
Spysheriff, Blue Desktop, and other problems. [RESOLVED]


  • This topic is locked

#16
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Oh my ;)

Are you sure Panda ActiveScan doesn't work? That online scan usually will help us remove a bunch of these.

OK, took a short while, but I sorted it out for you so you don't need to pull your hair out weeding out those files :tazz:

Do this:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\bjgygfet.exe
C:\WINDOWS\SYSTEM\DFDMO.DLL
C:\WINDOWS\SYSTEM\PNPD.DLL
C:\iid.exe
C:\Osaka.exe
C:\PROGRA~1\TCSR\BETT.EXE
C:\PROGRA~1\TCSR\
C:\thin-175-1-x-x.exe
C:\WINDOWS\bjgygfet.exe
C:\WINDOWS\ru.exe
C:\WINDOWS\SYSTEM\APVAPI32.DLL
C:\WINDOWS\SYSTEM\AVYCFILT.DLL
C:\WINDOWS\SYSTEM\bett.exe
C:\WINDOWS\SYSTEM\bsva-egihsg52.exe
C:\WINDOWS\SYSTEM\CEFG95.DLL
C:\WINDOWS\SYSTEM\CIUTIL.DLL
C:\WINDOWS\SYSTEM\DBDMO.DLL
C:\WINDOWS\SYSTEM\DC7VB.DLL
C:\WINDOWS\SYSTEM\DDVMGR32.DLL
C:\WINDOWS\SYSTEM\DFDMO.DLL
C:\WINDOWS\SYSTEM\DQ3J.DLL
C:\WINDOWS\SYSTEM\DXUSIC16.DLL
C:\WINDOWS\SYSTEM\EDowST3.exe
C:\WINDOWS\SYSTEM\GSM3-0511.exe
C:\WINDOWS\SYSTEM\HZINK.DLL
C:\WINDOWS\SYSTEM\IOS.DLL
C:\WINDOWS\SYSTEM\iwkdy.dll
C:\WINDOWS\SYSTEM\JVMD400.DLL
C:\WINDOWS\SYSTEM\LDCMP11n.DLL
C:\WINDOWS\SYSTEM\mivcp71.dll
C:\WINDOWS\SYSTEM\MNSWCH.DLL
C:\WINDOWS\SYSTEM\MNWSTR10.DLL
C:\WINDOWS\SYSTEM\mrjter35.dll
C:\WINDOWS\SYSTEM\muieftp.dll
C:\WINDOWS\SYSTEM\mwieftp.dll
C:\WINDOWS\SYSTEM\NWTOS.DLL
C:\WINDOWS\SYSTEM\package_MARKETING51.exe
C:\WINDOWS\SYSTEM\PNPD.DLL
C:\WINDOWS\SYSTEM\RDCHED20.DLL
C:\WINDOWS\SYSTEM\RXUTETAB.DLL
C:\WINDOWS\SYSTEM\thin-138-1-x-x.exe
C:\WINDOWS\SYSTEM\THPI.DLL
C:\WINDOWS\SYSTEM\ventura-hot_246765.exe
C:\WINDOWS\SYSTEM\VFODCTL.DLL
C:\WINDOWS\SYSTEM\VUPODBC.DLL
C:\WINDOWS\SYSTEM\WNNMM.DLL
C:\WINDOWS\SYSTEM\WPPUI.DLL
C:\WINDOWS\SYSTEM\wpspdmod.dll
C:\WINDOWS\SYSTEM\XMNROLL.DLL
C:\Hijack this\backups\backup-20050804-171903-415.dll


CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart. Delete this folder if it's still there -> C:\PROGRA~1\TCSR\

Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and uncheck that same box now to enable system restore.

Upload this file (C:\Program Files\Windows Media Player\wmplayer.exe) to http://virusscan.jotti.org and report back what it found.

Try running Panda again and post the log here. If it's still giving you problems, run TrendMicro and mwav again and post those logs.



#17
Evan R

    Member

  • Topic Starter
  • Member
  • 21 posts
I uploaded the Media Player file and this is the report:


File: wmplayer.exe
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 974fbadbbcbc9ad678920ae1a9345649
Packers detected: UPX

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.BYN
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Pacer.e
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/Pacer.E
UNA Found nothing
VBA32 Found AdWare.Pacer.e



I'm going to try the panda scan again right now.

Edited by Evan R, 08 August 2005 - 04:26 PM.


#18
Evan R

    Member

  • Topic Starter
  • Member
  • 21 posts
Here's the panda report. I didn't see any box to check to delete files so I don't know if the scan actually removed anything.


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DTCPROP2.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PNPD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DDVMGR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WNNMM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CIUTIL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NWTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DBDMO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APVAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CEFG95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RDCHED20.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\HZINK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VFODCTL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DQ3J.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RXUTETAB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\THPI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DXUSIC16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\XMNROLL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VUPODBC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LDCMP11n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mivcp71.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WPPUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MNWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DC7VB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mwieftp.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\muieftp.dll
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DFDMO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\JVMD400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mrjter35.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AVYCFILT.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\iwkdy.dll
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM\vx.tll
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\SYSTEM\EDowST3.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wpspdmod.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\TEMP\!update.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavF1F2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1183.TMP
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\7014F44P\!update-2264[1].0000
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bjgygfet.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/PurityScan No disinfected C:\Program Files\tcsr\bett.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Look2Me No disinfected C:\temp\Installer.exe
Adware:Adware/BookedSpace No disinfected C:\Hijack this\backups\backup-20050804-171903-415.dll
Adware:Adware/PurityScan No disinfected C:\iid.exe


#19
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you use KillBox to delete those files I asked to delete earlier? If not, do so now.

Then do this:

Please download l2m9xfix at http://www.geekstogo...ds/l2m9xfix.exe

Save it to the desktop and run it. Extract the files. Then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then restart your computer, and post a new HijackThis log, a new Panda scan log, as well as the log.txt file which should be in the same folder as RunThis.bat.

#20
Evan R

    Member

  • Topic Starter
  • Member
  • 21 posts
Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:05 PM, on 8/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.co...4065631-5572906
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Gateway Ink Monitor] C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Noha] C:\Program Files\tcsr\bett.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/s...an/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


Pandascan:


Incident Status Location

Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000061.CPY
Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000062.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\HIZRM109.0
Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000079.CPY
Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000080.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000157.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000159.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000161.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000163.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000165.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000167.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000169.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000171.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000173.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000175.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000177.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000179.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000181.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000183.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000185.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000187.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000189.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000191.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000193.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000195.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000197.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000199.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000201.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000203.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000205.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000207.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000209.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000211.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000213.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000215.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000217.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000219.CPY
Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000223.CPY
Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000224.CPY
Adware:Adware/Midaddle No disinfected C:\_RESTORE\TEMP\A0000227.CPY
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\iwkdy.dll
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM\vx.tll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Possible Virus. No disinfected C:\WINDOWS\TEMP\!update.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pav008D.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pav91.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav009C.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pav95.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pavA0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav0124.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav120.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav122.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav125.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav132.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav135.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav140.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav143.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav150.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav151.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav153.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav160.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav161.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav164.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav170.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav172.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav174.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav180.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav183.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav186.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav192.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav195.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1A2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1A4.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1B0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1B3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1C0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1C3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1C5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1D3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1E2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1E4.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pav01F2.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pav1F2.TMP
Adware:Adware/Midaddle No disinfected C:\WINDOWS\TEMP\pav01F4.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\APVAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\AVYCFILT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\CEFG95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\CIUTIL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DBDMO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DC7VB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DDVMGR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DFDMO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DKDIM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DQ3J.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DXUSIC16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\HZINK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\IOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\JVMD400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\LDCMP11n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MGRECR40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mivcp71.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MNWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mrjter35.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\muieftp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mwieftp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\NWTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\PNPD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\RDCHED20.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\RXUTETAB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\THPI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\VFODCTL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\VUPODBC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\WNNMM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\WPPUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\wpspdmod.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\XMNROLL.DLL
Possible Virus. No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\UG753BFY\!update-2344[1].0000
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bjgygfet.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Look2Me No disinfected C:\temp\Installer.exe
Adware:Adware/BookedSpace No disinfected C:\Hijack this\backups\backup-20050804-171903-415.dll
Adware:Adware/PurityScan No disinfected C:\iid.exe

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\APVAPI32.DLL
C:\WINDOWS\system\APVAPI32.DLL
C:\WINDOWS\system\APVAPI32.DLL
C:\WINDOWS\system\APVAPI32.DLL
C:\WINDOWS\system\AVYCFILT.DLL
C:\WINDOWS\system\AVYCFILT.DLL
C:\WINDOWS\system\AVYCFILT.DLL
C:\WINDOWS\system\AVYCFILT.DLL
C:\WINDOWS\system\CEFG95.DLL
C:\WINDOWS\system\CEFG95.DLL
C:\WINDOWS\system\CEFG95.DLL
C:\WINDOWS\system\CEFG95.DLL
C:\WINDOWS\system\CIUTIL.DLL
C:\WINDOWS\system\CIUTIL.DLL
C:\WINDOWS\system\CIUTIL.DLL
C:\WINDOWS\system\CIUTIL.DLL
C:\WINDOWS\system\DBDMO.DLL
C:\WINDOWS\system\DBDMO.DLL
C:\WINDOWS\system\DBDMO.DLL
C:\WINDOWS\system\DBDMO.DLL
C:\WINDOWS\system\DC7VB.DLL
C:\WINDOWS\system\DC7VB.DLL
C:\WINDOWS\system\DC7VB.DLL
C:\WINDOWS\system\DC7VB.DLL
C:\WINDOWS\system\DDVMGR32.DLL
C:\WINDOWS\system\DDVMGR32.DLL
C:\WINDOWS\system\DDVMGR32.DLL
C:\WINDOWS\system\DDVMGR32.DLL
C:\WINDOWS\system\DFDMO.DLL
C:\WINDOWS\system\DFDMO.DLL
C:\WINDOWS\system\DFDMO.DLL
C:\WINDOWS\system\DFDMO.DLL
C:\WINDOWS\system\DKDIM.DLL
C:\WINDOWS\system\DKDIM.DLL
C:\WINDOWS\system\DKDIM.DLL
C:\WINDOWS\system\DKDIM.DLL
C:\WINDOWS\system\DQ3J.DLL
C:\WINDOWS\system\DQ3J.DLL
C:\WINDOWS\system\DQ3J.DLL
C:\WINDOWS\system\DQ3J.DLL
C:\WINDOWS\system\DXUSIC16.DLL
C:\WINDOWS\system\DXUSIC16.DLL
C:\WINDOWS\system\DXUSIC16.DLL
C:\WINDOWS\system\DXUSIC16.DLL
C:\WINDOWS\system\HZINK.DLL
C:\WINDOWS\system\HZINK.DLL
C:\WINDOWS\system\HZINK.DLL
C:\WINDOWS\system\HZINK.DLL
C:\WINDOWS\system\IOS.DLL
C:\WINDOWS\system\IOS.DLL
C:\WINDOWS\system\IOS.DLL
C:\WINDOWS\system\IOS.DLL
C:\WINDOWS\system\JVMD400.DLL
C:\WINDOWS\system\JVMD400.DLL
C:\WINDOWS\system\JVMD400.DLL
C:\WINDOWS\system\JVMD400.DLL
C:\WINDOWS\system\LDCMP11n.DLL
C:\WINDOWS\system\LDCMP11n.DLL
C:\WINDOWS\system\LDCMP11n.DLL
C:\WINDOWS\system\LDCMP11n.DLL
C:\WINDOWS\system\MGRECR40.DLL
C:\WINDOWS\system\MGRECR40.DLL
C:\WINDOWS\system\MGRECR40.DLL
C:\WINDOWS\system\MGRECR40.DLL
C:\WINDOWS\system\mivcp71.dll
C:\WINDOWS\system\mivcp71.dll
C:\WINDOWS\system\mivcp71.dll
C:\WINDOWS\system\mivcp71.dll
C:\WINDOWS\system\MNWSTR10.DLL
C:\WINDOWS\system\MNWSTR10.DLL
C:\WINDOWS\system\MNWSTR10.DLL
C:\WINDOWS\system\MNWSTR10.DLL
C:\WINDOWS\system\mrjter35.dll
C:\WINDOWS\system\mrjter35.dll
C:\WINDOWS\system\mrjter35.dll
C:\WINDOWS\system\mrjter35.dll
C:\WINDOWS\system\muieftp.dll
C:\WINDOWS\system\muieftp.dll
C:\WINDOWS\system\muieftp.dll
C:\WINDOWS\system\muieftp.dll
C:\WINDOWS\system\mwieftp.dll
C:\WINDOWS\system\mwieftp.dll
C:\WINDOWS\system\mwieftp.dll
C:\WINDOWS\system\mwieftp.dll
C:\WINDOWS\system\NWTOS.DLL
C:\WINDOWS\system\NWTOS.DLL
C:\WINDOWS\system\NWTOS.DLL
C:\WINDOWS\system\NWTOS.DLL
C:\WINDOWS\system\PNPD.DLL
C:\WINDOWS\system\PNPD.DLL
C:\WINDOWS\system\PNPD.DLL
C:\WINDOWS\system\PNPD.DLL
C:\WINDOWS\system\RDCHED20.DLL
C:\WINDOWS\system\RDCHED20.DLL
C:\WINDOWS\system\RDCHED20.DLL
C:\WINDOWS\system\RDCHED20.DLL
C:\WINDOWS\system\RXUTETAB.DLL
C:\WINDOWS\system\RXUTETAB.DLL
C:\WINDOWS\system\RXUTETAB.DLL
C:\WINDOWS\system\RXUTETAB.DLL
C:\WINDOWS\system\THPI.DLL
C:\WINDOWS\system\THPI.DLL
C:\WINDOWS\system\THPI.DLL
C:\WINDOWS\system\THPI.DLL
C:\WINDOWS\system\VFODCTL.DLL
C:\WINDOWS\system\VFODCTL.DLL
C:\WINDOWS\system\VFODCTL.DLL
C:\WINDOWS\system\VFODCTL.DLL
C:\WINDOWS\system\VUPODBC.DLL
C:\WINDOWS\system\VUPODBC.DLL
C:\WINDOWS\system\VUPODBC.DLL
C:\WINDOWS\system\VUPODBC.DLL
C:\WINDOWS\system\WNNMM.DLL
C:\WINDOWS\system\WNNMM.DLL
C:\WINDOWS\system\WNNMM.DLL
C:\WINDOWS\system\WNNMM.DLL
C:\WINDOWS\system\WPPUI.DLL
C:\WINDOWS\system\WPPUI.DLL
C:\WINDOWS\system\WPPUI.DLL
C:\WINDOWS\system\WPPUI.DLL
C:\WINDOWS\system\wpspdmod.dll
C:\WINDOWS\system\wpspdmod.dll
C:\WINDOWS\system\wpspdmod.dll
C:\WINDOWS\system\wpspdmod.dll
C:\WINDOWS\system\XMNROLL.DLL
C:\WINDOWS\system\XMNROLL.DLL
C:\WINDOWS\system\XMNROLL.DLL
C:\WINDOWS\system\XMNROLL.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{329EC799-1E8B-4FF8-AB5C-8A1BC0B9516E}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DFDMO.DLL"
[HKEY_CLASSES_ROOT\CLSID\{329EC799-1E8B-4FF8-AB5C-8A1BC0B9516E}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DFDMO.DLL"
[HKEY_CLASSES_ROOT\CLSID\{329EC799-1E8B-4FF8-AB5C-8A1BC0B9516E}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DFDMO.DLL"
[HKEY_CLASSES_ROOT\CLSID\{329EC799-1E8B-4FF8-AB5C-8A1BC0B9516E}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DFDMO.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A223B75-F232-8217-09A7-B6E673C6D304}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

#21
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and uncheck that same box now.

Check and fix this in HijackThis:

O4 - HKCU\..\Run: [Noha] C:\Program Files\tcsr\bett.exe

Delete these if found:

C:\WINDOWS\SYSTEM\Shex.exe
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\SYSTEM\iwkdy.dll
C:\WINDOWS\SYSTEM\vx.tll
C:\WINDOWS\SYSTEM\QBUninstaller.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\bjgygfet.exe
C:\WINDOWS\ru.exe
C:\Program Files\Aprps\
C:\Hijack this\backups\backup-20050804-171903-415.dll
C:\iid.exe
C:\Program Files\tcsr\


CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart and post a new HijackThis log and Panda log.
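The sorting greyknight17 did by hand in the post above (which Panda entries were already disinfected, which sit in the System Restore cache or temp folders and go away with the System Restore toggle and CleanUp!, which still need deleting, and which HijackThis O4 line launches one of the detected files) as an added Python example. It is not code from the thread or from Panda, HijackThis, KillBox or l2m9xfix, and its two sample logs are constructed subsets of the logs posted earlier in the thread.

```python
import re
from typing import NamedTuple, Optional

# Added example, not code from the thread or from Panda, HijackThis, KillBox or
# l2m9xfix. It sorts a Panda ActiveScan report into "already disinfected",
# "cleared by System Restore / temp cleanup" and "delete by hand", then flags
# HijackThis O4 autorun lines that launch a detected file. Both sample logs are
# constructed subsets of the logs posted in the thread.

PANDA_LOG = r"""
Incident Status Location

Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0000157.CPY
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\iwkdy.dll
Possible Virus. No disinfected C:\WINDOWS\TEMP\!update.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav1A2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\PNPD.DLL
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/PurityScan No disinfected C:\Program Files\tcsr\bett.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKCU\..\Run: [Noha] C:\Program Files\tcsr\bett.exe
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
"""

# A Panda line is "<incident> <status> <path>"; the incident can contain a space
# ("Possible Virus."), so anchor on the status keyword and the drive letter.
PANDA_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Disinfected|No disinfected) (?P<path>[A-Za-z]:\\.+?)\s*$")
# HijackThis O4 lines come in a registry Run form and a Startup-folder form.
O4_RUN_RE = re.compile(r"^O4 - (?P<key>HK[A-Z]+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First drive-letter path ending in an executable extension, quoted or not;
# switches such as "/autorun" or "-r" after it are dropped.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|com|bat|scr|pif))", re.IGNORECASE)

class Detection(NamedTuple):
    incident: str
    status: str
    path: str

class Autorun(NamedTuple):
    key: str
    name: str
    path: Optional[str]   # None when the command names no explicit path (e.g. SysTray.Exe)

def parse_panda(text: str) -> list:
    """One Detection per scanner result line; the header and blank lines are skipped."""
    return [Detection(m["incident"], m["status"], m["path"])
            for m in (PANDA_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def parse_o4(text: str) -> list:
    """One Autorun per O4 line, whichever of the two O4 forms it uses."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN_RE.match(line.strip()) or O4_STARTUP_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m["cmd"])
            entries.append(Autorun(m["key"], m["name"], p.group(1) if p else None))
    return entries

def classify(path: str) -> str:
    """Bucket a still-infected path by the step in the thread that removes it."""
    p = path.lower()
    if "\\_restore\\" in p:        # Windows ME System Restore cache: cleared by
        return "restore"           # toggling System Restore off and on
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"              # cleared by CleanUp!
    return "manual"                # KillBox list / delete by hand

def triage(panda_text: str, hjt_text: str) -> dict:
    """Cross-reference a Panda report with the HijackThis O4 autorun lines."""
    report = {"disinfected": [], "restore": [], "temp": [], "manual": [], "autorun_hits": []}
    detections = parse_panda(panda_text)
    for d in detections:
        bucket = "disinfected" if d.status == "Disinfected" else classify(d.path)
        report[bucket].append(d.path)
    # Exact, case-insensitive match only: 8.3 short names such as
    # C:\PROGRA~1\TCSR\BETT.EXE are not expanded, so those would be missed.
    flagged = {d.path.lower() for d in detections}
    report["autorun_hits"] = [e for e in parse_o4(hjt_text)
                              if e.path and e.path.lower() in flagged]
    return report

if __name__ == "__main__":
    result = triage(PANDA_LOG, HJT_LOG)
    for bucket in ("disinfected", "restore", "temp", "manual"):
        print(f"{bucket}: {len(result[bucket])} file(s)")
    for e in result["autorun_hits"]:
        print(f"autorun entry launches a detected file: {e.key} [{e.name}] {e.path}")
```

The "manual" bucket is the list a helper would hand to KillBox; the "autorun_hits" entries are the O4 lines to fix in HijackThis before deleting the file they point at, since otherwise the Run key keeps referencing a missing executable.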

#22
Evan R

    Member

  • Topic Starter
  • Member
  • 21 posts
Hi, I did what you said and I was able to delete all the files you mentioned except for C:\WINDOWS\ru.exe which I could not find. Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 4:51:14 PM, on 8/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.co...4065631-5572906
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Gateway Ink Monitor] C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/s...an/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab




Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\APVAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\AVYCFILT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\CEFG95.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\CIUTIL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DBDMO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DC7VB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DDVMGR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DFDMO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DKDIM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DQ3J.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DXUSIC16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\HZINK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\IOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\JVMD400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\LDCMP11n.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MGRECR40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mivcp71.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MNWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mrjter35.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\muieftp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mwieftp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\NWTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\PNPD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\RDCHED20.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\RXUTETAB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\THPI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\VFODCTL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\VUPODBC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\WNNMM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\WPPUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\wpspdmod.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\XMNROLL.DLL
Adware:Adware/Look2Me No disinfected C:\temp\Installer.exe

#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to log off.

You may delete all the backup files in this folder:

C:\WINDOWS\Desktop\l2m9xfix\backups\

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#24 Evan R (Topic Starter, Member, 21 posts)

My computer has run better today than it has in weeks! Not a single popup all day, no problems whatsoever. Thank you very much for all your time and help. I'm very grateful. The work you folks are doing here is fantastic.

By the way, should I keep all these programs on my desktop? Mwav, killbox, smitrem, wininet.dll?

#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Hi there, yes, you may delete all those on your desktop. They are not needed anymore.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.