Unknown adware [RESOLVED]


  • This topic is locked

#46
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hi Swandog46,

Here are the 2 files.

Had to deviate from your instructions. When running command.com as the shell, the command prompt window disappeared after running fix.bat. Had to use the task manager to shut down. Rebooted and ran notepad to change the shell back to explorer in system.ini. Ran fix.bat. Again lost the command prompt. Had to use task manager to shut down. Then booted to windows explorer and continued on.

Hope that did not cause problems, but seemed the only course of action after losing any other access.

Thanks

Attached Files



#47
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
OK, but you did manage to change the shell back to Explorer so that you have your desktop back when you boot? Sorry, I didn't have a Windows ME machine available to test the instructions myself before sending them to you.

I am cautiously optimistic, but not quite sure what to make of these results. Because --- the standalone CLSID export you sent me is clean; no sign of the bad CLSID. And the results.txt file you sent me now contains a CLSID export, as it originally should have. However, the results.txt file DOES contain the bad CLSID. So I wonder: in what order did you perform these exports? Which came first --- the regedit CLSID export, or the results.txt file?

Can we try something? --- can you try now running my original batch, the RunThis.bat, and posting the log from that? Maybe since the second batch was able to export and find the CLSID ok, the first one will do the same. I feel like we are on to something here :tazz:

#48
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Changed shell back ok.

Ran the export in Regedit, then the newbatch.



Here is the new log file after Runthis.bat. Have not rebooted since running newbatch.bat last night.

Do you want a reboot and a hijack this log?

Thanks

#49
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
:tazz: Would help if I pasted before sending.

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\DESKTOP\l2m9xfix

************

Files found:

C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL

************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{34F7832B-5ECF-8015-69BA-023610C1B0BF}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

#50
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
Still no good I think. I've been given another idea; let's try this. Please try the following:

1) Run regedit
2) Paste the following text into a new Notepad file, and save it as killbatch.bat (save as type: all files) in the same folder as the original L2M9xfix files:

pv -f -k Explorer.exe
pv -f -k Rundll32.exe


3) Run killbatch.bat --- your desktop will disappear but regedit should still be running.

4) Try again to delete the bad CLSID:

HKEY_CLASSES_ROOT\CLSID\{1DC178BC-76AC-4EB5-B529-DDA2417C0E4F}

Close regedit, and use Task Manager to restart your computer.

Run regedit again and see if the bad CLSID is gone. Post a new export of the HKEY_CLASSES_ROOT\CLSID key for me please.


I have one or two more ideas if this still doesn't work.

#51
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Did not find that key in the registry. Went ahead and ran Killbatch. Shut down from task manager and restarted. Still do not see it in the registry.

With hopes up. :tazz:

Attached Files



#52
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
Really?? :tazz: (with hopes up too!)

Run my original RunThis.bat, and save the logfile. Then reboot and run it again, and save the logfile. If we really killed the CLSID this time, the first run should delete the files, and the second run should come up clean. Then post both logs for me and a new HijackThis log. :)
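Swandog46's test above is a before/after comparison: a first run should delete the files and a second run should come up clean, so whatever is still listed on the second run either resisted deletion or was re-created on reboot. The following is an added example, not code from the thread or from L2M9XFix, that makes that comparison mechanical. It parses the log layout as pasted in this thread (sections separated by rows of asterisks, the "Files found:" list, the REGEDIT4 dump under "Registry entries found:"), collapses the paths the tool repeats, and reports which files persisted between two runs. The sample logs are constructed and shortened to three of the forty paths; the section splitting and the persisted/cleared split are assumptions drawn from the logs shown, not documented tool behaviour.

```python
"""Parse L2M9XFix logs and compare two consecutive runs.

Added example, not code from L2M9XFix or from the thread. The layout it
expects (sections separated by rows of asterisks, a "Files found:" list
and a REGEDIT4 dump under "Registry entries found:") follows the logs
pasted above; the sample logs below are constructed and shortened.
"""
import re
from collections import Counter

SEPARATOR = re.compile(r"^\*{4,}\s*$", re.MULTILINE)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def _sections(text):
    """Yield (heading, non-blank body lines) for each asterisk-delimited block."""
    for chunk in SEPARATOR.split(text):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if lines:
            yield lines[0], [ln for ln in lines[1:] if ln]


def parse_l2m_log(text):
    """Return the run directory, the de-duplicated file list with per-file
    hit counts, and the (key, value name) pairs found in the registry dump."""
    result = {"directory": None, "files": [], "hit_counts": Counter(),
              "registry_values": []}
    seen = {}  # casefolded path -> first spelling seen
    for heading, body in _sections(text):
        if heading == "Running from directory:" and body:
            result["directory"] = body[0]
        elif heading == "Files found:":
            for path in body:
                # The tool lists each path once per search pass; Windows
                # paths are case-insensitive, so collapse on casefold().
                canon = seen.setdefault(path.casefold(), path)
                result["hit_counts"][canon] += 1
        elif heading == "Registry entries found:":
            current_key = None
            for line in body:
                key = REG_KEY.match(line)
                if key:
                    current_key = key.group(1)
                    continue
                value = REG_VALUE.match(line)
                if value and current_key:
                    result["registry_values"].append((current_key, value.group(1)))
    result["files"] = sorted(seen.values(), key=str.casefold)
    return result


def compare_runs(first_text, second_text):
    """Split the first run's files into those still present in the second
    run (delete failed or the infection re-created them) and those cleared."""
    first = {p.casefold(): p for p in parse_l2m_log(first_text)["files"]}
    second = {p.casefold(): p for p in parse_l2m_log(second_text)["files"]}
    return {
        "persisted": sorted(first[k] for k in first.keys() & second.keys()),
        "cleared": sorted(first[k] for k in first.keys() - second.keys()),
        "new": sorted(second[k] for k in second.keys() - first.keys()),
    }


def constructed_log(file_hits, registry_lines):
    """Emit a log in the layout L2M9XFix prints (constructed sample data)."""
    return "\n".join([
        "Log of L2M9XFix v1", "", "************", "",
        "Running from directory:", r"C:\WINDOWS\DESKTOP\l2m9xfix", "",
        "************", "", "Files found:", "", *file_hits, "",
        "************", "", "Registry entries found:", "", "", "REGEDIT4", "",
        *registry_lines, "", "", "************", "",
        "Killing Explorer", "Done!", "", "Deleting malicious files", "Done!",
        "", "", "Finished!", "",
    ])


# Constructed samples: three of the forty paths from the thread, each listed
# four times as the tool does; the first run also still shows the bad value.
POST_PLATFORM = (r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\User Agent\Post Platform]")
FILES = [r"C:\WINDOWS\system\AEFSIPC.DLL", r"C:\WINDOWS\system\DZMM.DLL",
         r"C:\WINDOWS\system\WNN87EM.DLL"]
FIRST_RUN = constructed_log([p for p in FILES for _ in range(4)],
                            [POST_PLATFORM, '"{34F7832B-5ECF-8015-69BA-023610C1B0BF}"=""'])
SECOND_RUN = constructed_log([p for p in FILES for _ in range(4)], [POST_PLATFORM])
CLEAN_RUN = constructed_log([], [])

if __name__ == "__main__":
    for label, paths in compare_runs(FIRST_RUN, SECOND_RUN).items():
        print(f"{label}: {len(paths)}")
        for path in paths:
            print("   ", path)
```

Run against the two logs posted in the next reply, every path lands in `persisted`, which is exactly the "still no good" outcome; against the final clean log, everything moves to `cleared`.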

#53
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Here they are.

Sat there while they were run and both times there were a series of errors referring to GREP.EXE out of memory and environment space, then another series about parameter missing and CLSID.

Thanks




*********** log from the first run

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\DESKTOP\l2m9xfix

************

Files found:

C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL

************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!


***********************log from the second run

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\DESKTOP\l2m9xfix

************

Files found:

C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL
C:\WINDOWS\system\WNN87EM.DLL

************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!


*************************Hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 4:57:01 PM, on 8/21/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com...load/nr1228.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0312.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

#54
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
No way... this is just plain ridiculous. Even with the CLSID gone? Is it still gone? Can I see a new CLSID export?

Also, let's try this: if the CLSID is really gone and it's just the files, let's kill the files and see if they stay gone.

1) Please download the Killbox.
Unzip it to the desktop and run it.

2) Select "Delete on Reboot".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system\AEFSIPC.DLL
C:\WINDOWS\system\AZRESX32.DLL
C:\WINDOWS\system\CIL3D32.DLL
C:\WINDOWS\system\DMNMPNTW.DLL
C:\WINDOWS\system\DRSERIAL.DLL
C:\WINDOWS\system\DZMM.DLL
C:\WINDOWS\system\eyfpixexif.dll
C:\WINDOWS\system\IC1XDD.DLL
C:\WINDOWS\system\IEIRCL.DLL
C:\WINDOWS\system\IHCVID.DLL
C:\WINDOWS\system\ISWDIAL.DLL
C:\WINDOWS\system\IYIRCL.DLL
C:\WINDOWS\system\IZETCOMM.DLL
C:\WINDOWS\system\JKPL400.DLL
C:\WINDOWS\system\jlproxy.dll
C:\WINDOWS\system\Lgkrn70n.dll
C:\WINDOWS\system\LTXUSB32.DLL
C:\WINDOWS\system\LYAETK16.DLL
C:\WINDOWS\system\lzkrn11n.dll
C:\WINDOWS\system\MDTCP.DLL
C:\WINDOWS\system\MFVFW32.DLL
C:\WINDOWS\system\MMNDEX.DLL
C:\WINDOWS\system\MROTHUNK.DLL
C:\WINDOWS\system\MTVFW32.DLL
C:\WINDOWS\system\MUSIP32.DLL
C:\WINDOWS\system\NATAPI32.DLL
C:\WINDOWS\system\NNDLL.DLL
C:\WINDOWS\system\NODLL.DLL
C:\WINDOWS\system\NSTDI.DLL
C:\WINDOWS\system\oxhlp30t.dll
C:\WINDOWS\system\PTGFILT.DLL
C:\WINDOWS\system\RHCLTC6.DLL
C:\WINDOWS\system\SKFTPUB.DLL
C:\WINDOWS\system\SNI_CI.DLL
C:\WINDOWS\system\SZLAD1.dll
C:\WINDOWS\system\URBMON.DLL
C:\WINDOWS\system\VKAME.DLL
C:\WINDOWS\system\WD2THK.DLL
C:\WINDOWS\system\WJSTREAM.DLL
C:\WINDOWS\system\WNN87EM.DLL

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Restart your computer, and run the L2M9xfix batch again. Post the log for me... :tazz:

#55
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
:tazz: New log does not have a list of files. Did that do it?

Attached zip contains CLSID export before and after running Killbox and l2m9xfix.

Log from L2M9XFix follows.

Thanks

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\DESKTOP\l2m9xfix

************

Files found:


************

Registry entries found:



************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

Attached Files



#56
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
I believe a (cautious) celebration is in order! :)

Looks like we got it, finally. Wow... :tazz:

Anyway, go ahead and connect that computer to the internet and see if you get any more popups or other symptoms of infection, and let me know. I'd also like to see one more HijackThis log for closure. :) Whew! :)

#57
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Just got in. Can't connect his box to the net right now. Verizon has me without a land line at the moment. It's dead at the network interface. Their auto system promises to have it fixed by Wed, 5pm.

His Dell|Net/Msn signon window was open and reopens if I close it. His connection settings are set to dial whenever a network connection is not present. Not sure what is trying to phone home, but shutdown his popupstopper and it quit. Going to try and talk him out of that one anyway. Think he put it in because of look2me.


Hijack log follows

Thanks with fingers still crossed. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:58 PM, on 8/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSNDELL\MSNCOREFILES\MSN6.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com...load/nr1228.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0312.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#58
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
Looks perfect to me! Let's do this: why don't you use it for a few days normally, then when you get an internet connection back, use the internet for a day or so to make sure everything works smoothly, without popups. Assuming it all seems ok, post a new HijackThis log for me on Wednesday or Thursday along with a log (hopefully still clean) from L2M9xfix. Then if all looks well I'll post some prevention recommendations for you and we'll call it closed. Thanks for sticking with me so patiently while we slugged through that mess. :tazz:

Edited by Swandog46, 22 August 2005 - 09:06 PM.

  • 0

#59
ewisniew

ewisniew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Looking Good :tazz: No popups.

Logs Follow.

:)

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\DESKTOP\l2m9xfix

************

Files found:


************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!
Logfile of HijackThis v1.99.1
Scan saved at 9:18:52 PM, on 8/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com...load/nr1228.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0312.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0
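For readers triaging logs like the two above: the following is an added example, not code from the thread or from the HijackThis project. It parses a constructed handful of lines in the same HijackThis 1.99.1 format and flags the entries a reviewer would look at first (targets marked "(no file)" / "(file missing)", and Run values that name an executable without a full path); the sample lines and flag names are assumptions of this example.

```python
import re

# Constructed sample in HijackThis log format (a subset, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# O4 autostart entries: HIVE\..\Key: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def first_executable(cmd):
    """Return the program part of a Run command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def parse_hjt_log(text):
    """Return one dict per entry line; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = {"section": m["section"], "body": m["body"], "flags": []}
        clsid = CLSID_RE.search(m["body"])
        entry["clsid"] = clsid.group(0).upper() if clsid else None
        if "(no file)" in m["body"] or "(file missing)" in m["body"]:
            entry["flags"].append("missing-file")   # hook to a target that no longer exists
        run = RUN_RE.match(m["body"]) if entry["section"] == "O4" else None
        if run:
            entry["name"], entry["cmd"] = run["name"], run["cmd"]
            exe = first_executable(run["cmd"])
            if not re.match(r"^[A-Za-z]:\\", exe):
                entry["flags"].append("unqualified-path")   # resolved via PATH; verify which file runs
        entries.append(entry)
    return entries


def flagged(text):
    """Entries worth a second look, in log order."""
    return [e for e in parse_hjt_log(text) if e["flags"]]
```

Everything unflagged still needs a reviewer's judgement (the O2/O3 CLSIDs and paths are what the expert checked by hand); the flags only order the work.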

#60
Swandog46

Swandog46

    Malware Expert

  • Member
  • PipPipPipPip
  • 1,026 posts
  • MVP
Everything looks great --- your HijackThis log is completely clean. :)
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at GTG are to help you, for your sake we would rather not have repeat customers. :tazz:

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or Sygate.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)
  • 0