BookedSpace et al. on Windows ME [RESOLVED]


#46 gambit293 (Topic Starter, Member, 38 posts)
Finally, here is one more Panda log. It looks like many of the remaining finds are from the l2m9xfix quarantine folder. Should I flat out delete that folder now?

For some reason, although killbox appears to have worked, the files it deleted ended up in the _RESTORE folder, but I can clear that out myself using the directions you described.

(If you're curious, Windows ME System Restore can be toggled via: My Computer > Properties > Performance Tab > File System button > Troubleshooting tab)

Here's the panda log. I have no idea what that winupdt.008 file is.

Thanks!

-Andrew

Incident Status Location

Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.008
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\ABV01W9X.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\ALICAP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\CBTDLL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\CUFG95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\GWDEF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\HQSJMCRO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\HUACTIVE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\HXDCI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\imv16.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\JDSH400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\LAAD50.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\LGAD50.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\ltawd80n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\lvgif80n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\MBWDAT10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\MEACM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\MJNP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\MWRSERV.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\OQSSQ400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\Pabole32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\PHFMGR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\PND.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\QRUT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\SHMSCRPT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\Stp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\viar332.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\WDI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\WGASERVC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\WXNINET.DLL
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\QBUNIN~1.0
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\INSTAL~2.0
Adware:Adware/Searchforit No disinfected C:\_RESTORE\TEMP\CA2.0
Adware:Adware/DealHelper No disinfected C:\_RESTORE\TEMP\BRWJTN.0
Adware:Adware/DealHelper No disinfected C:\_RESTORE\TEMP\LHYZBK.0
Adware:Adware/BookedSpace No disinfected C:\_RESTORE\TEMP\CFGMGR52.0
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\BANNER.0
Adware:Adware/DelFinMedia No disinfected C:\_RESTORE\TEMP\REMOVE~1.0
Possible Virus. No disinfected C:\_RESTORE\TEMP\PROCES~1.0
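A triage helper for the Panda log above, added here as an example (it is not code from the post, from Geeks to Go or from Panda): it buckets each finding by where the file sits, so copies in a removal tool's backups folder or in Windows ME's _RESTORE tree (the two places Andrew noticed) are kept apart from anything still on a live system path. The status strings and folder names it recognises are only those seen in this log, which is an assumption about the format.

```python
import re
from collections import Counter

# Constructed sample: four lines copied from the Panda ActiveScan log quoted
# in the post above, in its "Incident Status Location" layout.
SAMPLE_LOG = r"""
Incident Status Location
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.008
Adware:Adware/Look2Me No disinfected C:\WINDOWS\DESKTOP\l2m9xfix\backups\ABV01W9X.DLL
Adware:Adware/BookedSpace No disinfected C:\_RESTORE\TEMP\CFGMGR52.0
Possible Virus. No disinfected C:\_RESTORE\TEMP\PROCES~1.0
"""

# Incident names may contain spaces ("Possible Virus."), so match lazily up to
# a status string. Only the statuses seen in this log are listed (assumption).
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

def classify(path):
    """Bucket a finding by where the file lives."""
    p = path.upper()
    if "\\_RESTORE\\" in p:
        return "system-restore"   # copy held by Windows ME System Restore
    if "\\BACKUPS\\" in p:
        return "tool-backup"      # removal tool's own backup of a fixed file
    return "live"                 # still on a normal system path: look at it

def parse_log(text):
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                     # header and blank lines do not match
            f = m.groupdict()
            f["category"] = classify(f["path"])
            findings.append(f)
    return findings

def live_findings(text):
    """Only the detections that are not inert backup/restore copies."""
    return [f for f in parse_log(text) if f["category"] == "live"]

def summarize(text):
    return Counter(f["category"] for f in parse_log(text))

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for f in live_findings(SAMPLE_LOG):
        print("needs attention:", f["incident"], f["path"])
```

On the sample the only "live" entry is winupdt.008, which matches the one file Andrew could not account for; the backup and _RESTORE copies are the ones Justin describes as fine.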
#47 Justin (Member, 2,353 posts)
Hello!

The backup files are fine, they are there just in case you need something that was fixed.

Your Computer looks clean to me. Please post a HiJackThis log for me to look at and I will make sure everything is ok.
#48 gambit293 (Topic Starter, Member, 38 posts)
Hey Justin,

Here is one more Hijack log.

I look forward to the thumbs up from you!

Thanks.

-Andrew

Logfile of HijackThis v1.99.1
Scan saved at 8:53:28 AM, on 8/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\B'S CLIP\BSCLIP.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\QUICKENW\QWDLLS.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\TM1184\CONTROLUTILITY\CONTROLUTILITY.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\RunDLL32.exe C:\PROGRA~1\OFOTO\OFOTONOW\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Dell Control Utility.lnk = C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBDIRECT\FLOWHOOK.DLL
#49 Justin (Member, 2,353 posts)
Hello!

Your HiJackThis log is Clean! That was a tough infection. Thank you for sticking with me and not reformatting. :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
#50 gambit293 (Topic Starter, Member, 38 posts)
That came down to the wire. I just dropped the computer off at my parents' home in Cleveland this morning, and it's now two hours away from me. So I wouldn't have been able to do any more to it anyway.

Thanks, again, for all your help and time on this!

Best wishes.

-Andrew
#51 Justin (Member, 2,353 posts)
Glad I could help Andrew. :tazz:

Best Wishes,
#52 Justin (Member, 2,353 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.