Discussion Starter · #1 ·
I picked up an annoying adware that I cannot rid my computer of. Symantec does nothing, and attempting everything I know to delete it doesn't work. Please help. I have a HijackThis log attached. I am on a short time crunch and leaving town due to a family emergency. I have to try to resolve this in the next couple of hours if possible.

Logfile of HijackThis v1.99.1
Scan saved at 6:33:04 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Timex\Timex Trainer\TBEggLaunch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/23703?lswe=23703&lwsa=WeatherLocalUndeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/23703?lswe=23703&lwsa=WeatherLocalUndeclared
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Timex Trainer Launcher.lnk = C:\Program Files\Timex\Timex Trainer\TBEggLaunch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098016149738
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\n4p40e7qeh.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Thanks again!!

TSF Security Team, Emeritus
Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow SpySweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

IMPORTANT

1. Disconnect your computer from the internet before you begin scanning.
2. Close all unnecessary programs before starting.
3. Do not use your computer as you scan.

Discussion Starter · #3 ·
Here are both files:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:36 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Timex\Timex Trainer\TBEggLaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/23703?lswe=23703&lwsa=WeatherLocalUndeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/23703?lswe=23703&lwsa=WeatherLocalUndeclared
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Timex Trainer Launcher.lnk = C:\Program Files\Timex\Timex Trainer\TBEggLaunch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098016149738
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe



********
6:47 PM: | Start of Session, Monday, October 24, 2005 |
6:47 PM: Spy Sweeper started
6:47 PM: Sweep initiated using definitions version 560
6:47 PM: Starting Memory Sweep
6:48 PM: Found Adware: icannnews
6:48 PM: Detected running threat: C:\WINDOWS\system32\n4p40e7qeh.dll (ID = 83)
6:49 PM: Detected running threat: C:\WINDOWS\system32\njtui1.dll (ID = 83)
6:51 PM: Memory Sweep Complete, Elapsed Time: 00:03:15
6:51 PM: Starting Registry Sweep
6:51 PM: Found Adware: cws-aboutblank
6:51 PM: HKCR\protocols\filter\text/html\ (1 subtraces) (ID = 114343)
6:51 PM: HKLM\software\classes\protocols\filter\text/html\ (1 subtraces) (ID = 115907)
6:51 PM: Found Adware: quicklink search toolbar
6:51 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
6:51 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
6:51 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
6:51 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
6:51 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
6:51 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
6:51 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
6:51 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
6:51 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
6:51 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
6:51 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
6:51 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
6:51 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
6:51 PM: Found Adware: instant access
6:51 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
6:51 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
6:51 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
6:51 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
6:51 PM: Found Adware: desktoptraffic
6:51 PM: HKU\S-1-5-21-833852115-1081847144-3717877319-1005\eeennn\ (280 subtraces) (ID = 124993)
6:51 PM: Registry Sweep Complete, Elapsed Time:00:00:35
6:51 PM: Starting Cookie Sweep
6:51 PM: Found Spy Cookie: yieldmanager cookie
6:51 PM: [email protected][2].txt (ID = 3751)
6:51 PM: Found Spy Cookie: adlegend cookie
6:51 PM: [email protected][1].txt (ID = 2074)
6:51 PM: Found Spy Cookie: hbmediapro cookie
6:51 PM: [email protected][2].txt (ID = 2768)
6:51 PM: Found Spy Cookie: specificclick.com cookie
6:51 PM: [email protected][2].txt (ID = 3400)
6:51 PM: Found Spy Cookie: adrevolver cookie
6:51 PM: [email protected][2].txt (ID = 2088)
6:51 PM: [email protected][3].txt (ID = 2088)
6:51 PM: Found Spy Cookie: addynamix cookie
6:51 PM: [email protected][1].txt (ID = 2062)
6:51 PM: Found Spy Cookie: belointeractive cookie
6:51 PM: [email protected][1].txt (ID = 2295)
6:51 PM: Found Spy Cookie: pointroll cookie
6:51 PM: [email protected][1].txt (ID = 3148)
6:51 PM: Found Spy Cookie: apmebf cookie
6:51 PM: [email protected][1].txt (ID = 2229)
6:51 PM: Found Spy Cookie: ask cookie
6:51 PM: [email protected][1].txt (ID = 2245)
6:51 PM: Found Spy Cookie: atwola cookie
6:51 PM: [email protected][1].txt (ID = 2255)
6:51 PM: Found Spy Cookie: about cookie
6:51 PM: [email protected][2].txt (ID = 2038)
6:51 PM: Found Spy Cookie: banner cookie
6:51 PM: [email protected][1].txt (ID = 2276)
6:51 PM: Found Spy Cookie: belnk cookie
6:51 PM: [email protected][1].txt (ID = 2292)
6:51 PM: Found Spy Cookie: zedo cookie
6:51 PM: [email protected][2].txt (ID = 3763)
6:51 PM: Found Spy Cookie: cardomain cookie
6:51 PM: [email protected][2].txt (ID = 2350)
6:51 PM: Found Spy Cookie: 2o7.net cookie
6:51 PM: [email protected][2].txt (ID = 1958)
6:51 PM: [email protected][2].txt (ID = 1958)
6:51 PM: [email protected][1].txt (ID = 2038)
6:51 PM: [email protected][1].txt (ID = 1958)
6:51 PM: Found Spy Cookie: adbureau cookie
6:51 PM: [email protected][1].txt (ID = 2060)
6:51 PM: Found Spy Cookie: customer cookie
6:51 PM: [email protected][1].txt (ID = 2481)
6:51 PM: [email protected][2].txt (ID = 2293)
6:51 PM: Found Spy Cookie: valuead cookie
6:51 PM: [email protected][1].txt (ID = 3627)
6:51 PM: Found Spy Cookie: go.com cookie
6:51 PM: [email protected][1].txt (ID = 2729)
6:51 PM: Found Spy Cookie: fe.lea.lycos.com cookie
6:51 PM: [email protected][2].txt (ID = 2660)
6:51 PM: [email protected][2].txt (ID = 2729)
6:51 PM: [email protected][2].txt (ID = 2728)
6:51 PM: [email protected][1].txt (ID = 2295)
6:51 PM: Found Spy Cookie: howstuffworks cookie
6:51 PM: [email protected][1].txt (ID = 2805)
6:51 PM: Found Spy Cookie: ic-live cookie
6:51 PM: [email protected][1].txt (ID = 2821)
6:51 PM: [email protected][1].txt (ID = 2729)
6:51 PM: [email protected][1].txt (ID = 2729)
6:51 PM: Found Spy Cookie: nextag cookie
6:51 PM: [email protected][2].txt (ID = 5014)
6:51 PM: Found Spy Cookie: overture cookie
6:51 PM: [email protected][1].txt (ID = 3105)
6:51 PM: Found Spy Cookie: partypoker cookie
6:51 PM: [email protected][2].txt (ID = 3111)
6:51 PM: Found Spy Cookie: pricegrabber cookie
6:51 PM: [email protected][1].txt (ID = 3186)
6:51 PM: [email protected][1].txt (ID = 3106)
6:51 PM: [email protected][1].txt (ID = 2729)
6:51 PM: Found Spy Cookie: server.iad.liveperson cookie
6:51 PM: [email protected][1].txt (ID = 3341)
6:51 PM: [email protected][1].txt (ID = 1958)
6:51 PM: [email protected][1].txt (ID = 2729)
6:51 PM: [email protected][2].txt (ID = 2729)
6:51 PM: Found Spy Cookie: cd freaks cookie
6:51 PM: [email protected][1].txt (ID = 2371)
6:51 PM: Found Spy Cookie: myaffiliateprogram.com cookie
6:51 PM: [email protected][1].txt (ID = 3032)
6:51 PM: Found Spy Cookie: yadro cookie
6:51 PM: [email protected][2].txt (ID = 3743)
6:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
6:51 PM: Starting File Sweep
6:51 PM: c:\program files\quicklinks (2 subtraces) (ID = -2147468660)
6:52 PM: Found Adware: ist yoursitebar
6:52 PM: ysbinstall_1003585[1].exe (ID = 166206)
6:52 PM: dc5.exe (ID = 166206)
6:52 PM: Found Trojan Horse: trojan-downloader-nextern
6:52 PM: dc4.exe (ID = 168231)
6:53 PM: Found Adware: begin2search
6:53 PM: mp3red51a.ico (ID = 51044)
6:55 PM: greenmovie2313.ico (ID = 51033)
6:56 PM: qllib.dll (ID = 168233)
6:57 PM: Found Adware: apropos
6:57 PM: dc3.exe (ID = 168722)
6:59 PM: drin[1].exe (ID = 168231)
6:59 PM: drin[1].cab (ID = 168162)
6:59 PM: b1b25.tmp (ID = 168162)
7:00 PM: wingenerics.dll (ID = 50187)
7:01 PM: contextplus[1].exe (ID = 168722)
7:01 PM: vh e23.ico (ID = 51074)
7:03 PM: qlutility.exe (ID = 168232)
7:04 PM: greenmovie2311.ico (ID = 51033)
7:05 PM: Found Adware: shopathomeselect
7:05 PM: kdlmjh8r.dat (ID = 75677)
7:05 PM: tm97pj39.dat (ID = 75645)
7:05 PM: dice21.ico (ID = 51024)
7:05 PM: greenmovie2313asa.ico (ID = 51033)
7:05 PM: kas pink1233.ico (ID = 51041)
7:05 PM: desktrf-b2s.exe (ID = 51040)
7:05 PM: Found Adware: abetterinternet
7:05 PM: installerv3.exe (ID = 83329)
7:07 PM: uninst.exe (ID = 73428)
7:11 PM: vh e2.ico (ID = 51074)
7:11 PM: dice2.ico (ID = 51024)
7:15 PM: Found Adware: effective-i toolbar
7:15 PM: ca17ca79-d76b-40cb-90b7-0ec731 (ID = 59838)
7:15 PM: Found System Monitor: potentially rootkit-masked files
7:15 PM: 00006784_435d5fb7_000a2b54 (ID = 0)
7:15 PM: 000026e9_435d5ffc_000dd31e (ID = 0)
7:15 PM: 000001eb_435d5ffc_000ebdd4 (ID = 0)
7:15 PM: 0000440d_435d615d_00038cbb (ID = 0)
7:15 PM: 00003d6c_43597a1a_0003f301 (ID = 0)
7:15 PM: 00004ae1_435d5fbf_000c06a3 (ID = 0)
7:15 PM: 00005f90_435976c1_000dd6cb (ID = 0)
7:16 PM: 00003d6c_435974f7_000aa6e3 (ID = 0)
7:16 PM: 00000029_43597da8_000bab9c (ID = 0)
7:16 PM: 00006784_43597c90_00003f71 (ID = 0)
7:16 PM: 00001649_435976dc_000d0e99 (ID = 0)
7:16 PM: 00000029_43597852_0004c770 (ID = 0)
7:16 PM: 00000029_43597b99_000d9dac (ID = 0)
7:16 PM: 00004ae1_43597c90_000746e8 (ID = 0)
7:16 PM: 00006784_43597952_000c15be (ID = 0)
7:16 PM: 00000bb3_435d601d_000316d6 (ID = 0)
7:16 PM: 00005af1_435976f1_0002842c (ID = 0)
7:16 PM: 00002ea6_435d601d_00064c54 (ID = 0)
7:16 PM: 000012db_435d6036_000923bc (ID = 0)
7:16 PM: 00003d6c_435d5fc1_00049511 (ID = 0)
7:16 PM: 00002cd6_435d5fc1_000c3901 (ID = 0)
7:16 PM: 0000767d_435d63eb_00060038 (ID = 0)
7:16 PM: 0000153c_435d6037_00029741 (ID = 0)
7:16 PM: 00007e87_435d6037_00055764 (ID = 0)
7:16 PM: drpdvc.exe (ID = 0)
7:16 PM: 00000029_43599c93_00030d1c (ID = 0)
7:16 PM: 00004509_435d63ec_0004094c (ID = 0)
7:16 PM: 000026a6_435d6391_00089b88 (ID = 0)
7:16 PM: index (ID = 0)
7:16 PM: 00004db7_435d615f_0004d0ee (ID = 0)
7:16 PM: dns (ID = 0)
7:16 PM: 0000701f_435d6394_0001f32e (ID = 0)
7:16 PM: 00000029_435d5fa9_000dae8c (ID = 0)
7:16 PM: 00001547_435d6161_000998dc (ID = 0)
7:16 PM: 0000390c_435d6053_00002661 (ID = 0)
7:16 PM: 00002cd6_435975e8_000ae798 (ID = 0)
7:16 PM: 000018be_435d5fab_0005c7a0 (ID = 0)
7:16 PM: 000072ae_435d5fdd_000ad9f6 (ID = 0)
7:16 PM: 00006952_435d5fdd_000bc4ac (ID = 0)
7:16 PM: 00005f90_435d5fe2_000947c8 (ID = 0)
7:16 PM: 00001649_435d5fe3_0001f7b4 (ID = 0)
7:16 PM: 00006df1_435d5fe3_00055451 (ID = 0)
7:16 PM: 000054de_435d61de_0000baf6 (ID = 0)
7:16 PM: 00005af1_435d5fea_000442be (ID = 0)
7:16 PM: 000041bb_435d5fea_0005c9ee (ID = 0)
7:16 PM: 00000f3e_435d606c_000064c4 (ID = 0)
7:16 PM: ace.dll (ID = 0)
7:16 PM: 00000099_435d607d_0005f66e (ID = 0)
7:16 PM: 00000124_435d608e_0000aea9 (ID = 0)
7:16 PM: dspetres.exe (ID = 0)
7:16 PM: svcund3d.exe (ID = 0)
7:16 PM: 00004ae1_435973fc_000c78b6 (ID = 0)
7:16 PM: 000039b3_435d629f_00045c1c (ID = 0)
7:16 PM: 000072ae_43597659_000129b8 (ID = 0)
7:16 PM: 0000074d_435d62e8_00061ddb (ID = 0)
7:16 PM: 00002d12_435d62e0_000a382e (ID = 0)
7:16 PM: 00004dc8_435d6304_000e5f4b (ID = 0)
7:16 PM: 00007a5a_435d63b6_000a0821 (ID = 0)
7:16 PM: 000066bb_435d631a_0005d709 (ID = 0)
7:16 PM: 0000428b_435d631d_0001041c (ID = 0)
7:16 PM: ch7m1394.sys (ID = 0)
7:16 PM: 00006df1_435976f1_000087a1 (ID = 0)
7:16 PM: 00004823_43597942_000b6d81 (ID = 0)
7:16 PM: 000018be_4359794c_0004500e (ID = 0)
7:16 PM: 00004ae1_43597953_000edb81 (ID = 0)
7:16 PM: 00002cd6_43597a43_000e52fe (ID = 0)
7:16 PM: 00004823_43597c89_000ec378 (ID = 0)
7:16 PM: 000018be_43597c8c_000efb76 (ID = 0)
7:16 PM: 00004823_43597e99_0000282c (ID = 0)
7:16 PM: ai_24-10-2005.log (ID = 0)
7:16 PM: 0000305e_435d615b_000cac9b (ID = 0)
7:16 PM: 00004823_435d5faa_0008a941 (ID = 0)
7:16 PM: 0000491c_435d615e_0003b979 (ID = 0)
7:16 PM: 00004d06_435d615e_000da831 (ID = 0)
7:16 PM: 00006443_435d6319_000d271c (ID = 0)
7:16 PM: 00005d03_435d6394_000a5ab6 (ID = 0)
7:16 PM: ai_21-10-2005.log (ID = 0)
7:16 PM: 00004823_4359721c_00071ec0 (ID = 0)
7:16 PM: 000018be_435972f3_00074290 (ID = 0)
7:16 PM: 00006784_43597303_0006d8f8 (ID = 0)
7:16 PM: 00006952_43597664_000315e6 (ID = 0)
7:16 PM: File Sweep Complete, Elapsed Time: 00:24:43
7:16 PM: Full Sweep has completed. Elapsed time 00:28:47
7:16 PM: Traces Found: 542
7:33 PM: Removal process initiated
7:33 PM: Quarantining All Traces: potentially rootkit-masked files
7:34 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
7:34 PM: drpdvc.exe is in use. It will be removed on reboot.
7:34 PM: index is in use. It will be removed on reboot.
7:34 PM: dns is in use. It will be removed on reboot.
7:34 PM: ace.dll is in use. It will be removed on reboot.
7:34 PM: dspetres.exe is in use. It will be removed on reboot.
7:34 PM: svcund3d.exe is in use. It will be removed on reboot.
7:34 PM: ch7m1394.sys is in use. It will be removed on reboot.
7:34 PM: ai_24-10-2005.log is in use. It will be removed on reboot.
7:34 PM: ai_21-10-2005.log is in use. It will be removed on reboot.
7:34 PM: Quarantining All Traces: abetterinternet
7:34 PM: Quarantining All Traces: cws-aboutblank
7:34 PM: Quarantining All Traces: apropos
7:34 PM: apropos is in use. It will be removed on reboot.
7:34 PM: wingenerics.dll is in use. It will be removed on reboot.
7:34 PM: Quarantining All Traces: begin2search
7:34 PM: Quarantining All Traces: desktoptraffic
7:34 PM: Quarantining All Traces: effective-i toolbar
7:34 PM: Quarantining All Traces: icannnews
7:35 PM: icannnews is in use. It will be removed on reboot.
7:35 PM: C:\WINDOWS\system32\n4p40e7qeh.dll is in use. It will be removed on reboot.
7:35 PM: C:\WINDOWS\system32\njtui1.dll is in use. It will be removed on reboot.
7:35 PM: Quarantining All Traces: instant access
7:35 PM: Quarantining All Traces: ist yoursitebar
7:35 PM: Quarantining All Traces: quicklink search toolbar
7:35 PM: Quarantining All Traces: shopathomeselect
7:35 PM: Quarantining All Traces: trojan-downloader-nextern
7:35 PM: Quarantining All Traces: 2o7.net cookie
7:35 PM: Quarantining All Traces: about cookie
7:35 PM: Quarantining All Traces: adbureau cookie
7:35 PM: Quarantining All Traces: addynamix cookie
7:35 PM: Quarantining All Traces: adlegend cookie
7:35 PM: Quarantining All Traces: adrevolver cookie
7:35 PM: Quarantining All Traces: apmebf cookie
7:35 PM: Quarantining All Traces: ask cookie
7:35 PM: Quarantining All Traces: atwola cookie
7:35 PM: Quarantining All Traces: banner cookie
7:35 PM: Quarantining All Traces: belnk cookie
7:35 PM: Quarantining All Traces: belointeractive cookie
7:35 PM: Quarantining All Traces: cardomain cookie
7:35 PM: Quarantining All Traces: cd freaks cookie
7:35 PM: Quarantining All Traces: customer cookie
7:35 PM: Quarantining All Traces: fe.lea.lycos.com cookie
7:35 PM: Quarantining All Traces: go.com cookie
7:35 PM: Quarantining All Traces: hbmediapro cookie
7:35 PM: Quarantining All Traces: howstuffworks cookie
7:35 PM: Quarantining All Traces: ic-live cookie
7:35 PM: Quarantining All Traces: myaffiliateprogram.com cookie
7:35 PM: Quarantining All Traces: nextag cookie
7:35 PM: Quarantining All Traces: overture cookie
7:35 PM: Quarantining All Traces: partypoker cookie
7:35 PM: Quarantining All Traces: pointroll cookie
7:35 PM: Quarantining All Traces: pricegrabber cookie
7:35 PM: Quarantining All Traces: server.iad.liveperson cookie
7:35 PM: Quarantining All Traces: specificclick.com cookie
7:35 PM: Quarantining All Traces: valuead cookie
7:35 PM: Quarantining All Traces: yadro cookie
7:35 PM: Quarantining All Traces: yieldmanager cookie
7:35 PM: Quarantining All Traces: zedo cookie
7:40 PM: Preparing to restart your computer. Please wait...
7:40 PM: Removal process completed. Elapsed time 00:06:58
********
6:43 PM: | Start of Session, Monday, October 24, 2005 |
6:43 PM: Spy Sweeper started
6:44 PM: Your spyware definitions have been updated.
6:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
6:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
 

TSF Security Team, Emeritus · 26,363 Posts
Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


You may want to print out the rest of these instructions for reference, since you will have to restart your computer during the fix. Please download these additional files/programs. Do not run them until instructed to do so.

AproposFix.exe - do NOT run it yet.

CleanUp.exe - Install.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, it will create a log, log.txt file in the aproposfix folder.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • L2Mfix's log
  • Apropos Fix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 

Registered · 15 Posts · Discussion Starter · #5
I did all that you requested. The only issue I encountered was that the initial L2MFix scan showed errors, so I downloaded the files that you linked to, and when I scanned again, I again got some errors. You will see these in the log file. I am assuming that these are normal errors. Please inform me if I am correct or not.

Let me say again, thanks for the help. I haven't had the annoying popups, but the online scan has shown some more issues. Anyway, here are the logs. I am standing by to perform some more repairs....


Logfile of HijackThis v1.99.1
Scan saved at 9:04:48 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Timex\Timex Trainer\TBEggLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/23703?lswe=23703&lwsa=WeatherLocalUndeclared
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/23703?lswe=23703&lwsa=WeatherLocalUndeclared
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Timex Trainer Launcher.lnk = C:\Program Files\Timex\Timex Trainer\TBEggLaunch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098016149738
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe


Active Scan

Incident Status Location

Adware:adware/ilookup No disinfected C:\WINDOWS\SYSTEM32\hotbod123121.ico
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_dsktptr
Adware:Adware/Look2Me No disinfected C:\backup.zip[f00olad31d0.dll]

L2MFix

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1976 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 2044 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (188 bytes security) (deflated 2%)
updating: lo2.txt (188 bytes security) (deflated 49%)
updating: test.txt (188 bytes security) (stored 0%)
updating: test2.txt (188 bytes security) (stored 0%)
updating: test3.txt (188 bytes security) (stored 0%)
updating: test5.txt (188 bytes security) (stored 0%)
adding: log.txt (188 bytes security) (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************






Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Fred\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CzPQsAxEhfFD]
@="pH36uFJOPPOPPQP2zAUxyfWOPPOeRPykpfqyuPGMGH2AVUP1F6J2FGP05ZATVbWQGMG"
"Device"="\\\\.\\eXm2VWD4"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\ch7m1394.sys"
"DriverName"="NtfiSrv"
"HideUninstallerName"="C:\\Program Files\\Alcpalm\\dspetres.exe"
"HDll"="C:\\WINDOWS\\system32\\wdimpapi.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{X2a25c27-9ea7-635d-b86e-26620c472542}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Alcpalm\\drpdvc.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\svcund3d.exe"
"Version"="2.0.106"


************

Removing hidden service:
Service NtfiSrv removed.

Removing hidden folder:
Deletion of folder Alcpalm succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\ch7m1394.sys succeeded!
Deletion of file C:\WINDOWS\system32\svcund3d.exe succeeded!
Deletion of file C:\WINDOWS\system32\wdimpapi.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CzPQsAxEhfFD]
[-HKEY_LOCAL_MACHINE\Software\CzPQsAxEhfFD]

Done!

Finished!
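As an added example (not code from this thread, from HijackThis or from any of the tools named in it), here is a small Python triage pass over log lines in the format posted above: it parses the `Oxx - ` entries and lists the ones a helper reads first. The checks and their labels are this example's own, and the sample lines are constructed from the shape of the log above.

```python
"""Triage a HijackThis 1.99 log: parse the prefixed entries and flag the
ones worth a second look (added example, not HijackThis's own logic)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in the shape of the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "check" (this example's own label) or "review"
    kind: str      # HijackThis section prefix, e.g. "O4"
    name: str      # Run value name, service display name or Notify subkey
    detail: str


ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(?P<name>\S+)\s+-\s+(?P<dll>.+)$")
SERVICE_RE = re.compile(r"^Service:\s*(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")
# First token that ends in an executable extension, followed by a space or end.
EXEC_EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|vbs|js|bat|cmd|scr|com|pif))(?:\s|$)", re.I)
# Drive letter, %VAR% expansion or UNC prefix: the image is fully qualified.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)")
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd")


def image_path(cmd: str) -> str:
    """Return the program path from a Run value, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXEC_EXT_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, body) for every 'Oxx - ...' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for kind, body in parse_entries(log_text):
        if kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup shortcuts are not examined here
            name, path = m.group("name"), image_path(m.group("cmd"))
            if not QUALIFIED_RE.match(path):
                # A bare filename is located by the loader's search order at
                # logon, so confirm which copy on disk actually runs.
                findings.append(Finding("check", kind, name,
                                        f"unqualified image {path!r}"))
            elif path.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("review", kind, name,
                                        f"script launched at logon: {path}"))
        elif kind == "O20":
            m = NOTIFY_RE.match(body)
            if m:  # Notify DLLs load inside winlogon.exe; verify each one
                findings.append(Finding("review", kind, m.group("name"),
                                        f"Winlogon Notify DLL: {m.group('dll')}"))
        elif kind == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("owner").lower() == "unknown owner":
                findings.append(Finding("check", kind, m.group("name"),
                                        f"service with no publisher string: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind} {f.name}: {f.detail}")
```

Entries it lists are starting points for a check against the vendor and the on-disk file, not verdicts; in the sample, WRNotifier is Webroot's own Notify package and ACS is the Atheros wireless service.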
 

TSF Security Team, Emeritus · 26,363 Posts
We're almost done.

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\SYSTEM32\hotbod123121.ico
  • C:\WINDOWS\SYSTEM32\cache32_dsktptr

Assuming that you didn't have any problems with the file deletions, you should be clean.

Please follow these simple steps in order to keep your computer clean and secure:


  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, in conjunction with Spybot, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here.


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.


Please respond to this thread one more time so we can mark this thread as resolved.
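Step 3 of the post above changes six Internet-zone settings by hand in the IE dialog. Those settings live in the registry as DWORDs under the Internet zone key (Zones\3), using IE's documented value names and levels (0 = Enable, 1 = Prompt, 3 = Disable). The following is an added example, not code from the thread or from TSF: it reads a REGEDIT4 export of that key, reports which of the six settings are looser than the post recommends, and emits a hardened fragment in the same REGEDIT4 format the log above uses. The sample export is constructed; the function and constant names are the example's own.

```python
"""Audit Internet Explorer's Internet-zone settings from an exported .reg file.

Added example (not code from the thread or from TSF). It checks the six
settings the post tells the user to change against their recommended levels.
The numeric value names (1001, 1004, ...) and levels (0 = Enable, 1 = Prompt,
3 = Disable) are IE's documented zone-setting identifiers, stored under
Zones\\3 (the Internet zone); the sample export below is constructed.
"""
import re
from typing import Dict, List, Tuple

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# Higher number = stricter; used to decide whether a current value is weaker.
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Value name -> (setting as shown in the IE dialog, level the post recommends)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Minimal REGEDIT4 reader: returns {key: {value_name: dword}}.

    Only dword values are kept, which is all the zone settings use.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(reg_text: str) -> Dict[str, list]:
    """Compare the export against RECOMMENDED.

    'weak' lists (value, description, current level, recommended level) for
    settings present but looser than recommended; 'unset' lists settings the
    export does not carry (IE then applies the zone template's default, so
    check those in the dialog rather than assuming they are safe).
    """
    zone = parse_reg(reg_text).get(ZONE_KEY, {})
    weak: List[Tuple[str, str, str, str]] = []
    unset: List[str] = []
    for value_name, (desc, want) in RECOMMENDED.items():
        if value_name not in zone:
            unset.append(value_name)
            continue
        have = zone[value_name]
        # An unrecognised level is treated as weaker than anything recommended.
        if STRICTNESS.get(have, -1) < STRICTNESS[want]:
            weak.append((value_name, desc, LEVEL_NAME.get(have, str(have)), LEVEL_NAME[want]))
    return {"weak": weak, "unset": unset}


def hardened_reg() -> str:
    """Emit a REGEDIT4 fragment that sets every setting to its recommended level."""
    lines = ["REGEDIT4", "", f"[{ZONE_KEY}]"]
    for value_name, (_desc, want) in RECOMMENDED.items():
        lines.append(f'"{value_name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export: unsigned ActiveX download enabled, unsafe
# ActiveX scripting only at Prompt, and two of the six settings not present.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000001
"1800"=dword:00000003
"""

if __name__ == "__main__":
    result = audit_internet_zone(SAMPLE_EXPORT)
    for value_name, desc, have, want in result["weak"]:
        print(f"WEAK  {value_name} {desc}: {have} (recommended {want})")
    for value_name in result["unset"]:
        print(f"UNSET {value_name} {RECOMMENDED[value_name][0]}")
    print(hardened_reg())
```

Run against the constructed export it flags 1004 (Enable where Disable is recommended) and 1201 (Prompt where Disable is recommended), and lists 1804 and 1607 as unset. Settings are only reported as weak when they are present and looser than recommended; an absent value means the zone template default applies, which is why it is reported separately instead of being assumed either way.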
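Step 11 of the post above relies on the HOSTS file mapping ad and tracker names to 127.0.0.1 so the request never leaves the machine. The same file is also where malware redirects update and vendor sites, which is what HijackThis reports as O1 entries. The following is an added example, not code from the thread or from the MVPS project: it parses HOSTS-style text, treats names sunk to loopback or 0.0.0.0 as blocks, flags any name sent anywhere else as a hijack, and answers what the file would resolve a name to (first match wins, as Windows does). The sample file content is constructed, including the hijack line, which uses an address from the RFC 5737 documentation range; the function and type names are the example's own.

```python
"""Check a Windows HOSTS file: blocklist entries versus hijacked names.

Added example (not code from the thread or from the MVPS project). A name
sunk to loopback (or 0.0.0.0) is a block, the way the MVPS file works; a
name pointed anywhere else is flagged, since that is how a hosts hijack
(HijackThis O1) looks. The sample content at the bottom is constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class HostsEntry(NamedTuple):
    ip: str
    name: str
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS text: '<ip> <name> [<name>...]' with '#' comments."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name maps nothing
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # a line whose address does not parse is ignored
        for name in parts[1:]:
            entries.append(HostsEntry(parts[0], name.lower(), line_no))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for 127.x and 0.0.0.0 targets, i.e. the request stays on the box."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def resolve(text: str, name: str) -> Optional[str]:
    """What the HOSTS file answers for `name`: the first matching line wins."""
    name = name.lower()
    for entry in parse_hosts(text):
        if entry.name == name:
            return entry.ip
    return None


def audit_hosts(text: str) -> dict:
    """Split entries into blocks (sinkholed names) and hijacks (anything else).

    'localhost' to loopback is the stock entry and is not counted as a block.
    """
    blocked: List[str] = []
    hijacks: List[HostsEntry] = []
    for entry in parse_hosts(text):
        if is_sinkhole(entry.ip):
            if entry.name != "localhost":
                blocked.append(entry.name)
        else:
            hijacks.append(entry)
    return {"blocked": blocked, "hijacks": hijacks}


# Constructed sample in the MVPS layout. The last line imitates a hosts
# hijack: windowsupdate.com (the site step 6 depends on) sent to an address
# from the RFC 5737 documentation range instead of to Microsoft.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1 localhost
127.0.0.1 ads.example.com        # MVPS style block entry
0.0.0.0   tracker.example.net    # 0.0.0.0 form: also stays on the box
192.0.2.10 windowsupdate.com     # hijack: redirected off the machine
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", report["blocked"])
    for h in report["hijacks"]:
        print(f"HIJACK line {h.line_no}: {h.name} -> {h.ip}")
    print("ads.example.com ->", resolve(SAMPLE_HOSTS, "ads.example.com"))
```

On the constructed sample the two ad/tracker names come back as blocked, the windowsupdate.com line is reported as a hijack with its line number, and the stock localhost line is left out of both lists. The same audit run over a real HOSTS file after installing the MVPS version should show only sinkhole targets; any other address is worth explaining before the file is trusted.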
 