Look2me adware infection [RESOLVED]


  • This topic is locked

#1
Fluffier

Fluffier

    New Member

  • Member
  • Pip
  • 5 posts
My first post here, so please correct any wrongdoings.

Thank you very much in advance for any help.

My system was having instability issues and I decided that it was finally time to do another fresh install of Windows. Install completed, and I booted. But the system was even slower. I tend to forget this after a few weeks after the install, but it appears I install some sort of malware / trojan / whatever each and every time I reinstall Windows. This is from both an original WinXP CD and a DVD copy of it with slipstreamed Ethernet and SATA RAID drivers.

The symptom is that one of the svchost.exe processes uses 100% CPU time, which slows down the system extremely while installing backdoors, trojans and even more malware in the background.

So I downloaded AVG Free antivirus and Ad-Aware SE Personal, ran a scan and made a terrifying discovery: 200-300 different kinds of viruses, malware and more. With automated scans I got rid of most, but about 30-50 remained.

Then I came here, went through the thread and, following the steps given there, I've now managed to narrow it down to one malware with three infections: Look2me

Programs used:
Avgfree
Cwshredder
l2mfix
Ad-aware
Spybot s&d
Trojan hunter
X-Cleaner
Ewido

None of these programs successfully removed Look2me, in safe mode or in Windows.

More info:
I also updated Windows with about 40-50 smaller security updates, and tried to install SP2 but for some reason it failed.

My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 04:53:03, on 01.03.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sysctl.exe
C:\INSTAL~1\AVGFRE~1\avgcc.exe
C:\Programfiler\TrojanHunter 4.2\THGuard.exe
C:\Programfiler\Messenger\MSMSGS.EXE
C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe
C:\WINDOWS\System32\WNSXS~1\chkntfs.exe
C:\INSTAL~1\AVGFRE~1\avgamsvr.exe
C:\INSTAL~1\AVGFRE~1\avgupsvc.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Installerte Programmer\Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programfiler\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Fluffier\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {88EA62F3-826E-FE9D-1C82-F75A633840E2} - C:\WINDOWS\System32\fwb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ahmb] c:\windows\eee2.exe
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKLM\..\Run: [sysctl32] sysctl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\INSTAL~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKLM\..\RunServices: [sysctl32] sysctl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKCU\..\Run: [Sxid] C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe
O4 - HKCU\..\Run: [Ibpd] "C:\WINDOWS\System32\WNSXS~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141168557166
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\m0jula191d.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\INSTAL~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\INSTAL~1\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe


  • 0


#2
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi Fluffier

Welcome to G2G! :tazz:

* Click here to download Look2Me-Destroyer.exe and save it to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message:
    • Done removing infected files! Look2Me-Destroyer will now shutdown your computer
  • Click OK then your computer will shutdown.
  • Wait 60 seconds then turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX
  • 0

#3
Fluffier

Fluffier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for an extremely fast reply! : - )

Here is the Look2Me-Destroyer log:

Look2Me-Destroyer V1.0.7

Scanning for infected files.....
Scan started at 01.03.2006 05:36:16

Infected! C:\WINDOWS\system32\m0jula191d.dll
Infected! C:\WINDOWS\system32\crmdlg32.dll
Infected! C:\WINDOWS\system32\gp6ol3j31.dll
Infected! C:\WINDOWS\system32\jtjq0715e.dll
Infected! C:\WINDOWS\system32\m0jula191d.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\m0jula191d.dll
C:\WINDOWS\system32\m0jula191d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\crmdlg32.dll
C:\WINDOWS\system32\crmdlg32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gp6ol3j31.dll
C:\WINDOWS\system32\gp6ol3j31.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jtjq0715e.dll
C:\WINDOWS\system32\jtjq0715e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m0jula191d.dll
C:\WINDOWS\system32\m0jula191d.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8109EAEA-4351-46C6-A17B-8B837F621A44}"
HKCR\Clsid\{8109EAEA-4351-46C6-A17B-8B837F621A44}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4D75AEDB-E7AF-4180-B02E-D9E5E737EAB8}"
HKCR\Clsid\{4D75AEDB-E7AF-4180-B02E-D9E5E737EAB8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D7FC1A9B-CE7D-47F2-BA0E-DB5EC99292B6}"
HKCR\Clsid\{D7FC1A9B-CE7D-47F2-BA0E-DB5EC99292B6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{39C00C30-38A4-4734-800B-80054272308F}"
HKCR\Clsid\{39C00C30-38A4-4734-800B-80054272308F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2C4A1D35-5125-4860-9B5D-238BB9C1B5C1}"
HKCR\Clsid\{2C4A1D35-5125-4860-9B5D-238BB9C1B5C1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{507B8F5D-CF6B-4610-9DF5-9F8B63FEA21F}"
HKCR\Clsid\{507B8F5D-CF6B-4610-9DF5-9F8B63FEA21F}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorer - Succeeded


And this is the HijackThis file.

Logfile of HijackThis v1.99.1
Scan saved at 05:40:08, on 01.03.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sysctl.exe
C:\INSTAL~1\AVGFRE~1\avgcc.exe
C:\Programfiler\Messenger\MSMSGS.EXE
C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe
C:\WINDOWS\System32\WNSXS~1\chkntfs.exe
C:\INSTAL~1\AVGFRE~1\avgamsvr.exe
C:\INSTAL~1\AVGFRE~1\avgupsvc.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Installerte Programmer\Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Fluffier\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {88EA62F3-826E-FE9D-1C82-F75A633840E2} - C:\WINDOWS\System32\fwb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ahmb] c:\windows\eee2.exe
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKLM\..\Run: [sysctl32] sysctl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\INSTAL~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKLM\..\RunServices: [sysctl32] sysctl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKCU\..\Run: [Sxid] C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe
O4 - HKCU\..\Run: [Ibpd] "C:\WINDOWS\System32\WNSXS~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141168557166
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\INSTAL~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\INSTAL~1\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe


I dunno if this worked or not, so I will scan for it now. Will edit my post as soon as I find out.
  • 0

#4
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Please don't enclose the logs you post in the code tags. That makes them more difficult to read.

Now please click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Navigate to the C:\Documents and Settings\Fluffier\Programdata folder. See if you can find this folder:

?ssembly

The actual name of the folder will not begin with the question mark. ? is a wild card. The name will probably be Assembly.

Go to the forum here and upload ALL the files found in that folder.

Here are the directions for uploading the files:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. If there are multiple files to be uploaded click the "More attachments" button for each extra file and browse to the files. When all the files are listed in the windows click "Post" to upload the files.

Don't forget to post a link to your thread here.


* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan


I am about to sign off for the night so I will not reply again until sometime tomorrow afternoon.
  • 0

#5
Fluffier

Fluffier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
This is the file:
http://www.thespykil...0e&topic=1224.0

I also wanted to tell you that I ran AVG Free, Spybot S&D, Ad-Aware and Ewido and found nothing but a few tracking cookies.

Preparing to do that online scan now.

Edit:
Online scan revealed the following:


Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Fluffier\Lokale innstillinger\Temp\!update.exe
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Fluffier\Programdata\Mozilla\Firefox\Profiles\hsrsgzfb.default\cookies.txt[]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Fluffier\Skrivebord\Anti Spyware & Malware programs\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-73586283-1214440339-682003330-1003\Dc3\Process.exe
Adware:Adware/BroadcastPC Not disinfected C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\R6CPZESH\DR21206[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\W?nSxS\chkntfs.exe
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini

Hijack file:

Logfile of HijackThis v1.99.1
Scan saved at 06:45:27, on 01.03.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sysctl.exe
C:\INSTAL~1\AVGFRE~1\avgcc.exe
C:\Programfiler\Messenger\MSMSGS.EXE
C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe
C:\WINDOWS\System32\WNSXS~1\chkntfs.exe
C:\INSTAL~1\AVGFRE~1\avgamsvr.exe
C:\INSTAL~1\AVGFRE~1\avgupsvc.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Installerte Programmer\Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Fluffier\Skrivebord\Anti Spyware & Malware programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {88EA62F3-826E-FE9D-1C82-F75A633840E2} - C:\WINDOWS\System32\fwb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ahmb] c:\windows\eee2.exe
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKLM\..\Run: [sysctl32] sysctl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\INSTAL~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKLM\..\RunServices: [sysctl32] sysctl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe
O4 - HKCU\..\Run: [Sxid] C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe
O4 - HKCU\..\Run: [Ibpd] "C:\WINDOWS\System32\WNSXS~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141168557166
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\INSTAL~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\INSTAL~1\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe

Edited by Fluffier, 28 February 2006 - 11:54 PM.

  • 0

#6
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Click here to download ATF Cleaner by Atribune and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - {88EA62F3-826E-FE9D-1C82-F75A633840E2} - C:\WINDOWS\System32\fwb.dll (file missing)

O4 - HKLM\..\Run: [ahmb] c:\windows\eee2.exe

O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe

O4 - HKLM\..\Run: [ahkw] C:\windows\eee2.exe

O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe

O4 - HKLM\..\Run: [sysctl32] sysctl.exe

O4 - HKLM\..\RunServices: [Printer] C:\WINDOWS\System32\auditchk.exe

O4 - HKLM\..\RunServices: [sysctl32] sysctl.exe

O4 - HKCU\..\Run: [Printer] C:\WINDOWS\System32\auditchk.exe

O4 - HKCU\..\Run: [Sxid] C:\Documents and Settings\Fluffier\Programdata\?ssembly\r?gsvr32.exe

O4 - HKCU\..\Run: [Ibpd] "C:\WINDOWS\System32\WNSXS~1\chkntfs.exe" -vt ndrv

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\System32\sysctl.exe

    C:\WINDOWS\system32\WinSxS\chkntfs.exe

    C:\WINDOWS\ubber60.ini

    C:\windows\eee2.exe

    C:\WINDOWS\System32\auditchk.exe

    C:\Documents and Settings\Fluffier\Programdata\Assembly\r_gsvr32.exe


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.

* Restart back into Windows normally now.


* Run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan
  • 0
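A defender-side check for the kind of O4 autorun entries this thread walks through: post #4 explains that HijackThis prints a ? for a character it cannot display, and post #6 lists the Run entries to fix by hand. The block below is an added example, not code from the thread or from HijackThis; it parses O4 lines and flags the same patterns mechanically. The sample log is constructed to resemble the thread's entries, reading ? in a path as a lookalike folder or file name is the editor's inference from the logs, and SYSTEM_TOOLS is an assumed shortlist.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 O4 (autorun) format, modelled on the
# entries discussed in this thread; it is not one of the logs posted there.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ahmb] c:\\windows\\eee2.exe
O4 - HKLM\\..\\Run: [TIAP] C:\\windows\\eee2.exe
O4 - HKLM\\..\\Run: [ahkw] C:\\windows\\eee2.exe
O4 - HKLM\\..\\Run: [Printer] C:\\WINDOWS\\System32\\auditchk.exe
O4 - HKLM\\..\\RunServices: [Printer] C:\\WINDOWS\\System32\\auditchk.exe
O4 - HKCU\\..\\Run: [Printer] C:\\WINDOWS\\System32\\auditchk.exe
O4 - HKLM\\..\\Run: [sysctl32] sysctl.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\INSTAL~1\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [Sxid] C:\\Documents and Settings\\Fluffier\\Programdata\\?ssembly\\r?gsvr32.exe
O4 - HKCU\\..\\Run: [Ibpd] "C:\\WINDOWS\\System32\\WNSXS~1\\chkntfs.exe" -vt ndrv
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Programfiler\\Messenger\\MSMSGS.EXE" /background
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path at the start of the command line, quoted or not, arguments dropped
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Assumed shortlist of Windows tool names the thread's logs show being imitated;
# genuine copies live directly in the Windows or System32 directory.
SYSTEM_TOOLS = {"regsvr32.exe", "chkntfs.exe", "rundll32.exe", "svchost.exe"}


def parse_o4(log_text):
    """Return (hive, key, value_name, exe_path, raw_line) for every O4 entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        path = exe["path"] if exe else m["cmd"]
        entries.append((m["hive"], m["key"], m["name"], path, line))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_dir(path):
    parts = path.rsplit("\\", 1)
    return parts[0].lower() if len(parts) == 2 else ""


def analyze(log_text):
    """Map each flagged O4 line to the list of reasons it was flagged."""
    entries = parse_o4(log_text)

    # How many distinct autorun locations (hive, key, value name) point at each executable
    locations = defaultdict(set)
    for hive, key, name, path, _ in entries:
        locations[path.lower()].add((hive, key, name))

    findings = {}
    for hive, key, name, path, line in entries:
        reasons = []
        if "?" in path:
            # HijackThis prints '?' for a character it cannot display; in this thread that
            # marks folder and file names imitating Assembly, regsvr32.exe and WinSxS.
            reasons.append("undisplayable character in path (lookalike name)")
        if "\\" not in path:
            reasons.append("bare filename, resolved through the executable search path")
        if basename(path) in SYSTEM_TOOLS and not parent_dir(path).endswith(("\\system32", "\\windows")):
            reasons.append("system tool name outside the Windows/System32 directory")
        if len(locations[path.lower()]) > 1:
            reasons.append(f"registered in {len(locations[path.lower()])} autorun locations")
        if key == "RunServices":
            reasons.append("RunServices key (honoured only by Windows 9x/ME, unused by legitimate XP software)")
        if reasons:
            findings[line] = reasons
    return findings


def flagged_executables(log_text):
    """Sorted, lower-cased executable paths that at least one heuristic flagged."""
    by_line = {e[4]: e[3].lower() for e in parse_o4(log_text)}
    return sorted({by_line[line] for line in analyze(log_text)})


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```

Run against a real HijackThis log, the output is a shortlist to verify by hand, not a verdict: AVG's 8.3 path and the Messenger entry pass untouched, while the three eee2.exe aliases, the Printer entry in three autorun keys, the bare sysctl.exe, the ? names and the chkntfs.exe copy under a short-named System32 subfolder are all called out.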

#7
Fluffier

Fluffier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you. I followed your instructions.

Note: I changed my antivirus program from Avgfree to F-Secure.

Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 01:35:43, on 02.03.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\F-Secure\Common\FSM32.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Programfiler\F-Secure\Common\FSMA32.EXE
C:\Programfiler\F-Secure\Common\FSMB32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe
C:\Programfiler\F-Secure\Common\FCH32.EXE
C:\Programfiler\F-Secure\Common\FAMEH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsqh.exe
C:\Programfiler\F-Secure\Anti-Virus\fsrw.exe
C:\Programfiler\F-Secure\Common\FNRB32.EXE
C:\Programfiler\F-Secure\Common\FIH32.EXE
C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Programfiler\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Installerte Programmer\Firefox\firefox.exe
C:\Documents and Settings\Fluffier\Skrivebord\Anti Spyware & Malware programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Programfiler\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Block this popup - C:\Programfiler\F-Secure\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\f-secure\fsps\program\fslsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141168557166
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programfiler\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE



And here is my Kaspersky online scanner report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 02, 2006 1:34:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/03/2006
Kaspersky Anti-Virus database records: 179551
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 59533
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:37:50

Infected Object Name / Virus Name / Last Action
D:\UWXPCD\$OEM$\$$\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
D:\UWXPCD.iso/_OEM_/__/SYSTEM32/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
D:\UWXPCD.iso ISO image: infected - 1 skipped
F:\Apps\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
F:\Apps\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

Scan process completed.





If there aren't any more steps to be done, I would like to ask if you could tell me the name of the virus you helped me remove.
Also thank you very much for your effort to help me. Really appreciated!

Edited by Fluffier, 01 March 2006 - 06:38 PM.

  • 0

#8
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
What you had was PurityScan malware.

How is everything now?

Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.
  • 0

#9
Fluffier

Fluffier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
To my eyes my system seems to be working very well, and I'm just in the process of arranging everything (just finished with my desktop) as I want it and installing all the programs I need. Pretty soon I should be all set for some enjoyable gaming and PC fun.

Thank you very much for helping me out. I really would have known what to do if you hadn't helped me. My ISP partially had to block my line because of all the trojans, and who knows how long it would have taken me to retrieve full functionality if I had to remove the virus by myself?

So yeah, thank you! :tazz:

Here is the log you requested:

Ad-Aware SE Personal
Anti-Virus Client Security
ATI Display Driver
Aureon 5.1 USB
BitTornado 0.3.7
CleanUp!
ewido anti-malware
F-Secure Anti-Virus Client Security - Automatic Update Agent
F-Secure Anti-Virus Client Security - E-Mail Scanning
F-Secure Anti-Virus Client Security - Internet Shield
F-Secure Anti-Virus Client Security - Virus & Spy Protection
F-Secure Anti-Virus Client Security - Web Traffic Scanning
GSpot Codec Information Appliance
HijackThis 1.99.1
Internet Download Accelerator version 4.4
Kaspersky On-line Scanner
Macromedia Flash Player 8
MediaTickets by OIN
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Mozilla Firefox (1.5)
NVIDIA Audio Driver
NVIDIA Ethernet Driver
Oppdatering for Windows XP (KB898461)
Oppdatering for Windows XP (KB910437)
Panda ActiveScan
QuickTime
Sikkerhetsoppdatering for Windows Media Player (KB911564)
Sikkerhetsoppdatering for Windows XP (KB890046)
Sikkerhetsoppdatering for Windows XP (KB893756)
Sikkerhetsoppdatering for Windows XP (KB896358)
Sikkerhetsoppdatering for Windows XP (KB896422)
Sikkerhetsoppdatering for Windows XP (KB896423)
Sikkerhetsoppdatering for Windows XP (KB896424)
Sikkerhetsoppdatering for Windows XP (KB896428)
Sikkerhetsoppdatering for Windows XP (KB899587)
Sikkerhetsoppdatering for Windows XP (KB899589)
Sikkerhetsoppdatering for Windows XP (KB899591)
Sikkerhetsoppdatering for Windows XP (KB900725)
Sikkerhetsoppdatering for Windows XP (KB901017)
Sikkerhetsoppdatering for Windows XP (KB901190)
Sikkerhetsoppdatering for Windows XP (KB901214)
Sikkerhetsoppdatering for Windows XP (KB902400)
Sikkerhetsoppdatering for Windows XP (KB904706)
Sikkerhetsoppdatering for Windows XP (KB905414)
Sikkerhetsoppdatering for Windows XP (KB905749)
Sikkerhetsoppdatering for Windows XP (KB905915)
Sikkerhetsoppdatering for Windows XP (KB908519)
Sikkerhetsoppdatering for Windows XP (KB911927)
Sikkerhetsoppdatering for Windows XP (KB912919)
Sikkerhetsoppdatering for Windows XP (KB913446)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Trillian
TrojanHunter 4.2
VideoLAN VLC media player 0.8.4a
WinAce Archiver
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP hurtigreparasjon - KB873339
Windows XP hurtigreparasjon - KB885250
Windows XP hurtigreparasjon - KB885835
Windows XP hurtigreparasjon - KB885836
Windows XP hurtigreparasjon - KB886185
Windows XP hurtigreparasjon - KB887472
Windows XP hurtigreparasjon - KB887742
Windows XP hurtigreparasjon - KB888113
Windows XP hurtigreparasjon - KB888302
Windows XP hurtigreparasjon - KB890859
Windows XP hurtigreparasjon - KB891781
Windows XP Service Pack 2
X-Cleaner Freeware
XviD 1.1 final uninstall
  • 0

#10
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Everything looks OK. :tazz:

* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


* Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
  • 0

#11
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
