MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Spyware and Pop Ups Issues -- Hijack Log  (Read 1744 times)
shonbacon
Jr. Member
Posts: 15
« on: October 29, 2005, 02:39:54 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:  Windows XP SP2 (WinNT 5.01.2600)
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Spyware got onto my computer a few days ago and made it impossible for me to use my explorer.exe.  I could log onto the computer, but the explorer/desktop would freeze.  A friend of mine used DOS and the Task Manager to clean up SOME things, and today, by using SEVERAL programs, such as Trend Micro House Call, Ad Aware, Spybot, and Hijack This, I was able to get it to where I could use the explorer, but now I have a-d-w-a-r-e.com/ad-a-w-a-r-e.com and searc-h.com pop ups and ads all over the place.  I'm not sure how to fix this.

I read the file, Please Read Before Posting A Hijack This Log, and I have used the above software again to fix it, and nothing.  Below is my log file for Hijack This.  Any help would be appreciated!




Logfile of HijackThis v1.99.1
Scan saved at 9:32:33 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MSU\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.microsoftoffice.com/productupdates/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130466803633
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130466783334
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E23EA0-8FA2-4D65-8414-E01B80694F28}: NameServer = 192.251.100.140,192.251.101.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mcneese.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mcneese.edu
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\irjql5151.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\q99949229.dll
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

PeAcE
**********

Shon
ChickLitGurrl :: Musings of a SOON-TO-BE Bestseller
http://chicklitgurrl.blogspot.com
sUBs
Global Moderator
Posts: 278
« Reply #1 on: October 29, 2005, 09:12:06 AM »

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)
When SpySweeper starts, please accept any prompts to update definitions. Exit the program after you have updated.

Download and install  CleanUp!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Reboot your computer into Safe Mode.  
Restart your computer and continually tap the F8 key until a menu appears.  
Use your up arrow key to highlight Safe Mode then hit enter.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • ViewPoint  


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In HijackThis, place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\q99949229.dll
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - (no file)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Viewpoint\
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe
  • C:\WINDOWS\system32\st3.dll
  • C:\WINDOWS\q99949229.dll


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Launch & use the diagnostic version of SpySweeper & configure it as follows:

  • Click on the Start button
  • After it has finished scanning, click the Next button
  • Allow Spysweeper to reboot your machine to remove the infected files.
  • Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

IMPORTANT - do not use your computer as you scan.

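Added example (not code from this thread, from HijackThis or from Webroot): a small Python parser for the HijackThis log format quoted in this thread. It diffs two scans so a helper can see which entries vanished after "Fix checked" and which new ones appeared, and it applies a few triage heuristics for the entry shapes the moderator acted on above (an O4 Run value named Shell, O20 Winlogon Notify DLLs outside system32 or with random-looking names, O21 SSODL entries marked "(no file)", and O15 Trusted Zone additions). The two sample logs are constructed from a handful of this thread's own lines; the heuristics are my assumptions for triage, not HijackThis features, and as st3.dll shows, a short plausible DLL name passes them, so the output is a shortlist for a human to confirm, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample logs in the HijackThis v1.99.1 layout used in this thread.
# Entries are modelled on the thread's own lines (st3.dll, ibm00007.exe, the
# orphaned SSODL CLSID); the point is the format and the before/after diff.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 9:32:33 PM, on 10/28/2005

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\q99949229.dll
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:36:09 PM, on 10/29/2005

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.coolwebsearch.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# A log entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: st3 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "R0", "O4", "O20", ...
    body: str     # everything after the "Oxx - " prefix


def parse_hjt(text):
    """Return the R/F/O entries of a HijackThis log. The header and the
    'Running processes' block do not match ENTRY_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def _sort_key(e):
    # Sort numerically by section (O4 before O20), then by body text.
    return (e.section[0], int(e.section[1:]), e.body)


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a, key=_sort_key), sorted(a - b, key=_sort_key)


def review_flags(entry):
    """Triage heuristics (assumptions for this example, not a HijackThis
    feature) that pick out the entry shapes the moderator acted on."""
    flags = []
    sec, body = entry.section, entry.body
    if sec == "O15":
        # Trusted-zone sites get relaxed IE security settings; any addition merits a look.
        flags.append("trusted-zone entry")
    if sec == "O20":
        m = re.match(r"Winlogon Notify: \S+ - (.+)$", body)
        if m:
            path = m.group(1)
            if not path.lower().startswith("c:\\windows\\system32\\"):
                flags.append("winlogon notify DLL outside system32")
            stem = path.rsplit("\\", 1)[-1].split(".")[0]
            if len(stem) >= 8 and sum(c.isdigit() for c in stem) >= len(stem) // 2:
                flags.append("random-looking DLL name")
    if sec == "O21" and body.endswith("(no file)"):
        flags.append("orphaned SSODL entry (no file on disk)")
    if sec == "O4" and "[Shell]" in body:
        flags.append("Run value named 'Shell' (mimics the Winlogon Shell value)")
    return flags


def triage(text):
    """Map each flagged entry (as its original log line) to its review reasons."""
    result = {}
    for e in parse_hjt(text):
        flags = review_flags(e)
        if flags:
            result[f"{e.section} - {e.body}"] = flags
    return result


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Gone since last scan:")
    for e in removed:
        print(f"  - {e.section} - {e.body}")
    print("New since last scan:")
    for e in added:
        print(f"  + {e.section} - {e.body}")
    print("Entries to review in the latest log:")
    for line, flags in triage(AFTER_LOG).items():
        print(f"  {line}\n      reasons: {', '.join(flags)}")
```

The diff is the useful part when reading a follow-up log like the one posted below: entries that were fixed should be in the "gone" list, and anything in the "new" list (here an O15 Trusted Zone entry, which the earlier scan did not have) deserves the same scrutiny as the original findings, because a Trusted Zone entry lowers Internet Explorer's security settings for that site.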

 
shonbacon
Jr. Member
Posts: 15
« Reply #2 on: October 30, 2005, 03:44:17 AM »

Okay, I followed all the directions.

I could not find C:\Program Files\Viewpoint, C:\WINDOWS\system32\st3.dll, and C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe; however, there was an "ibm00008.exe" in the folder.

I could not delete C:\WINDOWS\q99949229.dll.


Below is my SpySweeper Log and my Hijack This Log.


----SPYSWEEPER LOG----

********
10:18 PM: |       Start of Session, Saturday, October 29, 2005       |
10:18 PM: Spy Sweeper started
10:18 PM: Sweep initiated using definitions version 564
10:18 PM: Starting Memory Sweep
10:19 PM: Memory Sweep Complete, Elapsed Time: 00:01:01
10:19 PM: Starting Registry Sweep
10:20 PM: Registry Sweep Complete, Elapsed Time:00:00:12
10:20 PM: Starting Cookie Sweep
10:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:20 PM: Starting File Sweep
10:29 PM: File Sweep Complete, Elapsed Time: 00:09:09
10:29 PM: Full Sweep has completed.  Elapsed time 00:10:31
10:29 PM: Traces Found: 0
********
9:27 PM: |       Start of Session, Saturday, October 29, 2005       |
9:27 PM: Spy Sweeper started
9:27 PM: Sweep initiated using definitions version 564
9:27 PM: Found Trojan Horse: trojan-downloader-2pursuit
9:27 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\st3\ || dllname (ID = 910576)
9:27 PM: st3.dll (ID = 910576)
9:27 PM: Starting Memory Sweep
9:28 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\st3.dll (ID = 178361)
9:28 PM:   Found Adware: icannnews
9:28 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\jt8o07l3e.dll (ID = 83)
9:28 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:28 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:28 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:28 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 PM:   Detected running threat: C:\WINDOWS\SYSTEM32\mjacm32.dll (ID = 83)
9:29 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:29 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:29 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 PM: Memory Sweep Complete, Elapsed Time: 00:03:07
9:30 PM: Starting Registry Sweep
9:30 PM:   Found Trojan Horse: trojan - zerotollerance
9:30 PM:   HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (ID = 608255)
9:30 PM:   HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (ID = 609144)
9:30 PM:   Found Adware: trojan-backdoor-lev
9:30 PM:   HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.excn (ID = 609193)
9:30 PM:   Found Trojan Horse: trojan-backdoor-us15info
9:30 PM:   HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 762897)
9:30 PM:   HKCR\clsid\{1b68470c-2def-493b-8a4a-8e2d81be4ea5}\  (5 subtraces) (ID = 910438)
9:30 PM:   HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {1b68470c-2def-493b-8a4a-8e2d81be4ea5} (ID = 910513)
9:30 PM:   HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\st3\  (10 subtraces) (ID = 910519)
9:30 PM:   HKLM\software\classes\clsid\{1b68470c-2def-493b-8a4a-8e2d81be4ea5}\  (5 subtraces) (ID = 910556)
9:30 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:30 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:30 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:30 PM:   HKU\S-1-5-21-828566072-4226927502-599927338-1005\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
9:30 PM:   HKU\S-1-5-21-828566072-4226927502-599927338-1005\software\microsoft\gg\conf\  (1 subtraces) (ID = 802702)
9:30 PM:   HKU\S-1-5-21-828566072-4226927502-599927338-1005\software\microsoft\st3\  (11 subtraces) (ID = 910473)
9:30 PM: Registry Sweep Complete, Elapsed Time:00:00:14
9:30 PM: Starting Cookie Sweep
9:30 PM:   Found Spy Cookie: 3 cookie
9:30 PM:   msu@3[1].txt (ID = 1959)
9:30 PM:   Found Spy Cookie: 888 cookie
9:30 PM:   msu@888[1].txt (ID = 2019)
9:30 PM:   Found Spy Cookie: websponsors cookie
9:30 PM:   msu@a.websponsors[2].txt (ID = 3665)
9:30 PM:   Found Spy Cookie: yieldmanager cookie
9:30 PM:   msu@ad.yieldmanager[2].txt (ID = 3751)
9:30 PM:   Found Spy Cookie: adknowledge cookie
9:30 PM:   msu@adknowledge[1].txt (ID = 2072)
9:30 PM:   Found Spy Cookie: hbmediapro cookie
9:30 PM:   msu@adopt.hbmediapro[2].txt (ID = 2768)
9:30 PM:   Found Spy Cookie: ask cookie
9:30 PM:   msu@ask[1].txt (ID = 2245)
9:30 PM:   Found Spy Cookie: azjmp cookie
9:30 PM:   msu@azjmp[2].txt (ID = 2270)
9:30 PM:   Found Spy Cookie: enhance cookie
9:30 PM:   msu@c.enhance[1].txt (ID = 2614)
9:30 PM:   Found Spy Cookie: clickandtrack cookie
9:30 PM:   msu@hits.clickandtrack[2].txt (ID = 2397)
9:30 PM:   Found Spy Cookie: metareward.com cookie
9:30 PM:   msu@metareward[1].txt (ID = 2990)
9:30 PM:   Found Spy Cookie: nextag cookie
9:30 PM:   msu@nextag[2].txt (ID = 5014)
9:30 PM:   Found Spy Cookie: reunion cookie
9:30 PM:   msu@reunion[2].txt (ID = 3255)
9:30 PM:   Found Spy Cookie: rn11 cookie
9:30 PM:   msu@rn11[2].txt (ID = 3261)
9:30 PM:   Found Spy Cookie: upspiral cookie
9:30 PM:   msu@www.upspiral[2].txt (ID = 3615)
9:30 PM:   msu@yieldmanager[1].txt (ID = 3749)
9:30 PM:   msu@ad.yieldmanager[2].txt (ID = 3751)
9:30 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:30 PM: Starting File Sweep
9:32 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:32 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:32 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:32 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:32 PM:   Found Trojan Horse: trojan-phisher-egold
9:32 PM:   phhfqlhk.exe (ID = 167138)
9:32 PM:   Found Adware: coolwebsearch (cws)
9:32 PM:   adsldpbc[3].dll (ID = 168772)
9:33 PM:   Found Adware: look2me
9:33 PM:   appwrap[1].exe (ID = 65739)
9:33 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:33 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:33 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:33 PM:   st3.dll (ID = 178361)
9:34 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:34 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:34 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:34 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:34 PM:   elf_bot[1].exe (ID = 167138)
9:35 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:35 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:35 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:35 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:36 PM:   Found Adware: targetsaver
9:36 PM:   113_dollarrevenue_4_0_3_9[1].exe (ID = 166444)
9:37 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:37 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:37 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:37 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:38 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:38 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:38 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:38 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:38 PM:   bw2.com (ID = 65739)
9:39 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:39 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:39 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:41 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:41 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:41 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:41 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:41 PM:   appwrap[1].exe (ID = 65722)
9:42 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:42 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:42 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:42 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:43 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:43 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:43 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:43 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:44 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:44 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:45 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:45 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:45 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:45 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:47 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:47 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:47 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:47 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:48 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:48 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:48 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:48 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:49 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:49 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:49 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:49 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:49 PM:   Warning: Invalid Stream
9:49 PM:   Warning: Invalid Stream
9:49 PM:   Warning: Invalid Stream
9:49 PM:   Warning: Invalid Stream
9:49 PM: File Sweep Complete, Elapsed Time: 00:19:01
9:49 PM: Full Sweep has completed.  Elapsed time 00:22:28
9:49 PM: Traces Found: 73
9:50 PM: Removal process initiated
9:50 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:50 PM:   The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:50 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:50 PM:   The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:51 PM:   Quarantining All Traces: look2me
9:51 PM:   Quarantining All Traces: trojan-backdoor-us15info
9:51 PM:   Quarantining All Traces: trojan-downloader-2pursuit
9:51 PM:   trojan-downloader-2pursuit is in use.  It will be removed on reboot.
9:51 PM:     st3.dll is in use.  It will be removed on reboot.
9:51 PM:     st3.dll is in use.  It will be removed on reboot.
9:51 PM:     C:\WINDOWS\SYSTEM32\st3.dll is in use.  It will be removed on reboot.
9:51 PM:   Quarantining All Traces: trojan-phisher-egold
9:51 PM:   Quarantining All Traces: coolwebsearch (cws)
9:51 PM:   Quarantining All Traces: icannnews
9:51 PM:   icannnews is in use.  It will be removed on reboot.
9:51 PM:     C:\WINDOWS\SYSTEM32\jt8o07l3e.dll is in use.  It will be removed on reboot.
9:51 PM:     C:\WINDOWS\SYSTEM32\mjacm32.dll is in use.  It will be removed on reboot.
9:51 PM:   Quarantining All Traces: targetsaver
9:51 PM:   Quarantining All Traces: trojan - zerotollerance
9:51 PM:   Quarantining All Traces: trojan-backdoor-lev
9:51 PM:   Quarantining All Traces: 3 cookie
9:51 PM:   Quarantining All Traces: 888 cookie
9:51 PM:   Quarantining All Traces: adknowledge cookie
9:51 PM:   Quarantining All Traces: ask cookie
9:51 PM:   Quarantining All Traces: azjmp cookie
9:51 PM:   Quarantining All Traces: clickandtrack cookie
9:51 PM:   Quarantining All Traces: enhance cookie
9:51 PM:   Quarantining All Traces: hbmediapro cookie
9:51 PM:   Quarantining All Traces: metareward.com cookie
9:51 PM:   Quarantining All Traces: nextag cookie
9:51 PM:   Quarantining All Traces: reunion cookie
9:51 PM:   Quarantining All Traces: rn11 cookie
9:51 PM:   Quarantining All Traces: upspiral cookie
9:51 PM:   Quarantining All Traces: websponsors cookie
9:51 PM:   Quarantining All Traces: yieldmanager cookie
9:51 PM:   Warning: Launched explorer.exe
9:51 PM:   Warning: Quarantine process could not restart Explorer.
9:52 PM:   Preparing to restart your computer. Please wait...
9:52 PM: Removal process completed.  Elapsed time 00:01:16
10:18 PM: Program Version 4.5.5  (Build 607)  Using Spyware Definitions 564
10:18 PM: |       End of Session, Saturday, October 29, 2005       |
********
9:22 PM: |       Start of Session, Saturday, October 29, 2005       |
9:22 PM: Spy Sweeper started
9:23 PM: Your spyware definitions have been updated.
9:23 PM: Updating spyware definitions
9:23 PM: Your definitions are up to date.
9:23 PM: Updating spyware definitions
9:23 PM: Your definitions are up to date.
9:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:24 PM: Updating spyware definitions
9:24 PM: Your definitions are up to date.
9:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:27 PM: Memory Shield: Found: Memory-resident threat trojan-downloader-2pursuit, version 1.0.0.0
9:27 PM: Detected running threat: trojan-downloader-2pursuit
9:27 PM: |       End of Session, Saturday, October 29, 2005       |




----HIJACK THIS----

Logfile of HijackThis v1.99.1
Scan saved at 10:36:09 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MSU\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.microsoftoffice.com/productupdates/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130466803633
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130466783334
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E23EA0-8FA2-4D65-8414-E01B80694F28}: NameServer = 192.251.100.140,192.251.101.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mcneese.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mcneese.edu
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

PeAcE
**********

Shon
ChickLitGurrl :: Musings of a SOON-TO-BE Bestseller
http://chicklitgurrl.blogspot.com
sUBs
Global Moderator
Hero Member
« Reply #3 on: October 30, 2005, 07:36:31 AM »

You did a full SpySweeper sweep when you installed it. That's why certain files aren't to be found. Your pop ups should have abated by now. We'll still need to repair the Registry keys that this infection has corrupted.

Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please disable Webroot SpySweeper, as it hinders the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  1. Go to the Options>Program Options
  2. Uncheck Load at Windows Startup
  3. Click Shields & uncheck all items there
  4. Uncheck Home page shield.
  5. Automatically restore default without notification


Then, have HijackThis fix these entries:

O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run CleanUp again using the earlier settings.

Then, perform an online scan with Internet Explorer with  Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls  

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.  
  • Click on see report. Then click Save report

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log
« Last Edit: October 30, 2005, 07:48:36 AM by sUBs »
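
A worked example of the triage sUBs is doing by eye above, added here and not part of the thread, HijackThis or L2MFix: a small Python script that reads a HijackThis 1.99 log and flags the O15 Trusted Zone lines (the two entries sUBs has the poster fix), the O17 TCP/IP DNS settings, and any O20 Winlogon Notify subkey that is not one of the stock Windows XP names. The stock-name list is taken from the registry export that L2MFix prints later in this thread. The sample log is constructed from lines in the posted log plus one invented O20 line (`j46m0ej1eho`) to show a hit; the allowlist check only says "not stock", so Webroot's legitimate WRNotifier is reported for review rather than called malware. The `expected_dns` parameter is an assumption of this example, not a HijackThis feature.

```python
"""Triage a HijackThis 1.99 log for the entry types that commonly carry a hijack.

Added example for this thread; not code from HijackThis, L2MFix or the forum.
"""
import re
from typing import Iterable, List, Tuple

# Winlogon\Notify subkeys that belong to Windows XP itself, as listed in the
# registry export L2MFix printed in this thread. Anything else is third-party
# (Webroot's WRNotifier, for example) and is reported for review, not as malware.
STOCK_WINLOGON_NOTIFY = frozenset(
    name.lower()
    for name in (
        "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
        "sclgntfy", "SensLogn", "termsrv", "wlballoon", "wzcnotif",
    )
)

# HijackThis line shapes for the three sections we look at.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<name>NameServer|SearchList|Domain) = (?P<value>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.+)$")

Finding = Tuple[str, str]  # (HijackThis line, why it was flagged)


def triage(log_text: str, expected_dns: Iterable[str] = ()) -> List[Finding]:
    """Return the log lines a helper would ask about, each with a reason.

    expected_dns: resolver addresses known to be legitimate for this network
    (assumed parameter of this example); every NameServer address not in it
    is reported so the poster can confirm it with their ISP or admin.
    """
    expected = {s.strip() for s in expected_dns}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O15_RE.match(line)
        if m:
            # A Trusted Zone entry makes IE relax its security settings for
            # that site; hijackers add them so their content runs unimpeded.
            findings.append((line, f"Trusted Zone entry for {m['host']}: "
                                   "remove unless you added it yourself"))
            continue

        m = O17_RE.match(line)
        if m:
            if m["name"] == "NameServer":
                servers = [s.strip() for s in m["value"].split(",")]
                unknown = [s for s in servers if s not in expected]
                if unknown:
                    findings.append((line, "DNS servers not in the expected list, "
                                           "confirm them: " + ", ".join(unknown)))
            else:
                findings.append((line, f"{m['name']} is {m['value']}; "
                                       "confirm it matches your network"))
            continue

        m = O20_RE.match(line)
        if m and m["subkey"].lower() not in STOCK_WINLOGON_NOTIFY:
            # Notify DLLs load into winlogon.exe at every logon, so a name that
            # is not stock Windows deserves a vendor check before it is kept.
            findings.append((line, f"non-stock Winlogon Notify DLL {m['dll']}: "
                                   "verify the vendor before keeping it"))
    return findings


# Constructed sample in HijackThis format: the first seven lines are copied
# from the log posted in this thread, the last O20 line is invented.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E23EA0-8FA2-4D65-8414-E01B80694F28}: NameServer = 192.251.100.140,192.251.101.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mcneese.edu
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: j46m0ej1eho - C:\WINDOWS\system32\j46m0ej1eho.dll
"""

if __name__ == "__main__":
    for hjt_line, reason in triage(SAMPLE_LOG):
        print(hjt_line)
        print("    ->", reason)
```

Run against the sample with no expected resolvers it reports six lines: both O15 entries, the NameServer and SearchList lines for confirmation, and both O20 entries. Passing the two campus resolvers as `expected_dns` drops the NameServer line to five findings; the O4, R0 and stock-name O20 lines never appear, which keeps the output short enough to paste back into a reply.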

 
shonbacon
Jr. Member
« Reply #4 on: October 30, 2005, 03:08:31 PM »

I haven't had a pop up ad since the last job I did.  That is VERY good! :-)  

I followed your latest directions, and here are the three log files you requested:



-----1st file-----


Setting Directory
C:\
C:\
System Rebooted!
 
Running From:
C:\
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 576 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 636 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\c8000idme80a0.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CHMCAT.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\DDSER.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2203foe.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpj0031me.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir2ml5f11.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j46m0ej1eho.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j4l40e3qeh.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jR6m0ej1eho.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0lqla351d.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KFDLV1.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LACALSPL.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6209joe.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvlq0935e.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MNRUI.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nzrsko.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o4840elqehqe0.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\OSFFILT.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q8ps0i77e8.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qlery.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\QUJavaNative.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RISMANS.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SOCUR32.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wospdmod.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WQBVW.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WTNOTIFY.DLL
        1 file(s) copied.
deleting: C:\WINDOWS\system32\c8000idme80a0.dll  
Successfully Deleted: C:\WINDOWS\system32\c8000idme80a0.dll
deleting: C:\WINDOWS\system32\CHMCAT.DLL  
Successfully Deleted: C:\WINDOWS\system32\CHMCAT.DLL
deleting: C:\WINDOWS\system32\DDSER.DLL  
Successfully Deleted: C:\WINDOWS\system32\DDSER.DLL
deleting: C:\WINDOWS\system32\fp2203foe.dll  
Successfully Deleted: C:\WINDOWS\system32\fp2203foe.dll
deleting: C:\WINDOWS\system32\fpj0031me.dll  
Successfully Deleted: C:\WINDOWS\system32\fpj0031me.dll
deleting: C:\WINDOWS\system32\ir2ml5f11.dll  
Successfully Deleted: C:\WINDOWS\system32\ir2ml5f11.dll
deleting: C:\WINDOWS\system32\j46m0ej1eho.dll  
Successfully Deleted: C:\WINDOWS\system32\j46m0ej1eho.dll
deleting: C:\WINDOWS\system32\j4l40e3qeh.dll  
Successfully Deleted: C:\WINDOWS\system32\j4l40e3qeh.dll
deleting: C:\WINDOWS\system32\jR6m0ej1eho.dll  
Successfully Deleted: C:\WINDOWS\system32\jR6m0ej1eho.dll
deleting: C:\WINDOWS\system32\k0lqla351d.dll  
Successfully Deleted: C:\WINDOWS\system32\k0lqla351d.dll
deleting: C:\WINDOWS\system32\KFDLV1.DLL  
Successfully Deleted: C:\WINDOWS\system32\KFDLV1.DLL
deleting: C:\WINDOWS\system32\LACALSPL.DLL  
Successfully Deleted: C:\WINDOWS\system32\LACALSPL.DLL
deleting: C:\WINDOWS\system32\lv6209joe.dll  
Successfully Deleted: C:\WINDOWS\system32\lv6209joe.dll
deleting: C:\WINDOWS\system32\lvlq0935e.dll  
Successfully Deleted: C:\WINDOWS\system32\lvlq0935e.dll
deleting: C:\WINDOWS\system32\MNRUI.DLL  
Successfully Deleted: C:\WINDOWS\system32\MNRUI.DLL
deleting: C:\WINDOWS\system32\nzrsko.dll  
Successfully Deleted: C:\WINDOWS\system32\nzrsko.dll
deleting: C:\WINDOWS\system32\o4840elqehqe0.dll  
Successfully Deleted: C:\WINDOWS\system32\o4840elqehqe0.dll
deleting: C:\WINDOWS\system32\OSFFILT.DLL  
Successfully Deleted: C:\WINDOWS\system32\OSFFILT.DLL
deleting: C:\WINDOWS\system32\q8ps0i77e8.dll  
Successfully Deleted: C:\WINDOWS\system32\q8ps0i77e8.dll
deleting: C:\WINDOWS\system32\qlery.dll  
Successfully Deleted: C:\WINDOWS\system32\qlery.dll
deleting: C:\WINDOWS\system32\QUJavaNative.dll  
Successfully Deleted: C:\WINDOWS\system32\QUJavaNative.dll
deleting: C:\WINDOWS\system32\RISMANS.DLL  
Successfully Deleted: C:\WINDOWS\system32\RISMANS.DLL
deleting: C:\WINDOWS\system32\SOCUR32.DLL  
Successfully Deleted: C:\WINDOWS\system32\SOCUR32.DLL
deleting: C:\WINDOWS\system32\wospdmod.dll  
Successfully Deleted: C:\WINDOWS\system32\wospdmod.dll
deleting: C:\WINDOWS\system32\WQBVW.DLL  
Successfully Deleted: C:\WINDOWS\system32\WQBVW.DLL
deleting: C:\WINDOWS\system32\WTNOTIFY.DLL  
Successfully Deleted: C:\WINDOWS\system32\WTNOTIFY.DLL
 
 
Zipping up files for submission:
  adding: c8000idme80a0.dll (188 bytes security) (deflated 4%)
  adding: CHMCAT.DLL (188 bytes security) (deflated 5%)
  adding: DDSER.DLL (188 bytes security) (deflated 5%)
  adding: fp2203foe.dll (188 bytes security) (deflated 4%)
  adding: fpj0031me.dll (188 bytes security) (deflated 4%)
  adding: ir2ml5f11.dll (188 bytes security) (deflated 5%)
  adding: j46m0ej1eho.dll (188 bytes security) (deflated 4%)
  adding: j4l40e3qeh.dll (188 bytes security) (deflated 5%)
  adding: jR6m0ej1eho.dll (188 bytes security) (deflated 5%)
  adding: k0lqla351d.dll (188 bytes security) (deflated 5%)
  adding: KFDLV1.DLL (188 bytes security) (deflated 5%)
  adding: LACALSPL.DLL (188 bytes security) (deflated 5%)
  adding: lv6209joe.dll (188 bytes security) (deflated 5%)
  adding: lvlq0935e.dll (188 bytes security) (deflated 5%)
  adding: MNRUI.DLL (188 bytes security) (deflated 4%)
  adding: nzrsko.dll (188 bytes security) (deflated 6%)
  adding: o4840elqehqe0.dll (188 bytes security) (deflated 5%)
  adding: OSFFILT.DLL (188 bytes security) (deflated 5%)
  adding: q8ps0i77e8.dll (188 bytes security) (deflated 5%)
  adding: qlery.dll (188 bytes security) (deflated 5%)
  adding: QUJavaNative.dll (188 bytes security) (deflated 4%)
  adding: RISMANS.DLL (188 bytes security) (deflated 5%)
  adding: SOCUR32.DLL (188 bytes security) (deflated 5%)
  adding: wospdmod.dll (188 bytes security) (deflated 4%)
  adding: WQBVW.DLL (188 bytes security) (deflated 5%)
  adding: WTNOTIFY.DLL (188 bytes security) (deflated 4%)
  adding: clear.reg (188 bytes security) (deflated 52%)
  adding: lo2.txt (188 bytes security) (deflated 85%)
  adding: test.txt (188 bytes security) (deflated 78%)
  adding: test2.txt (188 bytes security) (deflated 33%)
  adding: test3.txt (188 bytes security) (deflated 33%)
  adding: test5.txt (188 bytes security) (deflated 33%)
  adding: xfind.txt (188 bytes security) (deflated 71%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Read           BUILTIN\Power Users
(ID-IO) ALLOW  Read           BUILTIN\Power Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: c8000idme80a0.dll  
deleting local copy: CHMCAT.DLL  
deleting local copy: DDSER.DLL  
deleting local copy: fp2203foe.dll  
deleting local copy: fpj0031me.dll  
deleting local copy: ir2ml5f11.dll  
deleting local copy: j46m0ej1eho.dll  
deleting local copy: j4l40e3qeh.dll  
deleting local copy: jR6m0ej1eho.dll  
deleting local copy: k0lqla351d.dll  
deleting local copy: KFDLV1.DLL  
deleting local copy: LACALSPL.DLL  
deleting local copy: lv6209joe.dll  
deleting local copy: lvlq0935e.dll  
deleting local copy: MNRUI.DLL  
deleting local copy: nzrsko.dll  
deleting local copy: o4840elqehqe0.dll  
deleting local copy: OSFFILT.DLL  
deleting local copy: q8ps0i77e8.dll  
deleting local copy: qlery.dll  
deleting local copy: QUJavaNative.dll  
deleting local copy: RISMANS.DLL  
deleting local copy: SOCUR32.DLL  
deleting local copy: wospdmod.dll  
deleting local copy: WQBVW.DLL  
deleting local copy: WTNOTIFY.DLL  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\c8000idme80a0.dll
C:\WINDOWS\system32\CHMCAT.DLL
C:\WINDOWS\system32\DDSER.DLL
C:\WINDOWS\system32\fp2203foe.dll
C:\WINDOWS\system32\fpj0031me.dll
C:\WINDOWS\system32\ir2ml5f11.dll
C:\WINDOWS\system32\j46m0ej1eho.dll
C:\WINDOWS\system32\j4l40e3qeh.dll
C:\WINDOWS\system32\jR6m0ej1eho.dll
C:\WINDOWS\system32\k0lqla351d.dll
C:\WINDOWS\system32\KFDLV1.DLL
C:\WINDOWS\system32\LACALSPL.DLL
C:\WINDOWS\system32\lv6209joe.dll
C:\WINDOWS\system32\lvlq0935e.dll
C:\WINDOWS\system32\MNRUI.DLL
C:\WINDOWS\system32\nzrsko.dll
C:\WINDOWS\system32\o4840elqehqe0.dll
C:\WINDOWS\system32\OSFFILT.DLL
C:\WINDOWS\system32\q8ps0i77e8.dll
C:\WINDOWS\system32\qlery.dll
C:\WINDOWS\system32\QUJavaNative.dll
C:\WINDOWS\system32\RISMANS.DLL
C:\WINDOWS\system32\SOCUR32.DLL
C:\WINDOWS\system32\wospdmod.dll
C:\WINDOWS\system32\WQBVW.DLL
C:\WINDOWS\system32\WTNOTIFY.DLL
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{62E6BBF0-9658-40F1-BF70-EAC5D338BD24}"=-
"{0E8F1F9B-B216-47D6-A130-EE53F305BFE5}"=-
"{C0AB56A4-3430-4A10-9F97-B1F2F7DD4896}"=-
"{66DA347D-D4E0-4754-9157-440EEDC13C0C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{62E6BBF0-9658-40F1-BF70-EAC5D338BD24}]
[-HKEY_CLASSES_ROOT\CLSID\{0E8F1F9B-B216-47D6-A130-EE53F305BFE5}]
[-HKEY_CLASSES_ROOT\CLSID\{C0AB56A4-3430-4A10-9F97-B1F2F7DD4896}]
[-HKEY_CLASSES_ROOT\CLSID\{66DA347D-D4E0-4754-9157-440EEDC13C0C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************





-----ACTIVE SCAN LOG-----


Incident                      Status                        Location                                                                                                                                                                                                                                                        

Adware:adware/secure32        No disinfected                C:\WINDOWS\secure32.html                                                                                                                                                                                                                                        
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[c8000idme80a0.dll]                                                                                                                                                                                                                                
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[CHMCAT.DLL]                                                                                                                                                                                                                                      
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[DDSER.DLL]                                                                                                                                                                                                                                        
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[fp2203foe.dll]                                                                                                                                                                                                                                    
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[fpj0031me.dll]                                                                                                                                                                                                                                    
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[ir2ml5f11.dll]                                                                                                                                                                                                                                    
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[j46m0ej1eho.dll]                                                                                                                                                                                                                                  
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[j4l40e3qeh.dll]                                                                                                                                                                                                                                  
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[jR6m0ej1eho.dll]                                                                                                                                                                                                                                  
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[k0lqla351d.dll]                                                                                                                                                                                                                                  
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[KFDLV1.DLL]                                                                                                                                                                                                                                      
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[LACALSPL.DLL]                                                                                                                                                                                                                                    
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[lv6209joe.dll]                                                                                                                                                                                                                                    
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[lvlq0935e.dll]                                                                                                                                                                                                                                    
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[MNRUI.DLL]                                                                                                                                                                                                                                        
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[nzrsko.dll]                                                                                                                                                                                                                                      
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[o4840elqehqe0.dll]                                                                                                                                                                                                                                
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[OSFFILT.DLL]                                                                                                                                                                                                                                      
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[q8ps0i77e8.dll]                                                                                                                                                                                                                                  
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[qlery.dll]                                                                                                                                                                                                                                        
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[QUJavaNative.dll]                                                                                                                                                                                                                                
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[RISMANS.DLL]                                                                                                                                                                                                                                      
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[SOCUR32.DLL]
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[wospdmod.dll]
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[WQBVW.DLL]
Adware:Adware/Look2Me         No disinfected                C:\backup.zip[WTNOTIFY.DLL]
Possible Virus.               No disinfected                C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00008.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP29\A0002738.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP41\A0003243.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP41\A0003293.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP41\A0003298.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP41\A0003315.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP41\A0003323.dll
Adware:Adware/nCase           No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003768.exe
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003774.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003793.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003797.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003800.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003805.dll
Virus:Trj/Ldpinch.LV          Disinfected                   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003807.dll
Virus:Trj/Ldpinch.LV          Disinfected                   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP43\A0003809.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0003950.dll
Virus:Trj/Stwoyle.A           Disinfected                   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0003953.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0003954.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004033.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004034.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004035.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004036.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004037.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004038.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004039.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004040.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004041.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004042.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004043.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004044.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004045.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004046.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004047.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004048.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004049.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004050.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004051.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004052.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004053.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004054.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004055.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004056.dll
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004057.DLL
Adware:Adware/Look2Me         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP44\A0004058.DLL
Virus:Trj/Downloader.FUH      Disinfected                   C:\WINDOWS\q99949229.dll
Adware:Adware/Secure32        No disinfected                C:\WINDOWS\secure32.html
Virus:Trj/Qhost.Y             Disinfected                   C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

-----HIJACK THIS LOG-----

Logfile of HijackThis v1.99.1
Scan saved at 7:04:46 AM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MSU\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.microsoftoffice.com/productupdates/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130466803633
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130466783334
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E23EA0-8FA2-4D65-8414-E01B80694F28}: NameServer = 192.251.100.140,192.251.101.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mcneese.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mcneese.edu
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

PeAcE
**********

Shon
ChickLitGurrl :: Musings of a SOON-TO-BE Bestseller
http://chicklitgurrl.blogspot.com
sUBs
Global Moderator
Hero Member
*****

Posts: 278
« Reply #5 on: October 30, 2005, 07:49:43 PM »

C:\backup.zip is a backup folder created by the L2Mfix tool. We have no use for it now. You may safely delete it.

Download these files/programs & save to Desktop :

KillBox v2.0.0.175.zip

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

SpywareBlaster 3.4
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4  - Add the old p*rn sites domain


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =  


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00008.dll
    C:\WINDOWS\secure32.html
     
*  Go to the File menu, and choose Paste from Clipboard
*  Click on the dropdown menu next to Full Path of File to Delete field.
*  Verify that the filenames you pasted are found there
*  Click the RED X button.
*  Click Yes at the Delete on Reboot prompt.
*  Click Yes at the 'Pending Operations prompt'.

# If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


After you have rebooted, please post a new HJT log.
Let me know if you still have issues with your machine.



shonbacon
Jr. Member
**


Gender: Female
Posts: 15
« Reply #6 on: October 31, 2005, 04:50:16 AM »

I haven't had a problem with the computer all day, thank goodness.

Below is the latest Hijack This log:



Logfile of HijackThis v1.99.1
Scan saved at 10:46:35 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MSU\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.microsoftoffice.com/productupdates/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130466803633
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130466783334
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E23EA0-8FA2-4D65-8414-E01B80694F28}: NameServer = 192.251.100.140,192.251.101.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mcneese.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mcneese.edu
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

PeAcE
**********

Shon
ChickLitGurrl :: Musings of a SOON-TO-BE Bestseller
http://chicklitgurrl.blogspot.com
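To see what changed between the log in Reply #5 and this one without reading both by eye, here is an added Python example (not HijackThis code and not a tool from this forum) that parses both logs, repairs the line wrapping the forum introduced, and lists the differences; the two excerpts inside it are constructed, abbreviated copies of the logs above.

```python
"""Parse two HijackThis 1.99.1 logs and report what changed between them.

Added example for this thread; not part of HijackThis or of any forum tool.
"""
import re
from typing import Dict, List

# Section codes HijackThis 1.99.1 puts at the start of every entry line.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# Lines under "Running processes:" always start with a drive letter.
PROC_RE = re.compile(r"^[A-Za-z]:\\")
HEADER_PREFIXES = ("Logfile of", "Scan saved", "Platform:", "MSIE:")


def parse_hjt_log(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into its process list and its R/F/N/O entries.

    Forum software wraps long lines, leaving a fragment (often after a blank
    line) below the entry it belongs to; any line that is neither a header,
    a process path nor an entry is glued back onto the previous line.
    """
    processes: List[str] = []
    entries: List[str] = []
    current: List[str] = []        # the list that received the last real line
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False
            entries.append(line)
            current = entries
        elif in_processes and PROC_RE.match(line):
            processes.append(line)
            current = processes
        elif current:
            current[-1] = current[-1] + " " + line   # wrapped continuation
    return {"processes": processes, "entries": entries}


def diff_logs(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Lines that appear in only one of the two parsed logs, per section."""
    result: Dict[str, List[str]] = {}
    for key in ("processes", "entries"):
        old_set, new_set = set(old[key]), set(new[key])
        result["added_" + key] = sorted(new_set - old_set)
        result["removed_" + key] = sorted(old_set - new_set)
    return result


# Constructed, abbreviated excerpts of the two logs posted in this thread.
# The second keeps the forum's line wrapping so the parser has something to fix.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:04:46 AM, on 10/30/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:46:35 PM, on 10/30/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Spy
Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcneese.edu/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def compare_posted_logs() -> Dict[str, List[str]]:
    """Diff the two excerpts: one new O4 Run entry and one new process."""
    return diff_logs(parse_hjt_log(LOG_BEFORE), parse_hjt_log(LOG_AFTER))


if __name__ == "__main__":
    for section, lines in compare_posted_logs().items():
        for line in lines:
            print(f"{section:18} {line}")
```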
sUBs
Global Moderator
Hero Member
*****

Posts: 278
« Reply #7 on: October 31, 2005, 08:51:43 AM »

Your system is clean

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Clear & reset System Restore's cache

    1. click Start >> Run - type SYSDM.CPL & press Enter
    2. Select the System Restore Tab
    3. Tick on the checkbox - Turn off System Restore on all drives
    4. Click Apply
    5. Then untick the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES

  3. From Windows Explorer, go to Tools>Folder Options> View tab.
    • Enable - Show hidden files and folders
    • Disable - Hide file extensions for known types
    • Disable - Hide protected operating system files
    Click Yes to confirm & then click OK

  4. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.


  5. Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine.  This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources


  6. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish).  If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  7. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over.  I am very serious about this and see it happen almost every day with my clients.  Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls


  8. Visit Microsoft's Windows Update Site Frequently - It is important that you visit windowsupdate.com regularly.  This will ensure your computer always has the latest available security updates installed.  If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  9. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.  This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.  You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


  10. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware,  & Hijackers from Your Computer

  11. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware


  12. Update all these programs regularly - Make sure you update all the programs I have listed regularly.  Without regular updates you WILL NOT be protected when new malicious programs are released.


  13. Winpatrol -  Download and install the free version of Winpatrol.

    A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software


  14. IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system.  It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


  15. MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc.  Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.


  16. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program!  (AOL, Yahoo, ICQ, IRC, MSN)


  17. Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.


  18. Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.


  19. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.


  20. Google Toolbar - Get the free google toolbar to help stop pop up windows.

To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

Follow this list and your potential for being infected again will reduce dramatically. Your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
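Item 15 above describes how a HOSTS file like the MVPS one works: every hostname listed is mapped to the local machine, so the browser never reaches the ad server. The script below is an added example (not part of the original post, the MVPS project, or HijackThis) that parses a HOSTS file in that format and reports which hostnames are sinkholed locally. It also flags the opposite case, a hostname pointed at some other address, because a HOSTS file edited to redirect antivirus-update or search sites elsewhere is itself a classic hijack symptom worth checking after a cleanup. The sample file contents are constructed for the example and use reserved `.invalid` names and the 192.0.2.0/24 documentation range.

```python
"""Parse a HOSTS file and classify its entries.

Added example: the file contents below are constructed, not the real MVPS list.
"""
import ipaddress
from typing import Dict, List

# Constructed sample in the same layout as an MVPS-style HOSTS file.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file (constructed for the example)
127.0.0.1 localhost
127.0.0.1 ad.example.invalid        # constructed ad domain
0.0.0.0   tracker.example.invalid banner.example.invalid
192.0.2.10 intranet.example.invalid
::1 localhost

# blank lines and comment-only lines are ignored
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every mapping in the file.

    Trailing '#' comments, blank lines and malformed lines are skipped.
    When a hostname appears more than once, the first mapping is kept,
    which is how most resolvers treat the HOSTS file (assumption noted).
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is not a mapping
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first token is not a valid IPv4/IPv6 address
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(addr: str) -> bool:
    """True when the address points back at the local machine.

    127.0.0.1 and ::1 are loopback; 0.0.0.0 is the 'unspecified' address
    that some blocklists use because it fails faster than loopback.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def sinkholed_hosts(text: str) -> List[str]:
    """Hostnames the file blocks by mapping them to the local machine."""
    return sorted(
        name for name, addr in parse_hosts(text).items()
        if is_sinkholed(addr) and name != "localhost"
    )


def unexpected_redirects(text: str) -> Dict[str, str]:
    """Hostnames mapped to a non-local address.

    A legitimate blocklist never does this; an entry sending a bank,
    search engine or AV vendor to a remote address is a hijack indicator.
    """
    return {
        name: addr for name, addr in parse_hosts(text).items()
        if not is_sinkholed(addr)
    }


if __name__ == "__main__":
    # On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # pass its contents instead of SAMPLE_HOSTS to audit a real machine.
    print("blocked:", sinkholed_hosts(SAMPLE_HOSTS))
    print("redirected elsewhere:", unexpected_redirects(SAMPLE_HOSTS))
```

The `unexpected_redirects` output is the part to read carefully on a machine that was just cleaned: any hostname there should be one you added yourself.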

 
shonbacon
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 15



« Reply #8 on: November 01, 2005, 05:03:05 AM »

Thank you so much for all of your help.  I have heeded everything from your prior post--I'm using Firefox right now! :-)

Again, thank you!  Here's to happy and safe computer play.

PeAcE
**********

Shon
ChickLitGurrl :: Musings of a SOON-TO-BE Bestseller
http://chicklitgurrl.blogspot.com