Resolved HJT Threads: resolved spyware and popup issues.
#1 - 03-05-2006, 09:08 PM
em1
Registered User
 
Join Date: Mar 2005
Posts: 183
OS: Windows XP


Random Pop-ups/Need Help

I may have downloaded files that contain a virus from LimeWire p2p. I have uninstalled limewire, but a limewire folder that I can't delete still remains in my program files. Also, I'm getting random internet explorer pop-ups pretty frequently. I'm running Windows 2000 on my computer.



Logfile of HijackThis v1.99.1
Scan saved at 8:01:07 PM, on 3/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /A "C:\WINDOWS\system32\E_S34.tmp"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irl2l53o1.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Last edited by em1; 03-05-2006 at 09:12 PM. Reason: correction
#2 - 03-05-2006, 09:25 PM
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

--------------------------------------



  1. Download and run - bfu.zip
  2. Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  3. Click the Web button located on the top right corner
  4. Copy/Paste this url into the address bar of the Download script window:
    http://metallica.geekstogo.com/alcanshorty.bfu
  5. Execute the script by clicking the Execute button.
  6. When it finishes running, click the Save button for a copy of the log
  7. Post the log created by the script when you have completed the fix

--------------------------------------

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Do NOT depress any keys on your keyboard until the tool requests you to "press any key to reboot" Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log.txt does not open double click on it in the l2mfix folder and post that log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
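The reply above does two things with the first log: it removes the O15 Trusted Zone additions with DelO15Domains.inf and treats the O20 Winlogon Notify entry as VX2/Look2Me for L2mfix. The Python script below is an added example, not code from the thread, from HijackThis, or from either tool; it applies the same triage to HijackThis result lines. It flags every O15 Trusted Zone addition, any O20 Winlogon Notify package outside a baseline or whose DLL has the letter-and-digit jumble seen on this machine (irl2l53o1.dll, h20q0cd5ef0.dll), and any O4 autostart whose command is a bare file name with no directory, which Windows resolves through the search path. It then writes a REGEDIT4 file whose [-key] lines delete only the flagged domains from the IE ZoneMap, narrower than the helper's .inf, which he warns removes every Trusted Sites entry. Assumptions: the baseline of Notify packages is taken from the ones the thread's later L2mfix export lists besides the removed one, so it fits this Windows 2000 SP4 box only; O15 lines without HijackThis's "(HKLM)" suffix are HKCU entries; the registrable domain is the last two labels of the host; and the sample lines are constructed from the first log in the thread plus one invented O20 line for the stock package cscdll as a negative control.

```python
"""Triage HijackThis 1.99 result lines the way the helpers in this thread did.
Added example; not code from the thread, HijackThis, DelO15Domains.inf or L2mfix."""
import re

# Winlogon Notify packages the thread's L2mfix export lists besides the one it
# removed. Assumed baseline for this Windows 2000 SP4 box; other builds differ.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn", "wzcnotif"}

HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# letters mixed with digits, as in irl2l53o1.dll / h20q0cd5ef0.dll (heuristic only)
JUMBLED = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{7,14}$", re.I)

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Constructed from the first HijackThis log in this thread; the cscdll O20 line is
# an invented negative control and does not appear in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /A "C:\WINDOWS\system32\E_S34.tmp"
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.winantivirus.com
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irl2l53o1.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

def parse_hjt(text):
    """Yield (section, body) for each result line; header and process list are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def zone_domain(body):
    """'Trusted Zone: http://*.winantivirus.com' -> ('HKCU', 'winantivirus.com')."""
    target = body.split(":", 1)[1].strip()
    hive = "HKLM" if target.endswith("(HKLM)") else "HKCU"   # HJT suffix for machine-wide entries
    host = re.sub(r"^[a-z]+://", "", target.replace("(HKLM)", "").strip(), flags=re.I).strip("/")
    labels = [l for l in host.split(".") if l and l != "*"]
    return hive, ".".join(labels[-2:])   # assumption: registrable domain = last two labels

def first_exe(cmd):
    """Executable part of an autostart command, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def triage(text):
    """Return the O15 / O20 / O4 entries a reviewer should look at, with reasons."""
    findings = {"o15": [], "o20": [], "o4": []}
    for sec, body in parse_hjt(text):
        if sec == "O15" and body.startswith("Trusted Zone:"):
            findings["o15"].append(zone_domain(body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, dll = body[len("Winlogon Notify:"):].partition(" - ")
            name, dll = name.strip(), dll.replace("(file missing)", "").strip()
            base = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if name.lower() not in KNOWN_NOTIFY:
                reasons.append("package not in baseline")
            if JUMBLED.match(base):
                reasons.append("jumbled DLL name")
            if reasons:
                findings["o20"].append((name, dll, reasons))
        elif sec == "O4":
            m = re.match(r"(?P<where>.+?): \[(?P<val>[^\]]*)\] (?P<cmd>.*)$", body)
            if m and "\\" not in first_exe(m.group("cmd")):
                # bare file name: resolved through the search path, so any writable
                # directory on that path could supply the binary
                findings["o4"].append((m.group("where"), m.group("val"), first_exe(m.group("cmd"))))
    return findings

def trusted_zone_removal_reg(zones):
    """REGEDIT4 text whose [-key] lines delete each flagged domain from the ZoneMap."""
    lines = ["REGEDIT4", ""]
    for hive, dom in sorted(set(zones)):
        lines.append("[-%s\\%s\\%s]" % (HIVES[hive], ZONEMAP, dom))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, items in found.items():
        for item in items:
            print(kind.upper(), item)
    print(trusted_zone_removal_reg(found["o15"]))
```

The jumbled-name test and the bare-executable test are heuristics that surface entries for a human to check, not verdicts; the O4 finding for winlog.exe, for instance, is not something the helpers commented on in this thread.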
#3 - 03-06-2006, 04:50 PM
em1
Registered User
 
Join Date: Mar 2005
Posts: 183
OS: Windows XP


BFU Scan

BFU v1.00.9
Windows 2000 SP4 (WinNT 5.00.2195 SP4)
Script started at 3:48:08 PM, on 3/6/2006

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\ERIC&T~1\LOCALS~1\Temp\~DF5407.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\ERIC&T~1\LOCALS~1\Temp\~DF583B.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\ERIC&T~1\LOCALS~1\Temp\~DFC892.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Script completed.
#4 - 03-06-2006, 05:05 PM
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,340
OS: N/A


Where's the log created by L2Mfix & the fresh HJT log?
__________________

Question - what have you done for the community today?
#5 - 03-06-2006, 05:13 PM
em1
Registered User
 
Join Date: Mar 2005
Posts: 183
OS: Windows XP


here they are

Logfile of HijackThis v1.99.1
Scan saved at 408 PM, on 3/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Eric & Tabitha\Desktop\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /A "C:\WINDOWS\system32\E_S34.tmp"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\h20q0cd5ef0.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


L2mfix 010406
Creating Account.
The command completed successfully.


Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 168 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 188 'winlogon.exe'
Killing PID 188 'winlogon.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 960 'explorer.exe'
Killing PID 960 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1132 'rundll32.exe'
Killing PID 1132 'rundll32.exe'
Error 0x5 : Access is denied.

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\enr6l19s1.dll
Successfully Deleted: C:\WINDOWS\system32\enr6l19s1.dll
Deleting: C:\WINDOWS\system32\fpls0337e.dll
Successfully Deleted: C:\WINDOWS\system32\fpls0337e.dll
Deleting: C:\WINDOWS\system32\h20q0cd5ef0.dll
Successfully Deleted: C:\WINDOWS\system32\h20q0cd5ef0.dll
Deleting: C:\WINDOWS\system32\m0po0a73ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0po0a73ed.dll
Deleting: C:\WINDOWS\system32\mpxml3.dll
Successfully Deleted: C:\WINDOWS\system32\mpxml3.dll
Deleting: C:\WINDOWS\system32\p8r40i9qe8.dll
Successfully Deleted: C:\WINDOWS\system32\p8r40i9qe8.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h20q0cd5ef0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\enr6l19s1.dll
C:\WINDOWS\system32\fpls0337e.dll
C:\WINDOWS\system32\h20q0cd5ef0.dll
C:\WINDOWS\system32\m0po0a73ed.dll
C:\WINDOWS\system32\mpxml3.dll
C:\WINDOWS\system32\p8r40i9qe8.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A9872A3E-1425-40D6-A4FC-B2A6AE381D13}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A9872A3E-1425-40D6-A4FC-B2A6AE381D13}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A9872A3E-1425-40D6-A4FC-B2A6AE381D13}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A9872A3E-1425-40D6-A4FC-B2A6AE381D13}\InprocServer32]
@="C:\\WINDOWS\\system32\\mpxml3.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A9872A3E-1425-40D6-A4FC-B2A6AE381D13}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A9872A3E-1425-40D6-A4FC-B2A6AE381D13}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/enr6l19s1.dll (92 bytes security) (deflated 4%)
adding: dlls/fpls0337e.dll (92 bytes security) (deflated 5%)
adding: dlls/guard.tmp (92 bytes security) (deflated 5%)
adding: dlls/h20q0cd5ef0.dll (92 bytes security) (deflated 5%)
adding: dlls/m0po0a73ed.dll (92 bytes security) (deflated 4%)
adding: dlls/mpxml3.dll (92 bytes security) (deflated 5%)
adding: dlls/p8r40i9qe8.dll (92 bytes security) (deflated 5%)
adding: backregs/A9872A3E-1425-40D6-A4FC-B2A6AE381D13.reg (92 bytes security) (deflated 70%)
adding: backregs/notibac.reg (92 bytes security) (deflated 85%)
adding: backregs/shell.reg (92 bytes security) (deflated 74%)
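The L2mfix log above exports the Winlogon\Notify key before cleaning. Some of the stock packages carry their DllName as hex(2), a REG_EXPAND_SZ written out as UTF-16LE byte pairs wrapped over two lines, while the entry named BITS (whose DLL Ewido later reports as Adware.Look2Me) points at a full path under system32. The parser below is an added example, not code from L2mfix or from the thread: it reads a .reg export in either REGEDIT4 or Version 5.00 syntax, decodes string, dword and hex(n) values including regedit's backslash-wrapped continuation lines, then lists the Notify packages and flags any outside a baseline or naming an absolute path where the stock entries use a bare DLL name. The baseline is assumed from the packages this very export shows besides the removed one, so it fits this Windows 2000 SP4 box and nothing else without adjustment; the sample export is a constructed abridgement of the one above.

```python
"""Parse a Winlogon\\Notify .reg export and review the notification packages.
Added example; not code from L2mfix or from the thread."""
import re

# Notify packages present in the thread's export other than the one L2mfix
# removed. Assumed baseline for this Windows 2000 SP4 box; extend per build.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn", "wzcnotif"}
NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed abridgement of the export in the L2mfix log above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h20q0cd5ef0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001
"""

def _join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; glue them back."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line.strip())
        buf = ""
    if buf:
        out.append(buf)
    return out

def _decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ as UTF-16LE
            return data.decode("utf-16-le").rstrip("\0")
        return data
    if raw == "-":
        return None                          # '"name"=-' deletes the value
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: value}}; a key written as [-path] maps to None."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                keys[path[1:]] = None
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        if current is None:
            continue
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        current[name] = _decode_value(raw)
    return keys

def notify_packages(text):
    """{package: dllname} for every subkey under Winlogon\\Notify in the export."""
    pkgs = {}
    for path, values in parse_reg(text).items():
        if values is not None and path.lower().startswith(NOTIFY.lower() + "\\"):
            name = path[len(NOTIFY) + 1:]
            # the export spells the value both DllName and DLLName
            pkgs[name] = next((v for k, v in values.items() if k.lower() == "dllname"), None)
    return pkgs

def suspicious_packages(text):
    """Packages outside the baseline, or whose DllName is an absolute path."""
    flagged = {}
    for name, dll in notify_packages(text).items():
        reasons = []
        if name.lower() not in BASELINE:
            reasons.append("not in baseline")
        if dll and re.match(r"^[a-z]:\\", dll, re.I):
            reasons.append("absolute path instead of bare DLL name")
        if reasons:
            flagged[name] = (dll, reasons)
    return flagged

if __name__ == "__main__":
    for name, dll in notify_packages(SAMPLE_EXPORT).items():
        print("%-14s %s" % (name, dll))
    print("flagged:", suspicious_packages(SAMPLE_EXPORT))
```

Keeping the parsed dictionary of the original key around is the same safety net the L2mfix log points at with its backreg folder: if a flagged package turns out to be legitimate, its values are what you write back.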
#6 - 03-06-2006, 05:31 PM
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,340
OS: N/A


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\h20q0cd5ef0.dll (file missing)



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
#7 - 03-11-2006, 05:32 PM
em1
Registered User
 
Join Date: Mar 2005
Posts: 183
OS: Windows XP


hijack, ewido, and kaspersky logs

Thank you very much for the help w/ my pc problems. Below are the logs:


Logfile of HijackThis v1.99.1
Scan saved at 4:28:04 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Eric & Tabitha\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /A "C:\WINDOWS\system32\E_S34.tmp"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:20:58 PM, 3/11/2006
+ Report-Checksum: 65B2A252

+ Scan result:

C:\gimmysmileys.exe -> Downloader.VB.xu : Cleaned with backup
C:\keyboard.exe -> Downloader.VB.xv : Cleaned with backup
C:\mousepad.exe -> Hijacker.VB.li : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/enr6l19s1.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/fpls0337e.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/h20q0cd5ef0.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/m0po0a73ed.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/mpxml3.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\backup.zip/dlls/p8r40i9qe8.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\enr6l19s1.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\fpls0337e.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\h20q0cd5ef0.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\m0po0a73ed.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\mpxml3.dll -> Adware.Look2Me : Cleaned with backup
C:\My Documents\l2mfix\dlls\p8r40i9qe8.dll -> Adware.Look2Me : Cleaned with backup
:mozilla.7:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.8:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.9:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.10:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.19:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.21:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.22:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.23:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.24:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.25:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.26:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.27:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.28:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.29:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.30:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.33:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.34:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\iyzd5hrk.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.6:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.8:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.9:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.10:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.41:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.44:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.65:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.66:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.67:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.68:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.69:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.70:C:\WINDOWS\Application Data\Mozilla\Profiles\default\oypftari.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\VM.exe -> Hijacker.Small.dl : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\iconu.exe -> Adware.Zestyfind : Cleaned with backup
C:\WINDOWS\lbbho.dll -> Adware.Neon : Cleaned with backup

::Report End

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 11, 2006 15:02:50
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/03/2006
Kaspersky Anti-Virus database records: 181901
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 24485
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 4444 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
Old 03-11-2006, 06:54 PM   #8 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


That's looking much better.

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available:

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

---------------------------------------------------

Due to the level of infection, I'd like you to run this additional online scan, so we can be sure nothing else is lurking:

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------

Post those results, along with a new HJT log.

---------------------------------------------------

How is your system behaving now, please?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-11-2006, 11:00 PM   #9 (permalink)
em1
Registered User
 
Join Date: Mar 2005
Posts: 183
OS: Windows XP


HijackThis log and ActiveScan log

My computer is a lot better. Whatever viruses and spyware were there had my CPU usage at 90+%; it's down to 0-15% now.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:00 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Eric & Tabitha\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /A "C:\WINDOWS\system32\E_S34.tmp"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Incident Status Location

Adware:adware/clickalchemy Not disinfected C:\WINDOWS\ALCHEM.INI
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard1.dat
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/twain-tech Not disinfected C:\WINDOWS\TWAINTEC.INI
Adware:adware/savenow Not disinfected C:\PROGRAM FILES\VVSN
Potentially unwanted tool:application/winantivirus2006 Not disinfected C:\PROGRAM FILES\COMMON FILES\WinAntiVirus Pro 2006
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@azjmp[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@burstnet[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@go[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@statcounter[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@toplist[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@www.burstbeacon[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@azjmp[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@burstnet[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@go[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@statcounter[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@toplist[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Eric & Tabitha\Cookies\eric & tabitha@www.burstbeacon[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\My Documents\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\My Documents\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Old 03-12-2006, 12:48 AM   #10 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies

Delete these files:

C:\WINDOWS\ALCHEM.INI
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\TWAINTEC.INI


If they resist deletion, boot to safe mode and delete them from there.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Highlight the following entries if present, then click "Delete"
  • When it asks if you are sure, click "Yes"
Old 03-12-2006, 12:56 AM   #11 (permalink)
em1
Registered User
 
Join Date: Mar 2005
Posts: 183
OS: Windows XP


None of those files were in there or under the uninstall manager. And my "windows" folder is named "WINNT"
Old 03-12-2006, 08:19 AM   #12 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Apologies, what I wanted was a list of installed programs:

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notepad file into your post

-------------------------------

According to your HJT log, and Panda, you have an OS installed in C:\Windows

It is in this folder the infected files reside. Are you saying there is no Windows folder on your C drive?

Are you sure you looked at the right thread?

This might be one of the problems of you and your brother logging in under the same user name, which is not recommended, or encouraged, by the way.

Last edited by tetonbob; 03-12-2006 at 08:22 AM.
Old 03-12-2006, 12:35 PM   #13 (permalink)
mronederful1911
Registered User
Join Date: Mar 2006
Posts: 47
OS: Windows XP


same computer, new username

Here is the new hijack uninstall log


Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat Reader 3.01
ArcSoft Software Suite
Avatar Sizer
AVG Free Edition
AviSynth 2.5
CCleaner (remove only)
CleanUp!
DiscWizard for Windows
Easy CD Creator 5 Basic
EPSON Printer Software
ewido anti-malware
HijackThis 1.99.1
IBM System Information
Internet Explorer Q903235
iPod for Windows 2005-09-23
iTunes
Kaspersky On-line Scanner
Logitech Desktop Messenger
Logitech MouseWare 9.79
Macromedia Flash Player 8
MDP3880 PCI Modem
Microsoft .NET Framework 1.1
Microsoft Internet Explorer 6 SP1
Microsoft Office XP Professional with FrontPage
Microsoft VGX Q833989
MSN Messenger 6.2
Nikon View 6
Panda ActiveScan
PSP Video 9 1.62
QuickTime
RealPlayer
Rescue Disk
SBC Yahoo! Applications
Spybot - Search & Destroy 1.4
System Files Update
Trivial Pursuit Millennium Edition
Visual IP InSight(SBC)
Windows Media Player system update (9 Series)
WinZip
Old 03-12-2006, 02:50 PM   #14 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Thanks, it's easier to keep track of this way....

Just to be sure....

Delete these files:

C:\WINDOWS\ALCHEM.INI
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\TWAINTEC.INI


Delete these folders:

C:\PROGRAM FILES\VVSN
C:\PROGRAM FILES\COMMON FILES\WinAntiVirus Pro 2006


If they resist deletion, boot to safe mode and delete them from there.

Run Panda one more time....if it's clean, you're good to go. If it has some results, post them....but for now, take heed of the following final instructions:

Well done. Your logs are clean. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • Tick the checkbox "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!
  • AVG

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles


Please respond to this thread one more time so we can mark this thread as resolved.
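To make the HOSTS-file advice in the post above concrete, here is an added example (not code from the thread or from the MVPS project) that parses a small, constructed HOSTS file in the MVPS layout and checks which names are sinkholed to the local machine. The sample entries reuse the tracking domains Panda listed earlier in the thread and are constructed for illustration only; the check also shows the usual caveat that HOSTS matches exact names, so subdomains are not covered.

```python
"""Added example: how a block-list HOSTS file stops ad/tracking requests.

Every name on a 127.0.0.1 (or 0.0.0.0) line resolves to the local machine,
so the browser's request never leaves the box.  On Windows the live file is
%SystemRoot%\\System32\\drivers\\etc\\hosts; the text below is a constructed
sample, not the real MVPS list.
"""
import ipaddress

# Addresses that block-list HOSTS files point unwanted names at.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that legitimately map to loopback and must not count as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: address, whitespace, one or more names, optional
# trailing '#' comment.  Domains echo the tracking cookies Panda reported.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not the real MVPS file)
127.0.0.1   localhost
127.0.0.1   localhost.localdomain

# [ad / tracking sinkholes]
127.0.0.1   www.burstnet.com  burstnet.com      # BurstNet
127.0.0.1   serving-sys.com   www.serving-sys.com
0.0.0.0     statcounter.com   # newer lists use 0.0.0.0
127.0.0.1\tazjmp.com
this-is-not-an-ip   bogus.example
"""


def parse_hosts(text):
    """Return {hostname: address} from HOSTS-file text.

    Handles '#' comments, blank lines, tab or space separators and several
    names per line.  Hostnames are case-insensitive, so they are lowered.
    Lines whose first field is not a valid IP address are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                                 # malformed line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)     # first entry wins
    return table


def is_sinkholed(table, hostname):
    """True if HOSTS sends this exact name to a sinkhole address.

    HOSTS has no wildcards: listing 'burstnet.com' says nothing about
    'cdn.burstnet.com', which would still be resolved via DNS.
    """
    name = hostname.lower()
    if name in LOCAL_NAMES:
        return False
    return table.get(name) in SINKHOLE_ADDRESSES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ["www.burstnet.com", "CDN.burstnet.com", "statcounter.com",
              "localhost", "www.hotmail.com"]:
        print(f"{n:20s} sinkholed={is_sinkholed(hosts, n)}")
```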
Copyright 2001 - 2009, Tech Support Forum