0086044.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP691\A0086058.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP691\A0086059.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP691\A0086078.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP691\A0086079.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP693\A0087078.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087185.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087187.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087188.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087189.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087192.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087192.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087192.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087194.exe/data0001 Infected: not-a-virus:AdWare.Win32.MDH.a
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087194.exe Infected: not-a-virus:AdWare.Win32.MDH.a
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087197.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087198.exe Infected: not-a-virus:AdWare.Win32.DealHelper.ac
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087236.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087237.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP696\A0087399.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP696\A0087401.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP697\A0087552.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP697\A0087556.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP698\A0087559.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP698\A0087563.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087589.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087593.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087618.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087622.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087626.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087632.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP700\A0087636.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087672.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087673.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087674.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087675.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087676.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087677.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087678.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087679.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087680.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087681.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087682.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087683.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087881.exe Infected: Trojan-Downloader.Win32.TSUpdate.n
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087882.exe Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087883.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087884.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087885.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087886.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087887.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087888.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087889.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087890.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087891.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087892.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087893.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087894.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087895.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0087896.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088885.exe/mrjj.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088885.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088886.exe Infected: not-a-virus:AdWare.Win32.AdURL.c
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088887.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088888.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088889.exe Infected: not-a-virus:AdWare.Win32.BlazeFind.e
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088890.dll Infected: Trojan-Spy.Win32.Agent.gk
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088891.exe Infected: Trojan.Win32.Delf.og
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088892.dll Infected: not-a-virus:AdWare.Win32.ShopAtHome.b
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP701\A0088893.exe Infected: not-a-virus:AdWare.Win32.Pacer.c
C:\WINDOWS\system32\in10b6s.dll Infected: Trojan.Win32.Revop.c

Scan process completed.
Old 12-03-2005, 10:06 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


Thanks for the logs....still a nasty or two hanging around, and they were having quite a party on your system....please be patient and follow through to the end...we'll get you fixed up!

Do you use Everyone's Internet as your ISP?

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

Please use Symantec's guide to remove the Norton Quarantine files.

Download and unzip BFUzip from http://computercops.biz/zx/Merijn/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Delete this file:

C:\WINDOWS\system32\in10b6s.dll

If it resists deletion, reboot to safe mode and delete it from there.

From normal mode, Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

Please run Kaspersky online scan once more, post the results, and also post what should be your last HJT log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
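tetonbob's reply above does the triage on the Kaspersky report: of the many detections, only C:\WINDOWS\system32\in10b6s.dll is a live file to delete by hand; everything under System Volume Information is a System Restore copy, which is why the reply starts with clearing the restore cache. The Python below is an added example, not code from the thread or from Kaspersky: it parses lines in the posted report format ("object Infected: detection") and separates live objects from restore-point copies, collapsing nested archive members onto their container. The sample report is constructed from a shortened selection of the posted entries.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky On-line Scanner report format seen in this
# thread ("<object> Infected: <detection>"); paths and names are copied from the
# posted report, the list is shortened for the example.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085781.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP686\A0085851.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087192.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087192.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f
C:\System Volume Information\_restore{EEB1894C-121B-4525-8B10-95B9D6B6AFD8}\RP695\A0087192.exe Infected: Trojan-Downloader.Win32.Keenval.f
C:\WINDOWS\system32\in10b6s.dll Infected: Trojan.Win32.Revop.c

Scan process completed.
"""

# One report line: everything before " Infected: " is the object, the rest the name.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")

# System Restore keeps copies of deleted files under _restore{GUID}\RPnnn\; these are
# inert until a restore point is applied and are cleared by resetting System Restore.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\"
)


def parse_report(text):
    """Return (object, detection) pairs for every 'Infected:' line in the report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def triage(text):
    """Separate live files (act on these now) from System Restore copies.

    Nested objects such as "x.exe/data0002" are reported once per layer by the
    scanner; they are collapsed onto the container file so each file counts once.
    """
    live, archived = {}, {}
    for path, name in parse_report(text):
        container = path.split("/", 1)[0]
        bucket = archived if RESTORE_RE.match(container) else live
        bucket.setdefault(container, name)
    restore_points = sorted(
        {RESTORE_RE.match(p).group(1) for p in archived},
        key=lambda rp: int(rp[2:]),
    )
    families = Counter(list(live.values()) + list(archived.values()))
    return {
        "live": live,
        "archived": archived,
        "restore_points": restore_points,
        "families": families,
    }


def summarize(result):
    """Render the triage as the short list a helper would post back."""
    lines = [f"{len(result['live'])} live object(s) to remove:"]
    lines += [f"  {path}  ({name})" for path, name in sorted(result["live"].items())]
    lines.append(
        f"{len(result['archived'])} object(s) in restore points "
        f"{', '.join(result['restore_points'])}: clear System Restore instead"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```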
Old 12-05-2005, 12:35 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


I have been having trouble getting the trendmicro tool to work. I keep getting an error "unable to connect to privacy threat database." Is there another tool that will do the same thing as trend Micro?
Old 12-05-2005, 05:17 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


Well, hmmm...I'll have to look into TMAS, as it's been giving errors to several folks lately. I just was able to run it with no problems. Perhaps there were server issues at the time you attempted the scan. Try once more, then move on.

We can attack any leftovers manually. Just run Kaspersky one more time. How is your system behaving?
Old 12-05-2005, 09:34 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:48 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 67.15.36.57 iris.phoenixrising.ws
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

TMAS: I got it to work once, but couldn't get the second run to work (same error message as last time). It's kinda weird how it works only once.

Started Scanning
Internet Cookies
Found 'a.websponsors.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'serving-sys.com' in 'Internet Explorer Cache'
Found 'fastclick.net' in 'Internet Explorer Cache'
Found 'trafficmp.com' in 'Internet Explorer Cache'
Found 'z1.adserver.com' in 'Internet Explorer Cache'
Found 'ads.cc214142.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'hits.clickandtrack.net' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'adopt.specificclick.net' in 'Internet Explorer Cache'
Found 'valueclick.com' in 'Internet Explorer Cache'
Found 'targetnet.com' in 'Internet Explorer Cache'
Found 'questionmarket.com' in 'Internet Explorer Cache'
Found 'casalemedia.com' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'realmedia.com' in 'Internet Explorer Cache'
Found 'as-us.falkag.net' in 'Internet Explorer Cache'
Found 'maxserving.com' in 'Internet Explorer Cache'
Found 'tradedoubler.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'zedo.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'mediaplex.com' in 'Internet Explorer Cache'
Found 'citi.bridgetrack.com' in 'Internet Explorer Cache'
Found 'valuead.com' in 'Internet Explorer Cache'
Found 'advertising.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Internet URL Shortcuts
Files and Directories
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Finished Cleaning


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 05, 2005 23:30:55
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/12/2005
Kaspersky Anti-Virus database records: 163482
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 102716
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 3542 sec

Infected Object Name - Virus Name
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\RECYCLER\S-1-5-21-1588114589-1540747887-2110669843-1005\Dc2.dll Infected: Trojan.Win32.Revop.c

Scan process completed.
Old 12-06-2005, 08:02 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home


Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC



If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Empty your Recycle Bin.

Navigate to and delete this file if it exists:

C:\RECYCLER\S-1-5-21-1588114589-1540747887-2110669843-1005\Dc2.dll

Something to note about MSAS:

MicroSoft AntiSpyware Program:

Because of recent changes in the way this program now defines and detects spyware/adware it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted!! I recommend you remove it.

Here are some other tools which will do the job quite well:

AdawareSE (free)
Spybot Search and Destroy (Teatimer Enabled) (free)
IESpy-Ad (free)
SpywareBlaster (free)
WinPatrol (free)
CounterSpy (free trial)

Your logs appear clean....

Well done. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!
  • AVG

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles


Please respond to this thread one more time so we can mark this thread as resolved.
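The MVPS Hosts file recommended above works by pointing ad domains at 127.0.0.1, so connections to them fail locally. The O1 line in the earlier HJT log (67.15.36.57 iris.phoenixrising.ws) is the opposite pattern: a hostname pointed at a remote address, which sends traffic for that name somewhere else. The Python below is an added example, not code from the thread or from MVPS; it parses a constructed hosts file and separates blocking entries from redirecting ones, which is the check a reviewer runs on a hosts file.

```python
import ipaddress

# Constructed HOSTS file content for the example. The iris.phoenixrising.ws entry is
# the redirection HijackThis reported as an O1 line in this thread; the 127.0.0.1 and
# 0.0.0.0 entries are written in the style of a blocking list such as the MVPS Hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
67.15.36.57     iris.phoenixrising.ws
127.0.0.1       ads.addynamix.com
127.0.0.1       fastclick.net www.fastclick.net  # ad server, two names on one line
0.0.0.0         doubleclick.net
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (ip_string, hostname) for every mapping, one per hostname.

    Blank lines, comment lines and trailing '#' comments are ignored, the way the
    Windows hosts file parser ignores them.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, hostnames = fields[0], fields[1:]
        for host in hostnames:
            yield ip, host.lower()


def classify_hosts(text):
    """Sort hosts entries into blocking, redirecting and malformed.

    Blocking entries point a name at the local machine (loopback such as 127.0.0.1,
    or the unspecified address 0.0.0.0) and only stop connections. Redirecting entries
    point a name at some other address and silently send traffic for that name
    elsewhere; a hijack reviewer looks at these first.
    """
    result = {"blocking": [], "redirecting": [], "malformed": []}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the stock mapping every hosts file carries
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            result["malformed"].append((ip, host))
            continue
        if addr.is_loopback or addr.is_unspecified:
            result["blocking"].append(host)
        else:
            result["redirecting"].append((ip, host))
    return result


if __name__ == "__main__":
    for ip, host in classify_hosts(SAMPLE_HOSTS)["redirecting"]:
        print(f"redirect: {host} -> {ip}")
```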
Old 12-06-2005, 08:27 AM   #15 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 8
OS: XP


Well everything seems to be perfect again. Thank you very much, I wouldn't have been able to do this by myself. I'll be very careful from now on to ensure that this won't happen again.
Copyright 2001 - 2009, Tech Support Forum