Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Alot of problems, please help [CLOSED]


  • This topic is locked This topic is locked

#16
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Can you tell me which 20 files are spyware related? We will delete them.

OK, we'll see if L2MFix can fix this up:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

Advertisements


#17
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
the l2mfix thing didnt bring up a log, but i will try it again right now, the things that norton can not delete are as follows....
adware.ezula
hacktool.keygen.151552
hacktool.keygen.151552
adware.minibug
adware.180search
adware.powerscan
adware.superbar
adware.sahagent

Edited by Hitman0150, 10 June 2005 - 07:09 PM.

  • 0

#18
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Does Norton actually tell you the exact filenames?
  • 0

#19
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
ok well i deleted some of the files norton couldnt delete and i am down to one file it can not delete, it is adware.look2me, the file name is LYCUI2.dll and it is located at c:\windows\system32\LYCUI2.dll
  • 0

#20
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\system32\LYCUI2.dll

Restart. Any problems now?

Give me a new HijackThis log and the L2MFix log I asked for earlier.
  • 0

#21
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
i kep getting nuker, dealtime, automotice,online poker ect... pop ups.... getting hijackthis log and l2mfix log asap.
  • 0

#22
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:38:50 AM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\dvd43\DVD43_Tray.exe
c:\windows\system32\nnldpl.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\system32\nnh5ff5k.exe
C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CDM\pywqwxjwoc.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/index.php
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {FC33D200-008C-77A8-7E2D-2E63C0810E6E} - C:\WINDOWS\system32\CDM\pywqwxjwoc.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\documents and settings\mike\desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitegov32.exe
O4 - HKLM\..\Run: [fzjtrp] c:\windows\system32\nnldpl.exe r
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [nnh5ff5k] C:\WINDOWS\system32\nnh5ff5k.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O20 - Winlogon Notify: STOPzilla - IS3WLHandler.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#23
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, it's Aurora. Hopefully this will be a last fix for a while :tazz:

Make sure you get those prevention programs and install them when we are done.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net...wnload/updates/ Do NOT the Ewido scan yet.

Please download Nailfix at http://www.noidea.us...050515010747824 Unzip it to the desktop but do NOT run it yet.

Download ETRemover and unzip it. Don't run it yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in it, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Save the log from the Ewido scan so that you can post it later.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {FC33D200-008C-77A8-7E2D-2E63C0810E6E} - C:\WINDOWS\system32\CDM\pywqwxjwoc.dll
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitegov32.exe
O4 - HKLM\..\Run: [fzjtrp] c:\windows\system32\nnldpl.exe r
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [nnh5ff5k] C:\WINDOWS\system32\nnh5ff5k.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Close all open windows except for HijackThis and click Fix Checked.

Uninstall these from the Add/Remove panel if listed:

WeirdOnTheWeb
BullsEye Network
BargainBuddy


Delete these if found:

c:\windows\system32\nnldpl.exe
C:\Program Files\BullsEye Network\
C:\Program Files\WeirdOnTheWeb\
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\system32\nnh5ff5k.exe
C:\WINDOWS\system32\CDM\
C:\WINDOWS\Nail.exe
c:\windows\system32\elitegov32.exe
c:\windows\system32\nnldpl.exe
C:\WINDOWS\svcproc.exe


Run ETRemover.exe now.

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the results here along with the new HijackThis log. Also post the Ewido scan results here.
  • 0

#24
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 06/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 7CF7-E628

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 7CF7-E628

Directory of C:\WINDOWS\system32

02/20/2005 09:35 AM 1,406 amazon-desk.ico
02/20/2005 09:35 AM 1,406 amazon.ico
2 File(s) 2,812 bytes
0 Dir(s) 19,066,425,344 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».
  • 0

#25
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:14:44 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/index.php
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\documents and settings\mike\desktop\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22....ex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#26
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
i am still getting pop ups....
  • 0

#27
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You should almost be clear now.

Where is the Ewido log file?

Delete these two files:

C:\WINDOWS\system32\amazon-desk.ico
C:\WINDOWS\system32\amazon.ico


Update Ad-aware and Spybot. Run their scans and delete the things they find.

Restart. Any popups still? If not:

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#28
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
ewido found an infection it is file fjeploy.dll at c:\windows\system32 and infection spyware.look2me.ab
  • 0

#29
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete that file and restart. See if it's still detected now.

Just to be safe, give me a new HijackThis log and the following:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!
  • 0

#30
Hitman0150

Hitman0150

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
**********************************************************************************
useragent:
**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bszip.dll Wed Jun 1 2005 4:00:24p A.... 62,464 61.00 K
cqedui.dll Thu Jun 16 2005 6:57:32p ..S.R 234,784 229.28 K
dptmsft.dll Wed Jun 15 2005 10:51:10p ..S.R 235,466 229.95 K
kfdcz1.dll Wed Jun 15 2005 3:10:54p ..S.R 235,466 229.95 K
llkrn12n.dll Wed Jun 15 2005 1:57:18p ..S.R 235,466 229.95 K
mlaudite.dll Thu Jun 16 2005 6:57:38p ..S.R 234,784 229.28 K
pncrt.dll Sat Jun 11 2005 4:28:02p A.... 278,528 272.00 K
pndx5016.dll Sat Jun 11 2005 4:28:04p A.... 6,656 6.50 K
pndx5032.dll Sat Jun 11 2005 4:28:04p A.... 5,632 5.50 K
rmoc3260.dll Sat Jun 11 2005 4:28:14p A.... 176,167 172.04 K
rtcrt4.dll Tue Jun 14 2005 11:49:50p ..S.R 235,466 229.95 K
s32evnt1.dll Fri May 13 2005 7:50:10p A.... 91,856 89.70 K
symneti.dll Tue Apr 5 2005 11:17:04a A.... 517,848 505.71 K
symredir.dll Tue Apr 5 2005 11:17:04a A.... 132,824 129.71 K
tjaffic.dll Fri Jun 17 2005 10:23:08a ..S.R 234,784 229.28 K
uhimdmat.dll Wed Jun 15 2005 6:48:14p ..S.R 235,466 229.95 K

16 items found: 16 files (8 H/S), 0 directories.
Total of file sizes: 3,153,657 bytes 3.00 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7CF7-E628

Directory of C:\WINDOWS\System32

06/17/2005 10:23 AM <DIR> ..
06/17/2005 10:23 AM <DIR> .
06/17/2005 10:23 AM 234,784 tjaffic.dll
06/16/2005 06:57 PM 234,784 mlaudite.dll
06/16/2005 06:57 PM 234,784 cqedui.dll
06/16/2005 12:08 AM 2 cmd.com
06/16/2005 12:08 AM 2 regedit.com
06/16/2005 12:08 AM 2 taskkill.com
06/16/2005 12:08 AM 2 tasklist.com
06/16/2005 12:08 AM 2 tracert.com
06/16/2005 12:08 AM 2 netstat.com
06/16/2005 12:08 AM 2 ping.com
06/15/2005 10:51 PM 235,466 dptmsft.dll
06/15/2005 06:48 PM 235,466 uhimdmat.dll
06/15/2005 03:10 PM 235,466 kfdcz1.dll
06/15/2005 01:57 PM 235,466 Llkrn12n.dll
06/14/2005 11:49 PM 235,466 rtcrt4.dll
06/10/2005 11:09 PM <DIR> dllcache
09/13/2004 10:28 AM 10,022 KGyGaAvL.sys
03/14/2004 08:03 PM <DIR> Microsoft
11/14/2002 05:24 PM 235,466 kvrberos.dll
09/30/1999 07:21 PM 166,672 mstext35.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll
09/09/1999 10:06 PM 168,720 msltus35.dll
09/09/1999 10:06 PM 252,688 msexcl35.dll
08/25/1999 02:57 PM 415,504 msrepl35.dll
06/10/1999 09:34 AM 123,664 msjint35.dll
06/10/1999 09:34 AM 24,848 msjter35.dll
06/07/1999 06:59 PM 250,128 mspdox35.dll
04/25/1999 05:00 PM 252,176 Msrd2x35.dll
04/25/1999 05:00 PM 287,504 Msxbse35.dll
27 File(s) 5,119,984 bytes
4 Dir(s) 15,759,499,264 bytes free
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP