
Registered · 9 Posts · Discussion Starter · #1
Okay then, been battling with these pop-ups for about the last 6 days and I ain't had any success, so I figured I'd talk to you guys. I've read a couple of other threads on gettin' rid of the pop-ups mentioned in the title of the thread, but they didn't work for me. So I was hoping that you could figure out what is specifically wrong with my comp, so that I can stop freakin' out about my internet.

I'm running:

  • Internet Explorer
  • AMD Athlon 1700+
  • Windows XP SP2
  • And...that's about it...I think...

Oh yeah, and on top of the 'Searc-h, Ad-w-a-r-e, Discount-Nation etc.' pop-ups, these little Flash pop-ups keep appearing and doing these annoying little animations about how 'My Computer May Be Infected With AdWare' - and I'm like...what the hell!?

So if anyone knows what be going on here, 'twould be much appreciated - and here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 13:31:32, on 24/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\dumprep.exe
C:\Documents and Settings\Owner\Desktop\Ben's Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A2309FC-AE44-45AA-BC0B-62399F29C023}: NameServer = 212.67.120.148 212.67.96.129
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv86l9ls1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Cheers dudesters

TSF Security Manager, Emeritus · 52,197 Posts
Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

Registered · 9 Posts · Discussion Starter · #3
Here be the SpySweeper log:

********
18:37: | Start of Session, 24 October 2005 |
18:37: Spy Sweeper started
18:37: Sweep initiated using definitions version 560
18:37: Starting Memory Sweep
18:37: Found Adware: icannnews
18:37: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
18:37: Detected running threat: C:\WINDOWS\system32\k6620gjoe6oc0.dll (ID = 83)
18:38: Detected running threat: C:\WINDOWS\system32\oofox32.dll (ID = 83)
18:38: Memory Sweep Complete, Elapsed Time: 00:01:38
18:38: Starting Registry Sweep
18:38: Found Adware: whenu
18:38: HKLM\software\microsoft\windows\currentversion\uninstall\whenusavemsg\ (7 subtraces) (ID = 140451)
18:38: Found Adware: whenu savenow
18:38: HKCR\wusn.1\ (1 subtraces) (ID = 140463)
18:39: HKCR\wusn.1\ (1 subtraces) (ID = 635412)
18:39: HKLM\software\whenusave\ (45 subtraces) (ID = 635463)
18:39: HKLM\software\classes\wusn.1\ (1 subtraces) (ID = 635554)
18:39: Found Adware: bookedspace
18:39: HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\net-nucleus.com\ (1 subtraces) (ID = 662284)
18:39: Found Adware: whenu save
18:39: HKCR\acm.acmfactory\ (5 subtraces) (ID = 773927)
18:39: HKCR\acm.acmfactory.1\ (3 subtraces) (ID = 773933)
18:39: HKCR\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773937)
18:39: HKCR\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773950)
18:39: HKCR\appid\acm.dll\ (1 subtraces) (ID = 773960)
18:39: HKLM\software\classes\acm.acmfactory\ (5 subtraces) (ID = 773964)
18:39: HKLM\software\classes\acm.acmfactory.1\ (3 subtraces) (ID = 773970)
18:39: HKLM\software\classes\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773976)
18:39: HKLM\software\classes\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773979)
18:39: HKLM\software\classes\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773992)
18:39: HKU\S-1-5-21-1229272821-1177238915-1801674531-1003\software\microsoft\windows\currentversion\run\ || whenusave (ID = 773978)
18:39: Registry Sweep Complete, Elapsed Time:00:00:25
18:39: Starting Cookie Sweep
18:39: Found Spy Cookie: yieldmanager cookie
18:39: [email protected][1].txt (ID = 3751)
18:39: Found Spy Cookie: azjmp cookie
18:39: [email protected][2].txt (ID = 2270)
18:39: Found Spy Cookie: starware.com cookie
18:39: [email protected][1].txt (ID = 3442)
18:39: [email protected][1].txt (ID = 3442)
18:39: Cookie Sweep Complete, Elapsed Time: 00:00:00
18:39: Starting File Sweep
18:39: c:\program files\save (6 subtraces) (ID = -2147480378)
18:39: c:\documents and settings\owner\start menu\programs\whenu (3 subtraces) (ID = -2147480383)
18:41: Found Adware: sp2ms
18:41: drsmartload.exe (ID = 178567)
18:42: Found Adware: apropos
18:42: wingenerics.dll (ID = 50187)
18:43: saveinstwm.exe (ID = 74391)
18:43: vvsninst.exe (ID = 74460)
18:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:50: Found Adware: cws_ns3
18:50: evuwz.log (ID = 56717)
18:50: Found Adware: weirdontheweb
18:50: weirdontheweb_topc.exe (ID = 87898)
18:50: Found Adware: directrevenue-abetterinternet
18:50: thin-114-1-x-x.exe (ID = 83548)
18:50: Found Adware: windows afa internet enhancement
18:50: qbuninstaller.exe (ID = 90525)
18:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:52: Found Adware: azsearch toolbar
18:52: azesearch4.ocx (ID = 50337)
18:52: Found Adware: shopathomeselect
18:52: dv77cs2t.dat (ID = 121494)
18:52: thin-138-1-x-x.exe (ID = 83554)
18:52: Found Trojan Horse: trojan-downloader-mainstreamdollars
18:52: ventura-hot_246765.exe (ID = 107491)
18:52: Found Trojan Horse: trojan-downloader-traf34
18:52: gsm3-0511.exe (ID = 81005)
18:52: Found Trojan Horse: trojan downloader matcash
18:52: mc-110-12-0000079.exe (ID = 114247)
18:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:54: Found Adware: ist istbar
18:54: shortcuts.txt (ID = 64711)
18:54: Found Adware: look2me
18:54: ds4.dll (ID = 65771)
18:54: Found Adware: ez-finder toolbar
18:54: webdlg32.inf (ID = 60327)
18:54: webdlg32.inf (ID = 60327)
18:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:55: mc-110-12-0000079.exe (ID = 114256)
18:55: Found Adware: maxifiles
18:55: services32.exe (ID = 114260)
18:55: autoit3.exe (ID = 119348)
18:55: mc-110-12-0000079.exe (ID = 114256)
18:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
18:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:02: Found Adware: screensavers
19:02: swpstart.exe (ID = 74759)
19:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:02: Found Adware: blazefind_adstat
19:02: adstatcomm.dll (ID = 51558)
19:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:02: Found Adware: 180search assistant/zango
19:02: npzango.dll (ID = 91103)
19:02: wingenerics.dll (ID = 50187)
19:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:03: 180sainstaller.exe (ID = 70450)
19:04: Found Adware: surf accuracy
19:04: uninstall.exe (ID = 131729)
19:04: res12.tmp (ID = 93786)
19:04: Warning: Failed to open file "d:\documents and settings\ms user\local settings\temp\temporary internet files\content.ie5\ml8v0f8v\x1pbglk-vql4btnulwnjomzvtlyaagha8w1qdfstcqhxerrwh6qpxn5s9uzmathf-klvnghxx8l6skllnfei4ghj9ence1x_mvx6r-doya_ugicyae7vntradqviu7wgcg6zxegicfcttb9g3nedbbssa[1].bin". The system cannot find the path specified
19:04: Warning: Failed to open file "d:\documents and settings\ms user\local settings\temp\temporary internet files\content.ie5\gtofmd0z\x1pbglk-vql4btnulwnjomzvtlyaagha8w1qdfstcqhxepcncydhf1oy8dkaord7nky-7sntfewb_al_rej_dzdplnyejzkslacuezvnxhfvwrdorvad4hh6ubiw7wurtaznoofajxalhy7kjl4pidgfa[1].bin". The system cannot find the path specified
19:04: Warning: Failed to open file "d:\documents and settings\ms user\local settings\temp\temporary internet files\content.ie5\u5uvmvet\x1pbglk-vql4btnulwnjomzvtlyaagha8w1qdfstcqhxeqn6otj-6tszckxqxiqgrh56fndzxmlagbl2zsyrvrho1_co6iaco_2qach_ib9hnsb7ajezq-rngv1oukblgtz8wcbj5gvrpapl_8je7o2dg[1].bin". The system cannot find the path specified
19:04: Warning: Failed to open file "d:\documents and settings\ms user\local settings\temp\temporary internet files\content.ie5\u5uvmvet\x1pbglk-vql4btnulwnjomzvtlyaagha8w1qdfstcqhxerkgfqh_ywphjnmqqfjszk4n83ogywrvi86klu3mzjbhsfqnvur4hppbowsv1r8c6up2bg29x6euzudxx_lapjcna5dy_ihufgs-871eeyaug[1].bin". The system cannot find the path specified
19:04: Warning: Failed to open file "d:\documents and settings\ms user\local settings\temp\temporary internet files\content.ie5\yp4zyzur\x1pbglk-vql4btnulwnjomzvtlyaagha8w1qdfstcqhxer--p1roq_pa6zkxvsa8mel_zlc9f-zx2ekcjkjnn5l7jk3tmqvzm3enwcmpnthclhvxqko07evzwa64-wyc34762o-04mtebfvdo7mnqgw6q[1].bin". The system cannot find the path specified
19:04: Warning: Failed to open file "d:\documents and settings\ms user\local settings\temp\temporary internet files\content.ie5\yp4zyzur\x1pbglk-vql4btnulwnjomzvtlyaagha8w1qdfstcqhxer1w5g1m48hw9q4krpa7dbdo_fxvmqcnyfm2h9d5izsgejawkyxuvcwnlh6meplglkivgnhw4najhxjyavrztc8qjbibad9jdti6b0wxsb87a[1].bin". The system cannot find the path specified
19:04: 180sainstallersilsais1.exe (ID = 107349)
19:04: res158.tmp (ID = 107353)
19:04: Found Adware: virtualbouncer
19:04: wrapperouter.exe (ID = 82854)
19:04: Found Adware: cas
19:04: cassetup.exe (ID = 133272)
19:04: Found Adware: winad
19:04: mediaaccessinstpack.exe (ID = 90394)
19:04: 180sainstallersca.exe (ID = 146418)
19:04: res205.tmp (ID = 146419)
19:04: weirdontheweb.url (ID = 87896)
19:04: Found Adware: surfsidekick
19:04: sskknwrd.dll (ID = 77733)
19:04: sskcwrd.dll (ID = 77712)
19:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:05: backup-20041204-203909-173.inf (ID = 64605)
19:05: backup-20041202-115148-841.inf (ID = 64605)
19:05: Found Adware: ist yoursitebar
19:05: backup-20041202-115148-315.inf (ID = 91034)
19:05: backup-20041202-000323-199.inf (ID = 91034)
19:05: backup-20041201-173525-819.inf (ID = 64605)
19:05: backup-20041129-193147-133.dll (ID = 74752)
19:05: backup-20041129-193147-133.inf (ID = 74756)
19:05: Found Adware: instant access
19:05: backup-20041204-163952-911.inf (ID = 63698)
19:05: Found System Monitor: potentially rootkit-masked files
19:05: sbeswmdm.exe (ID = 0)
19:05: arptetab.exe (ID = 0)
19:05: ace.dll (ID = 0)
19:05: data.bin (ID = 0)
19:05: ctoafs2k.sys (ID = 0)
19:05: w3scscui.exe (ID = 0)
19:05: ai_20-10-2005.log (ID = 0)
19:05: ai_21-10-2005.log (ID = 0)
19:05: ai_22-10-2005.log (ID = 0)
19:05: ai_23-10-2005.log (ID = 0)
19:05: ai_24-10-2005.log (ID = 0)
19:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
19:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com

######

And I will post the HJT log in a short while...I have my reasons...

Registered · 9 Posts · Discussion Starter · #4
HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 19:31:50, on 24/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Ben's Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

TSF Security Manager, Emeritus · 52,197 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

P2P - I see you have P2P software (i.e. BearShare) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is likely contributing to your current situation. This page will give you further information. I recommend you remove it.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Command Service (cmdService)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

BearShare

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)


Locate the following Files/Folders (delete folders if no filename is specified) and delete them if they exist:

C:\Program Files\BearShare
C:\WINDOWS\T3duZXIA


Restart in normal mode now.


Perform an online scan in Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Restart and run a new HijackThis scan. Save the log file and post it here, along with the L2MFix log and results from the Panda ActiveScan.
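As an added example (not the thread's, HijackThis's or Webroot's own code), a small Python triage script for the HJT log format posted above: it parses the R/O entry lines, flags the classes of entry the helper acted on here (an O23 service whose binary is reported missing, an O20 Winlogon Notify DLL with a generated-looking name, an O17 NameServer override), and diffs the post #1 and post #4 logs to show what the SpySweeper run removed and which flagged entry survived it. The sample lines are copied from the logs in this thread; the allow-list of Winlogon Notify DLLs is an assumption.

```python
"""Triage HijackThis v1.99 log entries and diff two logs.

Added example for this thread; not part of HijackThis, Webroot or the forum.
Sample lines are copied from the logs posted above.  KNOWN_NOTIFY_DLLS is an
assumption: a short allow-list that a real analyst would extend.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")

# Assumption: Winlogon Notify DLLs accepted without review (SpySweeper's own
# WRLogonNTF.dll from this thread plus a few stock Windows XP notify packages).
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll", "crypt32.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# Copied from post #1 (before SpySweeper) and post #4 (after), trimmed to the
# entry lines that changed or that the helper acted on.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A2309FC-AE44-45AA-BC0B-62399F29C023}: NameServer = 212.67.120.148 212.67.96.129
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv86l9ls1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # HJT section code, e.g. "O23"
    body: str   # everything after "O23 - "


@dataclass(frozen=True)
class Finding:
    entry: Entry
    severity: str   # "high" = act on it, "review" = confirm with the user first
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep the R/F/N/O entry lines; the header and process list are skipped."""
    matches = map(ENTRY_RE.match, (line.strip() for line in text.splitlines()))
    return [Entry(m["kind"], m["body"]) for m in matches if m]


def looks_random(basename: str) -> bool:
    """Crude test for generated names like mv86l9ls1.dll: letters mixed with 2+ digits."""
    stem = basename.rsplit(".", 1)[0]
    return sum(c.isdigit() for c in stem) >= 2 and any(c.isalpha() for c in stem)


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the entry classes that mattered in this thread."""
    findings = []
    for e in entries:
        if e.kind == "O23" and (m := SERVICE_RE.match(e.body)):
            if m["missing"]:
                findings.append(Finding(e, "high", "service still registered but its "
                    "binary is gone: stop, disable and delete the registration"))
            elif m["owner"] == "Unknown owner" and "\\Program Files\\" not in m["path"]:
                findings.append(Finding(e, "review", "unknown publisher outside Program Files"))
        elif e.kind == "O20" and (m := NOTIFY_RE.match(e.body)):
            dll = m["dll"].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS and looks_random(dll):
                findings.append(Finding(e, "high", "Winlogon Notify DLL with a generated-"
                    "looking name is loaded by winlogon at every logon"))
        elif e.kind == "O17" and (m := NAMESERVER_RE.search(e.body)):
            findings.append(Finding(e, "review", f"DNS resolvers {m['servers'].strip()} "
                "set in the registry; confirm they belong to the user's ISP"))
    return findings


def compare(before: str, after: str) -> dict:
    """What a cleanup removed, what it added, and which flagged entries survived it."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    survived = triage(sorted(b & a, key=lambda e: e.body))
    return {"removed": sorted(e.body for e in b - a),
            "added": sorted(e.body for e in a - b),
            "survived_flagged": [f.entry.body for f in survived]}


if __name__ == "__main__":
    for f in triage(parse_hjt(BEFORE_LOG)):
        print(f"[{f.severity}] {f.entry.kind}: {f.reason}\n    {f.entry.body}")
    print(compare(BEFORE_LOG, AFTER_LOG))
```

Run against the two logs, the cmdService entry is the only flagged line that survives the SpySweeper pass, which is the one the helper then removes by hand via services.msc and HijackThis.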

Registered · 9 Posts · Discussion Starter · #6
HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:18, on 25/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Documents and Settings\Owner\Desktop\Ben's Folder\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A2309FC-AE44-45AA-BC0B-62399F29C023}: NameServer = 212.67.120.148 212.67.96.129
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Panda Scan Log:

Incident Status Location

Adware:adware/savenow No disinfected C:\PROGRAM FILES\Save
Adware:Adware/Look2Me No disinfected C:\backup.zip[irnul5591.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[l80ulid9180.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[l88m0il1e8q.dll]
Adware:Adware/Look2Me No disinfected C:\backup.zip[wlcdlg.dll]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Amara products.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Battlefield 2.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Borland JBuilder 2006 Enterprise.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Celtic Kings The Punic Wars.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Cinderella Man.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Creature Creator 1.6 standalone.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Dead Meat.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\DFX Sound Enhanchment.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Double Cross.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Exceed PowerSuite.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Fever Pitch.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Green Street Hooligans.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Gwen Stefani - Love, Angel, Music, Bab.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Kingdia DVD Audo Ripper 1.6.5.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Kingdia DVD Ripper Professional 2.4.6.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\LEC Power Translator Pro 9.0.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\LimeWire Pro 4.9.28.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Longhorn SideBar 5.0 for WInXp.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Madagascar.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\McFunSoft Products.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Mercury Interactive LoadRunner 8.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Mr. and Mrs. Smith.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\NetSpeeder.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton Anti-Virus 2005.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton AntiSpam 2004.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton Ghost 9.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton internet security.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton PartitionMagic 8.05.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton Personal Firewall 2005.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Norton Systemworks 2005.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\QuickBooks Premier 2005.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\RestoreIT 6.0.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Rollercoaster World 2.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Sopranos Complete Season 5 DVD Quality.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Swap Magic 3 Playstation 2.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\The Descent.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\The Longest Yard.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\The Perfect Man.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\The sims 2 Nightlife.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\The Terminal.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\The Typing Of The Dead.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\VSO DivXToDVD 1.99.16.45.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\Windows 98 Revolutions Pack 3.6.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\WWW2Image 1.2.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\Documents and Settings\Owner\Complete\xXx 2 State of the Union.zip[Setup.exe]
Adware:Adware/IPBill No disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Downloads\Battle Anims\loader.exe
Virus:Trj/Downloader.YD Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\Adobe_Photoshop_CS_v8[1].0_and_Adobe_ImageReady_CS_v8.0.zip[iwj.exe]
Adware:Adware/Trymedia No disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\CueClub.exe
Virus:Bck/Mosucker.Q Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\EmailHacker.zip[EmailHacker.exe]
Hacktool:Flooder Program No disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\email_spammer_3.0.zip[Email Spammer 3.0.0.2.exe]
Hacktool:HackTool/EvID4226 No disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\EvID4226Patch212-en.zip[EvID4226Patch.exe]
Adware:Adware/Trymedia No disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\GutterballSetup.exe
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\hhl_3.5.zip[Setup (dont open!).exe]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\hhl_3.5.zip[HHL.exe]
Virus:Trj/MsnFake.C Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msnhks1\Server\Msngr72win.exe
Virus:Trj/MsnFake.D Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msnhks1.zip[msnmsgrhk.exe]
Virus:Trj/MsnFake.C Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msnhks1.zip[Msn Echo.exe]
Virus:Trojan Horse Disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\pass_stealer.zip[Pass Stealer.exe]
Adware:Adware/BrilliantDigitalNo disinfected C:\Documents and Settings\Owner\Desktop\Ben's Folder\Programs\KaZaA\bdcore.dll
Adware:Adware/Zeno No disinfected C:\WINDOWS\system32\cxdxregt.exe
Possible Virus. No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3QL684YB\nat3[1].exe
Possible Virus. No disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\JXLXYHKA\nat2[1].exe
Adware:Adware/Zeno No disinfected C:\zxinst_ms001.#xe
Spyware:Spyware/BetterInet No disinfected D:\FOUND.001\FILE0012.CHK
Spyware:Spyware/BetterInet No disinfected D:\WINDOWS\SYSTEM\QBUninstaller.exe
Virus:Trj/Qhost.gen Disinfected D:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS.BAK
Adware:Adware/Look2Me No disinfected D:\WINDOWS\SYSTEM32\ffInst.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\WINDOWS\SYSTEM32\file.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\WINDOWS\SYSTEM32\wincfg32.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\WINDOWS\SYSTEM32\wuauclt.exe.tmp
Adware:Adware/AzeSearch No disinfected D:\WINDOWS\SYSTEM32\azesearch4.ocx
Adware:Adware/Maxifiles No disinfected D:\WINDOWS\SYSTEM32\mc-110-12-0000079.exe
Virus:Trj/Modwinet.A Disinfected D:\WINDOWS\wintcpmod.exe
Adware:Adware/SBSoft No disinfected D:\WINDOWS\Downloaded Program Files\CONFLICT.1\webdlg32.inf
Dialer:Dialer.CBZ No disinfected D:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnFR1824.exe
Dialer:Dialer.Gen No disinfected D:\WINDOWS\Downloaded Program Files\1014061.exe
Adware:Adware/SBSoft No disinfected D:\WINDOWS\Downloaded Program Files\CONFLICT.2\webdlg32.inf
Dialer:Dialer.CBZ No disinfected D:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnFR1824.exe
Dialer:Dialer.CBZ No disinfected D:\WINDOWS\Downloaded Program Files\gdnFR1824.exe
Adware:Adware/IST.ISTBar No disinfected D:\WINDOWS\YWRSTmp3toolbar.exe
Adware:Adware/IST.ISTBar No disinfected D:\WINDOWS\Hmp3toolbar.exe
Adware:Adware/Weirdontheweb No disinfected D:\WINDOWS\weirdontheweb_topc.exe
Spyware:Spyware/BetterInet No disinfected D:\WINDOWS\thin-114-1-x-x.exe
Adware:Adware/Maxifiles No disinfected D:\Program Files\Common Files\InetGet\mc-110-12-0000079.exe
Adware:Adware/Maxifiles No disinfected D:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
Virus:Trojan Horse Disinfected D:\Program Files\MSN Messenger\msnsnatcher.exe
Adware:Adware/WUpd No disinfected D:\Program Files\AdStatus Service\AdStatComm.dll
Dialer:Dialer.Gen No disinfected D:\holi523599.exe
Adware:Adware/IST.ISTBar No disinfected D:\My Downloads\MP3 Toolbar 1.5 [Download Mp3's From Your Browser] Faster Than BearShare Pro, LimeWire Pro and Morpheus Ultra (BRAND NEW).exe
Adware:Adware/SurfAccuracy No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\uninstall.exe
Dialer:Dialer.BGL No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\ICD8.tmp\games.inf
Virus:W32/Gaobot.gen.worm Disinfected D:\Documents and Settings\MS User\Local Settings\Temp\wmsfxpzyji.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\Documents and Settings\MS User\Local Settings\Temp\ygzdolettjt.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\Documents and Settings\MS User\Local Settings\Temp\edxsemdwhx.exe
Spyware:Spyware/SurfSideKick No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\iC.tmp
Dialer:Dialer.BGL No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\ICD18.tmp\games.inf
Adware:Adware/nCase No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\180sainstaller.exe
Adware:Adware/nCase No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\res12.tmp
Adware:Adware/nCase No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\180sainstallersilsais1.exe
Adware:Adware/nCase No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\res158.tmp
Dialer:Dialer.BGL No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\ICD22.tmp\games.inf
Adware:Adware/VirtualBouncer No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\wrapperouter.exe
Spyware:Spyware/SurfSideKick No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\i1E7.tmp
Adware:Adware/WinAD No disinfected D:\Documents and Settings\MS User\Local Settings\Temp\MediaAccessInstPack.exe
Adware:Adware/IPBill No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004142.exe
Adware:Adware/BrilliantDigitalNo disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004327.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004439.inf
Adware:Adware/WinAD No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004441.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004443.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004445.inf
Adware:Adware Program No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004447.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004449.inf
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004452.inf
Adware:Adware/WinAD No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004453.dll
Dialer:Dialer.B No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004459.dll
Adware:Adware Program No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004460.inf
Adware:Adware/Exact.BargainBuddyNo disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004470.dll
Adware:Adware/WUpd No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004484.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004486.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004488.inf
Adware:Adware/Apropos No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004499.dll
Adware:Adware/SBSoft No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004505.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004506.inf
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004508.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004514.inf
Adware:Adware/IST.SideFind No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004516.dll
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004518.inf
Adware:Adware/AzeSearch No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004524.dll
Adware:Adware Program No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004525.inf
Adware:Adware/AzeSearch No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004526.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004527.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004529.inf
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004531.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004534.inf
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004539.inf
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004543.inf
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004547.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004551.inf
Adware:Adware/AzeSearch No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004555.inf
Adware:Adware/Apropos No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004556.dll
Adware:Adware/Apropos No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004557.dll
Adware:Adware/Apropos No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004558.dll
Adware:Adware/IST.SideFind No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004560.dll
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004563.inf
Adware:Adware/WUpd No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004565.dll
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004571.inf
Adware:Adware/Apropos No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004574.dll
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004576.inf
Dialer:Dialer.OK No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004590.inf
Adware:Adware/IST.SideFind No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004599.dll
Adware:Adware/Exact.BargainBuddyNo disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004602.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004608.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004609.dll
Adware:Adware/IST.ISTBar No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004615.dll
Adware:Adware/Novo No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004618.dll
Adware:Adware/Exact.BargainBuddyNo disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004619.dll
Adware:Adware/IST.SideFind No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004622.dll
Adware:Adware/nCase No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004628.dll
Dialer:Dialer.BKJ No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004631.inf
Adware:Adware/Exact.BargainBuddyNo disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004633.dll
Adware:Adware/IST.SideFind No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004636.dll
Adware:Adware/nCase No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004638.dll
Adware:Adware/BigTrafficNet No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004643.dll
Adware:Adware/Trymedia No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004769.exe
Adware:Adware/Trymedia No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004770.exe
Virus:Trj/MsnFake.C Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004838.exe
Hacktool:HackTool Program.VA No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP27\A0004843.exe
Adware:Adware/TopRebates No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013562.exe
Adware:Adware/SaveNow No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013565.exe
Adware:Adware/ClockSync No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013576.exe
Adware:Adware/KeenValue No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013577.exe
Adware:Adware/DownloadWare No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013579.EXE
Adware:Adware Program No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013587.inf
Adware:Adware Program No disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013588.inf
Adware:Adware/Exact.BargainBuddyNo disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP71\A0013589.dll
Virus:W32/Gaobot.gen.worm Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014820.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014821.exe
Virus:Trj/Modwinet.A Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014822.exe
Virus:Trojan Horse Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014823.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014824.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014825.exe
Virus:W32/Gaobot.gen.worm Disinfected D:\System Volume Information\_restore{890698F4-53E1-4FB6-AF51-E8B188ECE60B}\RP72\A0014826.exe
Adware:Adware/IPBill No disinfected D:\backup\Ben's Folder\Downloads\Battle Anims\loader.exe
Adware:Adware/BrilliantDigitalNo disinfected D:\backup\Ben's Folder\Programs\KaZaA\bdcore.dll
Adware:Adware/IST.ISTBar No disinfected D:\backup\Ben's Folder\backups\backup-20041204-203909-173.inf
Adware:Adware/IST.ISTBar No disinfected D:\backup\Ben's Folder\backups\backup-20041202-115148-841.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\backup\Ben's Folder\backups\backup-20041202-115148-315.inf
Adware:Adware/IST.YourSiteBar No disinfected D:\backup\Ben's Folder\backups\backup-20041202-000323-199.inf
Adware:Adware/IST.ISTBar No disinfected D:\backup\Ben's Folder\backups\backup-20041201-173525-819.inf
Dialer:Dialer.B No disinfected D:\backup\Ben's Folder\backups\backup-20041204-163952-911.dll
Hacktool:HackTool Program.VA No disinfected D:\backup\Ben's Folder\Lyrics\hakers\hackersutil.htm\Hu.exe



L2M Log:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1164 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1448 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\irnul5591.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l80ulid9180.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l88m0il1e8q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlcdlg.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\irnul5591.dll
Successfully Deleted: C:\WINDOWS\system32\irnul5591.dll
deleting: C:\WINDOWS\system32\l80ulid9180.dll
Successfully Deleted: C:\WINDOWS\system32\l80ulid9180.dll
deleting: C:\WINDOWS\system32\l88m0il1e8q.dll
Successfully Deleted: C:\WINDOWS\system32\l88m0il1e8q.dll
deleting: C:\WINDOWS\system32\wlcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\wlcdlg.dll


Zipping up files for submission:
adding: irnul5591.dll (188 bytes security) (deflated 5%)
adding: l80ulid9180.dll (188 bytes security) (deflated 5%)
adding: l88m0il1e8q.dll (188 bytes security) (deflated 5%)
adding: wlcdlg.dll (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 52%)
adding: lo2.txt (188 bytes security) (deflated 69%)
adding: test.txt (188 bytes security) (deflated 55%)
adding: test2.txt (188 bytes security) (deflated 34%)
adding: test3.txt (188 bytes security) (deflated 34%)
adding: test5.txt (188 bytes security) (deflated 34%)
adding: xfind.txt (188 bytes security) (deflated 50%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: irnul5591.dll
deleting local copy: l80ulid9180.dll
deleting local copy: l88m0il1e8q.dll
deleting local copy: wlcdlg.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\irnul5591.dll
C:\WINDOWS\system32\l80ulid9180.dll
C:\WINDOWS\system32\l88m0il1e8q.dll
C:\WINDOWS\system32\wlcdlg.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{4CA152D5-7D49-473C-9977-D593CA156FD9}"=-
"{98D57F2B-6E19-4368-ACAA-716F6B5F1335}"=-
"{449DB289-7205-44DC-962D-4D6A8078726C}"=-
"{2618F722-0616-4A51-B0F5-896A2EE959CE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{4CA152D5-7D49-473C-9977-D593CA156FD9}]
[-HKEY_CLASSES_ROOT\CLSID\{98D57F2B-6E19-4368-ACAA-716F6B5F1335}]
[-HKEY_CLASSES_ROOT\CLSID\{449DB289-7205-44DC-962D-4D6A8078726C}]
[-HKEY_CLASSES_ROOT\CLSID\{2618F722-0616-4A51-B0F5-896A2EE959CE}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************




This message is wayyyy too long, I hope its what you were wanting - cheers
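The L2M log above locks down and exports the Winlogon\Notify key and deletes four random-named DLLs from system32. Packages registered under that key are loaded by winlogon.exe at boot, before any user logs on, which is why a rogue entry there survives ordinary per-user cleanup. The following is an added example, not code from this thread or from the L2M tool, that performs the same check on a REGEDIT export: it decodes both plain and hex(2) DllName values and reports every package whose DLL is not one Windows XP ships with. The allowlist is an assumption, and the sample export is constructed (its irnul5591 entry is made up to look like the files L2M found); the third-party WRNotifier entry from the real export is reported only because it is not on that allowlist.

```python
"""Check a REGEDIT export of the Winlogon Notify key for unexpected DLLs.

Added example; not code from the thread or from the L2M tool. The allowlist
below is an assumption: the notify DLLs Windows XP registers out of the box.
"""
import re

# Assumption: DLLs behind the Notify subkeys a stock Windows XP install creates.
KNOWN_XP_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}
NOTIFY_PREFIX = "\\winlogon\\notify\\"   # matched case-insensitively against key paths


def _logical_lines(export_text):
    """Merge REGEDIT continuation lines (trailing backslash) into single lines."""
    merged, pending = [], ""
    for raw in export_text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        merged.append(pending + line)
        pending = ""
    if pending:
        merged.append(pending)
    return merged


def _decode_value(raw):
    """Turn a "quoted" REG_SZ or a hex(2): REG_EXPAND_SZ value into a str."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")        # .reg escapes backslashes
    match = re.match(r"hex\(2\):(.*)$", raw)
    if match:
        data = bytes(int(b, 16) for b in match.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")  # hex(2) is NUL-terminated UTF-16LE
    return raw


def parse_notify_packages(export_text):
    """Map each Winlogon Notify subkey name to its DllName (None if absent)."""
    packages, current = {}, None
    for line in _logical_lines(export_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(NOTIFY_PREFIX)
            current = key[pos + len(NOTIFY_PREFIX):] if pos != -1 else None
            if current:
                packages.setdefault(current, None)
            continue
        if current and line.lower().startswith('"dllname"='):
            packages[current] = _decode_value(line.split("=", 1)[1].strip())
    return packages


def find_unexpected_packages(export_text, allowlist=KNOWN_XP_NOTIFY_DLLS):
    """Return {subkey: dll} for packages whose DLL basename is not allowlisted."""
    flagged = {}
    for name, dll in parse_notify_packages(export_text).items():
        basename = dll.rsplit("\\", 1)[-1].lower() if dll else None
        if basename not in allowlist:
            flagged[name] = dll
    return flagged


# Constructed sample in the format of the export above: two stock XP entries, one
# third-party package, and a made-up random-named DLL in the Look2Me style.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\irnul5591]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\irnul5591.dll"
"Logon"="WinLogon"
'''

if __name__ == "__main__":
    for subkey, dll in find_unexpected_packages(SAMPLE_EXPORT).items():
        print(f"review: Notify\\{subkey} -> {dll}")
```

To run it against a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and feed the file's text to find_unexpected_packages; anything reported that is not a product you recognise is worth checking on disk before deleting, since Winlogon will not start the shell cleanly if a legitimate package is removed.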
 

TSF Security Manager, Emeritus
52,197 Posts
The message is long, because you've been severely infected.

Are you editing your HJT log? That seems very light for an XP system, and many of the things which panda found should have shown up in HJT.

CLEAR & RESET SYSTEM RESTORE'S CACHE
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Reboot into safe mode.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Restart in normal mode.

Perform an online scan with Internet Explorer with

Kaspersky Online Scanner

Next, click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


Please return with results from:

Ewido
Kaspersky
Antispyware.log
 

Discussion Starter · #8 ·
Trend Micro Log:

Summary of Privacy Threats:
No Spyware found.


Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, October 26, 2005 23:15:13
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/10/2005
Kaspersky Anti-Virus database records: 146949
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 227045
Number of viruses found: 16
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 9553 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\Adobe_Photoshop_CS_v8.0_Fixed.zip Infected: Trojan-Downloader.JS.IstBar.y
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\email_spammer_3.0.zip/Email Spammer 3.0/Email Spammer 3.0.0.2.exe Infected: Email-Flooder.Win32.VB.f
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\email_spammer_3.0.zip Infected: Email-Flooder.Win32.VB.f
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\mbhttpbf.exe/data0001 Infected: Backdoor.Win32.DSSdoor.b
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\mbhttpbf.exe/data0003 Infected: HackTool.Win32.VB.ao
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\mbhttpbf.exe Infected: HackTool.Win32.VB.ao
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar/a221.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar/a1.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar/a2.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar/a3.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar/a4.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar/a21.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\msn_winks.rar Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\Ricochet.Lost.Worlds.v1.0.13.Incl.Keygen-DiSTiNCT.ZIP Infected: Trojan-Downloader.JS.IstBar.y
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a221.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a1.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a2.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a3.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a4.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a21.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip Infected: Exploit.HTML.DragDrop
C:\Program Files\XoftSpy\Quarantine\Quarantine20-10-2005-20-51-11.xpy/Setup.exe Infected: Worm.Win32.VB.an
C:\Program Files\XoftSpy\Quarantine\Quarantine20-10-2005-20-51-11.xpy Infected: Worm.Win32.VB.an
C:\WINDOWS\system32\ciatopen.dll Infected: Trojan.Win32.Crypt.t
D:\WINDOWS\SYSTEM32\remove_me.dll Infected: Trojan.Win32.StartPage.ld
D:\WINDOWS\SYSTEM32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
D:\WINDOWS\SYSTEM32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
D:\WINDOWS\SYSTEM32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
D:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnFR1824.exe Infected: Trojan.Win32.Dialer.ht
D:\WINDOWS\Downloaded Program Files\1014061.exe Infected: Trojan.Win32.Dialer.q
D:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnFR1824.exe Infected: Trojan.Win32.Dialer.ht
D:\WINDOWS\Downloaded Program Files\gdnFR1824.exe Infected: Trojan.Win32.Dialer.ht
D:\WINDOWS\YWRSTmp3toolbar.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
D:\WINDOWS\YWRSTmp3toolbar.exe Infected: Trojan-Downloader.Win32.INService.ja
D:\WINDOWS\Hmp3toolbar.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
D:\WINDOWS\Hmp3toolbar.exe Infected: Trojan-Downloader.Win32.INService.ja
D:\My Downloads\MP3 Toolbar 1.5 [Download Mp3's From Your Browser] Faster Than BearShare Pro, LimeWire Pro and Morpheus Ultra (BRAND NEW).exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
D:\My Downloads\MP3 Toolbar 1.5 [Download Mp3's From Your Browser] Faster Than BearShare Pro, LimeWire Pro and Morpheus Ultra (BRAND NEW).exe Infected: Trojan-Downloader.Win32.INService.ja
D:\Documents and Settings\MS User\My Documents\My Received Files\Hacking - Msn Hacker.exe Infected: not-virus:Hoax.DOS.MailGex
D:\backup\Ben's Folder\backups\backup-20041204-163952-911.dll Infected: Trojan.Win32.P2E.bc
D:\backup\Ben's Folder\Lyrics\hakers\hackersutil.htm\Hu.exe Infected: HackTool.Win32.HackersUtility.a

Scan process completed.


Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:58:33, 26/10/2005
+ Report-Checksum: F1030187

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned without backup
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned without backup
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned without backup
C:\WINDOWS\system32\cxdxregt.exe -> Spyware.ZenoSearch : Cleaned without backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned without backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned without backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned without backup


::Report End



Cheers, duder
Sorry 'bout the late reply
 

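The Kaspersky report above lists one line per infected object, and archive members (a `.hta` inside `msn_winks.rar` inside `yeah.zip`, or the `data0002` resource packed inside `GSM3-0511.exe`) are written as the on-disk file followed by `/` and the inner path. When a log has dozens of such lines, the file-removal list the helper later compiles by hand can be derived mechanically: split each object on the first `/` to recover the outermost container, de-duplicate, and separate live hits under `\WINDOWS\` from dormant downloads. The Python below is an added example, not code from the thread or from Kaspersky; the sample input is a constructed subset of the report lines posted above, and the `not-virus:` handling relies on Kaspersky's convention of prefixing hoax/riskware verdicts that way.

```python
"""Parse a Kaspersky On-line Scanner report into structured findings."""
from collections import Counter
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Optional

# Constructed sample input: a subset of the "Infected Object Name - Virus Name"
# lines from the report posted above, framed the way the scanner prints them.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar/a1.hta Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip/msn_winks.rar Infected: Exploit.HTML.DragDrop
C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics\yeah.zip Infected: Exploit.HTML.DragDrop
C:\WINDOWS\system32\ciatopen.dll Infected: Trojan.Win32.Crypt.t
D:\WINDOWS\SYSTEM32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
D:\WINDOWS\SYSTEM32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
D:\WINDOWS\SYSTEM32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
D:\Documents and Settings\MS User\My Documents\My Received Files\Hacking - Msn Hacker.exe Infected: not-virus:Hoax.DOS.MailGex

Scan process completed.
"""

MARKER = " Infected: "


class Detection(NamedTuple):
    disk_path: str            # file as it exists on disk (outermost container)
    member: Optional[str]     # path inside an archive or packed exe, if any
    detection: str            # scanner's verdict name

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes hoaxes/riskware with "not-virus:"; these are not
        # malicious code and usually warrant a different response.
        return self.detection.startswith("not-virus:")

    @property
    def in_system_dir(self) -> bool:
        # A hit under <drive>:\WINDOWS\... is a live infection, whereas hits in
        # download folders are usually dormant files waiting to be run.
        parts = PureWindowsPath(self.disk_path).parts
        return len(parts) > 1 and parts[1].lower() == "windows"


def parse_report(text: str) -> List[Detection]:
    """Turn the scanner's 'object Infected: name' lines into Detection records."""
    found = []
    for line in text.splitlines():
        obj, sep, name = line.rpartition(MARKER)
        if not sep or not name.strip():
            continue  # header, blank line, or summary text
        # Archive members are separated from the on-disk file with '/', while
        # Windows paths themselves only use '\', so the first '/' is the split.
        disk_path, _, member = obj.partition("/")
        found.append(Detection(disk_path, member or None, name.strip()))
    return found


def files_to_remove(found: List[Detection], include_riskware: bool = False) -> List[str]:
    """Unique on-disk files that contained at least one detection, one entry per file."""
    paths = {d.disk_path for d in found if include_riskware or not d.riskware}
    return sorted(paths, key=str.lower)


def detections_by_name(found: List[Detection]) -> Counter:
    """How many objects each verdict name matched, for a quick overview."""
    return Counter(d.detection for d in found)


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for name, n in detections_by_name(hits).most_common():
        print(f"{n:3d}  {name}")
    print("\nFiles to remove (one entry per on-disk file):")
    for path in files_to_remove(hits):
        flag = "  [system dir]" if Detection(path, None, "").in_system_dir else ""
        print(f"  {path}{flag}")
```

Note that the output is per on-disk file, so `yeah.zip` appears once even though the scanner reported it three times; a whole directory such as `C:\WINDOWS\wt` from the Ewido log would still have to be added by hand, since only the files inside it are named in the report.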
TSF Security Team, Emeritus
Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X] Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

C:\Documents and Settings\Owner\Desktop\Ben's Folder\Lyrics <--delete this folder IF you didn't create it. It's FULL of viruses and adware programs. If you did create it and want to keep it......delete every file listed in the KASPERSKY scan log.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\system32\ciatopen.dll
D:\WINDOWS\SYSTEM32\remove_me.dll
D:\WINDOWS\SYSTEM32\GSM3-0511.exe
D:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnFR1824.exe
D:\WINDOWS\Downloaded Program Files\1014061.exe
D:\WINDOWS\Downloaded Program Files\CONFLICT.2\
D:\WINDOWS\YWRSTmp3toolbar.exe
D:\WINDOWS\Hmp3toolbar.exe
C:\WINDOWS\wt


Once you reboot...run another KASPERSKY scan and post its log.
 