AD Popups [RESOLVED]


#16 motomem (Member, Topic Starter, 15 posts)

Ok, well, I couldn't wait. I renamed the files with a .bak extension and rebooted to make sure of no adverse effects during bootup. There were none, so I deleted the files, removed them from Recycle, cleaned the registry (RegSupreme Pro), and rebooted. And I'm still getting popups... lol.

Here's a new Findit log:


Windows 98 [Version 4.10.2222]

Current date is Tue 08-23-2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.


Volume in drive C is 40GIG
Volume Serial Number is 1A2B-1CE2
Directory of C:\WINDOWS\SYSTEM32

33,079.63 MB free
»»»»» Checking for SAHAgent ico files.

Volume in drive C is 40GIG
Volume Serial Number is 1A2B-1CE2
Directory of C:\WINDOWS\SYSTEM32

33,079.63 MB free

»»»»»»»»»»»»»»»»»»»»»»»».

Thanks. John.

#17 don77 (Malware Expert, Retired Staff, 18,526 posts)

Could you please post back a fresh HJT log.
Also:
Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#18 motomem (Member, Topic Starter, 15 posts)

Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:44 PM, on 8/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\GENERIC\6-IN-1 USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INFOGRAMES\ATARI ANNIVERSARY EDITION\VOLUME 2\ATARI ICON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\LOTUS\WORDPRO\LTSSTART.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PERSONAL_DATA\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.smokeybones.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://labor.darden.com/cab/smsx.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

= = = = = = = = = = = = = = = = =

And here is the Silent Runners log:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"CountrySelection" = "pctptt.exe" [file not found]
"PTSNOOP" = "ptsnoop.exe" [null data]
"MediaFace Integration" = "C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" ["Fellowes, Inc."]
"Disk Monitor" = "C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe" ["Neodio Corp."]
"CriticalUpdate" = "C:\WINDOWS\SYSTEM\wucrtupd.exe -startup" [MS]
"LVComs" = "C:\WINDOWS\SYSTEM\LVComS.exe" ["Logitech Inc."]
"DXM6Patch_981116" = "C:\WINDOWS\p_981116.exe /Q:A" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"Atari Launcher 2" = "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe" ["Infogrames "]
"AtariBanner" = ""C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0" ["Infogrames "]
"Logitech Utility" = "LOGI_MWX.EXE" ["Logitech Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: [email protected]"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{2b232f20-fa0d-11d1-8a3e-00c0f64105cd}" = "Shuttle Shell Extension for Drive"
-> {CLSID}\InProcServer32\(Default) = "stlhook.dll" ["SCM Microsystems Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Billminder" -> shortcut to: "C:\QUICKENW\billmind.exe" ["Intuit"]
"Lotus QuickStart" -> shortcut to: "C:\lotus\wordpro\ltsstart.exe" ["Lotus Development Corporation"]
"Lotus SmartSuite 97 Registration" -> shortcut to: "C:\lotus\register\remind32.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm, Inc."]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]


Enabled Scheduled Tasks:
------------------------

"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]
"Tune-up Application Start" -> launches: "walign" [MS]
"Windows Critical Update Notification" -> launches: "C:\WINDOWS\SYSTEM\WUCRTUPD.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL" ["Yahoo! Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRAM FILES\AIM\AIM.EXE" ["America Online, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 13 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 7 seconds.
---------- (total run time: 41 seconds)


Thanks, John.

#19 don77 (Malware Expert, Retired Staff, 18,526 posts)

Hi John,
Could you run this online scan please: ActiveScan

Post back what it finds, please.

#20 motomem (Member, Topic Starter, 15 posts)

Hey Don77,

Ok, here are the ActiveScan results:

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RJGWIZC.DLL
Security Risk:Application/RestartNo disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IXSETUP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYWIZDLL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DNDRAMP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MPNETOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RDGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MBTEXT40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OOFIL400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ONEACC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MLCAT32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ATDENC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WY2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MAWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VAAME.DLL
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lhbas09.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mvdxmlc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MCLOCUSR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SDVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MJ3216.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\pycrt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NTNDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WT2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\jisd400.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGCANS32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lldxf13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MTSIP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GKU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lxfpx7.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VM5DB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\BHVPD95A.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Lqonardo da Vinci.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RBSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lxdrw13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\rhboex32.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\pgdhuf.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav2331.TMP
Security Risk:Application/RestartNo disinfected C:\WINDOWS\TEMP\pav3176.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4052.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4053.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4064.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4065.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4185.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41A2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41C2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41E0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41E5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41F1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41F5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4201.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4202.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4211.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4233.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4235.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4241.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4255.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4262.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4264.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4265.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4273.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav42A0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav42A3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav42F0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4333.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4335.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4341.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4342.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4344.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4345.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4350.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4353.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4355.TMP
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/Funcade No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\YRE7Q1A3\installer_VENDARE4[1].cab[installer_VENDARE4.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\MHFKTGR2\CAXKDY3P.HTM
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\KPCZO307\rosexactpop[1].html
Adware:Adware/EnhSrch No disinfected C:\WINDOWS\dsr.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccK.exe
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccess.exe
Thanks so much, John.
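As an added example (not code from the thread, from Geeks to Go or from Panda), here is a small Python triage helper for result lines in the shape ActiveScan printed above: it parses each `Category:Family Status Path` line, tolerating the glued-together "Application/RestartNo disinfected" form seen in John's log, and groups findings by family and by where on disk they sit, so that components under WINDOWS\SYSTEM stand out from browser-cache residue. The sample lines are copied from the posted scan; the location classes and the "Disinfected" status value are this example's own assumptions.

```python
"""Triage helper for Panda ActiveScan result lines.

Added example, not code from the thread or from Panda.  Each result line in
the posted scan has the shape

    <Category>:<Family> <Status> <Path>

and in the posted log the status is sometimes glued to the family
("Application/RestartNo disinfected"), so the parser splits on the status
phrase rather than on whitespace.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the scan result posted above.
SAMPLE_RESULTS = r"""
Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RJGWIZC.DLL
Security Risk:Application/RestartNo disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IXSETUP.DLL
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav2331.TMP
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\KPCZO307\rosexactpop[1].html
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccess.exe
"""

# "No disinfected" is the only status in the posted log; "Disinfected" is
# assumed here as the other value the scanner can print.
RESULT_RE = re.compile(
    r"^(?P<category>[A-Za-z ]+):(?P<family>\S+?)\s*"
    r"(?P<status>No disinfected|Disinfected)\s+(?P<path>.+?)\s*$"
)


def parse_results(text):
    """Return one dict per recognised result line; headers and blanks are skipped."""
    findings = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        findings.append({
            "category": m["category"].strip(),
            "family": m["family"],
            "status": m["status"],
            "path": PureWindowsPath(m["path"]),
        })
    return findings


# Where a detection sits on disk says a lot about what it means: a DLL under
# WINDOWS\SYSTEM is a component that gets loaded, a file in the browser cache
# is a page that was merely downloaded.  These location classes are this
# example's own heuristic, not Panda's.
def locate(path):
    parts = {p.lower() for p in path.parts}
    if "temporary internet files" in parts:
        return "browser-cache"
    if "temp" in parts:
        return "temp"
    if "system" in parts or "system32" in parts:
        return "system-dir"
    if "program files" in parts:
        return "program-files"
    return "other"


def summarize(findings):
    """Group findings by family and location class; count what the scanner left on disk."""
    by_family = Counter(f["family"] for f in findings)
    by_location = defaultdict(list)
    for f in findings:
        by_location[locate(f["path"])].append(f["path"].name)
    not_cleaned = sum(1 for f in findings if f["status"] == "No disinfected")
    return {
        "families": by_family,
        "locations": dict(by_location),
        "not_cleaned": not_cleaned,
    }


if __name__ == "__main__":
    report = summarize(parse_results(SAMPLE_RESULTS))
    for family, n in report["families"].most_common():
        print(f"{n:3d}  {family}")
    for where, names in report["locations"].items():
        print(f"{where}: {', '.join(names)}")
    print(f"{report['not_cleaned']} finding(s) left on disk by the scanner")
```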

#21 don77 (Malware Expert, Retired Staff, 18,526 posts)

OK John, that's what we were looking for.
Please download L2m9xfix here:
http://swandog46.gee...om/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

Also, could you run ActiveScan again after you reboot and post back what it finds, along with the HJT log and the L2M log.txt, please?

#22 motomem (Member, Topic Starter, 15 posts)

Ok, the run and reboot is complete. YAY!!! It seems the popups are GONE!!!! It takes a while for the ActiveScan to run, at least 10 minutes, and no popups came up, which they usually did. Let me know if there are any other files I can delete.

Here is the log from l2m9xfix:

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix

************

Files found:

C:\WINDOWS\system\ATDENC32.DLL
C:\WINDOWS\system\ATDENC32.DLL
C:\WINDOWS\system\ATDENC32.DLL
C:\WINDOWS\system\ATDENC32.DLL
C:\WINDOWS\system\BHVPD95A.DLL
C:\WINDOWS\system\BHVPD95A.DLL
C:\WINDOWS\system\BHVPD95A.DLL
C:\WINDOWS\system\BHVPD95A.DLL
C:\WINDOWS\system\BYACKBOX.DLL
C:\WINDOWS\system\BYACKBOX.DLL
C:\WINDOWS\system\BYACKBOX.DLL
C:\WINDOWS\system\BYACKBOX.DLL
C:\WINDOWS\system\CORDS.DLL
C:\WINDOWS\system\CORDS.DLL
C:\WINDOWS\system\CORDS.DLL
C:\WINDOWS\system\CORDS.DLL
C:\WINDOWS\system\DNDRAMP.DLL
C:\WINDOWS\system\DNDRAMP.DLL
C:\WINDOWS\system\DNDRAMP.DLL
C:\WINDOWS\system\DNDRAMP.DLL
C:\WINDOWS\system\FFPWPP.DLL
C:\WINDOWS\system\FFPWPP.DLL
C:\WINDOWS\system\FFPWPP.DLL
C:\WINDOWS\system\FFPWPP.DLL
C:\WINDOWS\system\GKU32.DLL
C:\WINDOWS\system\GKU32.DLL
C:\WINDOWS\system\GKU32.DLL
C:\WINDOWS\system\GKU32.DLL
C:\WINDOWS\system\IXSETUP.DLL
C:\WINDOWS\system\IXSETUP.DLL
C:\WINDOWS\system\IXSETUP.DLL
C:\WINDOWS\system\IXSETUP.DLL
C:\WINDOWS\system\jisd400.dll
C:\WINDOWS\system\jisd400.dll
C:\WINDOWS\system\jisd400.dll
C:\WINDOWS\system\jisd400.dll
C:\WINDOWS\system\lhbas09.dll
C:\WINDOWS\system\lhbas09.dll
C:\WINDOWS\system\lhbas09.dll
C:\WINDOWS\system\lhbas09.dll
C:\WINDOWS\system\lldxf13n.dll
C:\WINDOWS\system\lldxf13n.dll
C:\WINDOWS\system\lldxf13n.dll
C:\WINDOWS\system\lldxf13n.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\lxdrw13n.dll
C:\WINDOWS\system\lxdrw13n.dll
C:\WINDOWS\system\lxdrw13n.dll
C:\WINDOWS\system\lxdrw13n.dll
C:\WINDOWS\system\lxfpx7.dll
C:\WINDOWS\system\lxfpx7.dll
C:\WINDOWS\system\lxfpx7.dll
C:\WINDOWS\system\lxfpx7.dll
C:\WINDOWS\system\MAWSTR10.DLL
C:\WINDOWS\system\MAWSTR10.DLL
C:\WINDOWS\system\MAWSTR10.DLL
C:\WINDOWS\system\MAWSTR10.DLL
C:\WINDOWS\system\MBTEXT40.DLL
C:\WINDOWS\system\MBTEXT40.DLL
C:\WINDOWS\system\MBTEXT40.DLL
C:\WINDOWS\system\MBTEXT40.DLL
C:\WINDOWS\system\MCLOCUSR.DLL
C:\WINDOWS\system\MCLOCUSR.DLL
C:\WINDOWS\system\MCLOCUSR.DLL
C:\WINDOWS\system\MCLOCUSR.DLL
C:\WINDOWS\system\MGCANS32.DLL
C:\WINDOWS\system\MGCANS32.DLL
C:\WINDOWS\system\MGCANS32.DLL
C:\WINDOWS\system\MGCANS32.DLL
C:\WINDOWS\system\MJ3216.DLL
C:\WINDOWS\system\MJ3216.DLL
C:\WINDOWS\system\MJ3216.DLL
C:\WINDOWS\system\MJ3216.DLL
C:\WINDOWS\system\MLCAT32.DLL
C:\WINDOWS\system\MLCAT32.DLL
C:\WINDOWS\system\MLCAT32.DLL
C:\WINDOWS\system\MLCAT32.DLL
C:\WINDOWS\system\MPNETOBJ.DLL
C:\WINDOWS\system\MPNETOBJ.DLL
C:\WINDOWS\system\MPNETOBJ.DLL
C:\WINDOWS\system\MPNETOBJ.DLL
C:\WINDOWS\system\MTSIP32.DLL
C:\WINDOWS\system\MTSIP32.DLL
C:\WINDOWS\system\MTSIP32.DLL
C:\WINDOWS\system\MTSIP32.DLL
C:\WINDOWS\system\mvdxmlc.dll
C:\WINDOWS\system\mvdxmlc.dll
C:\WINDOWS\system\mvdxmlc.dll
C:\WINDOWS\system\mvdxmlc.dll
C:\WINDOWS\system\ngwdmcpl.dll
C:\WINDOWS\system\ngwdmcpl.dll
C:\WINDOWS\system\ngwdmcpl.dll
C:\WINDOWS\system\ngwdmcpl.dll
C:\WINDOWS\system\NTNDS.DLL
C:\WINDOWS\system\NTNDS.DLL
C:\WINDOWS\system\NTNDS.DLL
C:\WINDOWS\system\NTNDS.DLL
C:\WINDOWS\system\ONEACC.DLL
C:\WINDOWS\system\ONEACC.DLL
C:\WINDOWS\system\ONEACC.DLL
C:\WINDOWS\system\ONEACC.DLL
C:\WINDOWS\system\OOFIL400.DLL
C:\WINDOWS\system\OOFIL400.DLL
C:\WINDOWS\system\OOFIL400.DLL
C:\WINDOWS\system\OOFIL400.DLL
C:\WINDOWS\system\pycrt.dll
C:\WINDOWS\system\pycrt.dll
C:\WINDOWS\system\pycrt.dll
C:\WINDOWS\system\pycrt.dll
C:\WINDOWS\system\RBSAPI16.DLL
C:\WINDOWS\system\RBSAPI16.DLL
C:\WINDOWS\system\RBSAPI16.DLL
C:\WINDOWS\system\RBSAPI16.DLL
C:\WINDOWS\system\RDGWIZC.DLL
C:\WINDOWS\system\RDGWIZC.DLL
C:\WINDOWS\system\RDGWIZC.DLL
C:\WINDOWS\system\RDGWIZC.DLL
C:\WINDOWS\system\rhboex32.dll
C:\WINDOWS\system\rhboex32.dll
C:\WINDOWS\system\rhboex32.dll
C:\WINDOWS\system\rhboex32.dll
C:\WINDOWS\system\RJGWIZC.DLL
C:\WINDOWS\system\RJGWIZC.DLL
C:\WINDOWS\system\RJGWIZC.DLL
C:\WINDOWS\system\RJGWIZC.DLL
C:\WINDOWS\system\SDVID.DLL
C:\WINDOWS\system\SDVID.DLL
C:\WINDOWS\system\SDVID.DLL
C:\WINDOWS\system\SDVID.DLL
C:\WINDOWS\system\SXI.DLL
C:\WINDOWS\system\SXI.DLL
C:\WINDOWS\system\SXI.DLL
C:\WINDOWS\system\SXI.DLL
C:\WINDOWS\system\SXVID.DLL
C:\WINDOWS\system\SXVID.DLL
C:\WINDOWS\system\SXVID.DLL
C:\WINDOWS\system\SXVID.DLL
C:\WINDOWS\system\VAAME.DLL
C:\WINDOWS\system\VAAME.DLL
C:\WINDOWS\system\VAAME.DLL
C:\WINDOWS\system\VAAME.DLL
C:\WINDOWS\system\VM5DB.DLL
C:\WINDOWS\system\VM5DB.DLL
C:\WINDOWS\system\VM5DB.DLL
C:\WINDOWS\system\VM5DB.DLL
C:\WINDOWS\system\WCBVW.DLL
C:\WINDOWS\system\WCBVW.DLL
C:\WINDOWS\system\WCBVW.DLL
C:\WINDOWS\system\WCBVW.DLL
C:\WINDOWS\system\WT2THK.DLL
C:\WINDOWS\system\WT2THK.DLL
C:\WINDOWS\system\WT2THK.DLL
C:\WINDOWS\system\WT2THK.DLL
C:\WINDOWS\system\WY2THK.DLL
C:\WINDOWS\system\WY2THK.DLL
C:\WINDOWS\system\WY2THK.DLL
C:\WINDOWS\system\WY2THK.DLL
C:\WINDOWS\system\WYWIZDLL.DLL
C:\WINDOWS\system\WYWIZDLL.DLL
C:\WINDOWS\system\WYWIZDLL.DLL
C:\WINDOWS\system\WYWIZDLL.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{2ABD9540-0967-11DA-8AAA-000AE6DF81FB}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MJ3216.DLL"
[HKEY_CLASSES_ROOT\CLSID\{2ABD9540-0967-11DA-8AAA-000AE6DF81FB}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MJ3216.DLL"
[HKEY_CLASSES_ROOT\CLSID\{2ABD9540-0967-11DA-8AAA-000AE6DF81FB}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MJ3216.DLL"
[HKEY_CLASSES_ROOT\CLSID\{2ABD9540-0967-11DA-8AAA-000AE6DF81FB}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MJ3216.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7DA22E14-E948-48EA-A574-465A9FC4D66F}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

= = = = = = = = = = = = = = = = = = = = = = = = =

Here is an HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:01 AM, on 8/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\GENERIC\6-IN-1 USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INFOGRAMES\ATARI ANNIVERSARY EDITION\VOLUME 2\ATARI ICON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\LOTUS\WORDPRO\LTSSTART.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PERSONAL_DATA\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.1.12 labor.darden.com
O1 - Hosts: 127.0.1.10 gpweb2.darden.com
O1 - Hosts: 127.0.1.13 parpull.darden.com
O1 - Hosts: 127.0.1.11 boscluster.darden.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.smokeybones.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://labor.darden.com/cab/smsx.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


= = = = = = = = = = = = = = = = = = = = =

Here is the ActiveScan results:


Incident Status Location

Security Risk:Application/Restart No disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Lqonardo da Vinci.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\pgdhuf.exe
Security Risk:Application/Restart No disinfected C:\WINDOWS\TEMP\pav9320.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB0E3.TMP
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ATDENC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\BHVPD95A.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\BYACKBOX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\DNDRAMP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\FFPWPP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\GKU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\IXSETUP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\jisd400.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lhbas09.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lldxf13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lxdrw13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lxfpx7.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MAWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MBTEXT40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MCLOCUSR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MGCANS32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MJ3216.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MLCAT32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MPNETOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MTSIP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\mvdxmlc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ngwdmcpl.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\NTNDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ONEACC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\OOFIL400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\pycrt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RBSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RDGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\rhboex32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RJGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SDVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SXI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SXVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\VAAME.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\VM5DB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WCBVW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WT2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WY2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WYWIZDLL.DLL
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/EnhSrch No disinfected C:\WINDOWS\dsr.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccK.exe
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccess.exe
Thanks! John.
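An added example, not part of John's post and not code from HijackThis itself: a small Python triage pass over a log in the format above. It parses the Rn/On entries and flags the ones a helper looks at first (HOSTS entries other than localhost, BHOs and toolbars whose module sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, Run commands given without a path, Trusted Zone additions, ActiveX controls pulled over plain HTTP). The flagging rules, the Windows 9x directory layout and the sample log with its example.com hosts and placeholder CLSID are this example's own assumptions. A flag means "check this", not "malicious": the legitimate MSDXM.OCX Radio toolbar in the log above would be flagged by the same rule that catches a Look2Me DLL in SYSTEM.

```python
"""Triage a HijackThis 1.99.x log: parse the Rn/On entries and flag the ones a
reviewer checks first. The flagging rules below are this example's own
heuristics, not anything HijackThis does itself."""
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis 1.99.1 log format shown in the thread;
# hostnames and the BHO CLSID are placeholders, not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.1.12 labor.example.com
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\SYSTEM\MJ3216.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: *.example.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://labor.example.com/cab/smsx.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")
# Windows 9x layout assumed (C:\WINDOWS and C:\WINDOWS\SYSTEM); Look2Me-style
# adware drops random-named DLLs there and registers them as COM objects.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system"}


@dataclass
class Finding:
    code: str
    reasons: list
    line: str


def parse_entries(log_text):
    """Return (code, body, line) for every 'Rn - ...' / 'On - ...' entry."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), raw.strip()))
    return entries


def _module_path(body):
    # O2/O3 bodies end with ' - <module path>'.
    return body.rsplit(" - ", 1)[-1].strip()


def _in_windows_dir(path):
    directory = path.lower().rpartition("\\")[0]
    return directory in WINDOWS_DIRS


def _run_executable(body):
    # 'HKLM\..\Run: [Name] command args' -> first token of the command;
    # Startup-folder entries ('Startup: x.lnk = ...') have no '] ' and yield ''.
    cmd = body.partition("] ")[2].strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Apply the heuristics; one Finding per flagged entry, in log order."""
    findings = []
    for code, body, line in parse_entries(log_text):
        reasons = []
        if code == "O1":
            m = HOSTS_RE.match(body)
            if m and not (m.group("ip") == "127.0.0.1" and m.group("host") == "localhost"):
                reasons.append(f"HOSTS override: {m.group('host')} -> {m.group('ip')}")
        elif code in ("O2", "O3"):
            if "(no name)" in body:
                reasons.append("unnamed BHO/toolbar")
            if _in_windows_dir(_module_path(body)):
                reasons.append("module loaded from the Windows directory; verify it")
        elif code == "O4":
            exe = _run_executable(body)
            if exe and "\\" not in exe:
                reasons.append(f"unqualified command '{exe}' resolved via PATH search")
        elif code == "O15":
            reasons.append("site added to the IE Trusted Zone")
        elif code == "O16":
            if body.lower().rsplit(" - ", 1)[-1].startswith("http://"):
                reasons.append("ActiveX control installed from a plain-HTTP URL")
        if reasons:
            findings.append(Finding(code, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.code, "|", "; ".join(f.reasons), "|", f.line)
```

Run it against a saved log by passing the file's text to triage(); the O4 rule deliberately fires on bare names like SysTray.Exe because a malicious file of the same name earlier on the PATH would win that lookup, which is why the full path is worth confirming.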

#23 don77 (Malware Expert, Retired Staff, 18,526 posts)
Much better, John.
Could you run the L2M fix again, the same way you did earlier, please?

Also,
Download dsrfix

Save it to your desktop.
Double-Click on dsrfix.bat
A window will pop up briefly then close, this is normal.

Next,
*Please open Notepad and save these instructions. Name it something you will remember.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM\Tools\Restart.exe
C:\WINDOWS\SYSTEM\Shex.exe
C:\WINDOWS\SYSTEM\Lqonardo da Vinci.dll
C:\WINDOWS\SYSTEM\pgdhuf.exe
C:\WINDOWS\TEMP\pav9320.TMP
C:\WINDOWS\TEMP\pavB0E3.TMP
C:\WINDOWS\Application Data\Sskknwrd.dll
C:\WINDOWS\dsr.dll
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\cfgmgr52.ini
C:\Program Files\Media Access\MediaAccC.dll
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Your computer should restart on its own; if not, please restart manually.

Run ActiveScan for me again, please.
When done,
post back the log from ActiveScan, the log.txt from the L2M fix,
and a fresh HJT log please.

Edited by don77, 27 August 2005 - 04:18 PM.

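An added example, not from don77's post: a Python pass over an ActiveScan listing in the "Incident Status Location" layout that builds the Killbox paste list the way the post does, keeping the live hits and dropping the ones that are only copies held by cleanup tools (the l2m9xfix backups folder, the HijackThis backups folder, Spybot's Dummies placeholder files). The status text "No disinfected", the quarantine folder names and the sample listing are assumptions taken from the listings in this thread; a real listing may carry other status values.

```python
"""Turn an ActiveScan 'Incident Status Location' listing into a Killbox paste
list, leaving alone hits that are only backup/quarantine copies. Status
vocabulary and quarantine-folder names are assumptions drawn from this thread."""
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the layout ActiveScan printed in the thread.
SAMPLE_SCAN = r"""Incident Status Location

Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\hsknzspf.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ATDENC32.DLL
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/PurityScan No disinfected C:\PERSONAL_DATA\HijackThis\backups\backup-20050821-150132-971.dll
Security Risk:Application/Restart No disinfected C:\WINDOWS\TEMP\pav9320.TMP
"""

# The category may contain spaces ('Security Risk'); the threat name does not;
# the location is the first drive-letter path on the line.
HIT_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+(?P<status>.+?)\s+(?P<location>[A-Za-z]:\\.*)$"
)
# Folders whose contents are copies kept by cleanup tools, not live infections
# (assumed from the l2m9xfix, HijackThis and Spybot paths seen in the thread).
QUARANTINE_DIRS = {"backups", "dummies"}


def parse_scan(text):
    """One dict per incident line: category, name, status, location."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def is_quarantined(location):
    """True when any parent folder of the path is a known backup/dummy folder."""
    parents = PureWindowsPath(location).parts[:-1]
    return any(p.lower() in QUARANTINE_DIRS for p in parents)


def killbox_list(text):
    """Live, undisinfected hits as clean one-per-line paths for Killbox."""
    return [
        h["location"]
        for h in parse_scan(text)
        if h["status"] == "No disinfected" and not is_quarantined(h["location"])
    ]


def quarantined_hits(text):
    """The hits that were left out of the Killbox list, for the reply to the user."""
    return [h["location"] for h in parse_scan(text) if is_quarantined(h["location"])]


if __name__ == "__main__":
    # Paths are printed without leading whitespace; the list is pasted verbatim.
    print("\n".join(killbox_list(SAMPLE_SCAN)))
```

The quarantined hits are reported separately rather than silently dropped, so the reply can say why the scanner still lists them; once the machine is confirmed clean the backup folders themselves can be removed and those detections disappear with them.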

#24 motomem (Member, Topic Starter, 15 posts)
Ok, the steps were completed. I verified that the files were deleted (killbox).

Here is the ActiveScan log:


Incident Status Location

Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\hsknzspf.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ATDENC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\BHVPD95A.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\BYACKBOX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\DNDRAMP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\FFPWPP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\GKU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\IXSETUP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\jisd400.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lhbas09.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lldxf13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lxdrw13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lxfpx7.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MAWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MBTEXT40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MCLOCUSR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MGCANS32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MJ3216.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MLCAT32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MPNETOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MTSIP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\mvdxmlc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ngwdmcpl.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\NTNDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ONEACC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\OOFIL400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\pycrt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RBSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RDGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\rhboex32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RJGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SDVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SXI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SXVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\VAAME.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\VM5DB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WCBVW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WT2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WY2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WYWIZDLL.DLL
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/PurityScan No disinfected C:\PERSONAL_DATA\HijackThis\backups\backup-20050821-150132-971.dll

= = = = = = = = = = = = = = = = = = = = = =
Here is the log from l2m9xfix:

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix

************

Files found:

C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll
C:\WINDOWS\system\Lqonardo da Vinci.dll

************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

= = = = = = = = = = = = = = = = = = = = =
Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:42 PM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\GENERIC\6-IN-1 USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INFOGRAMES\ATARI ANNIVERSARY EDITION\VOLUME 2\ATARI ICON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\LOTUS\WORDPRO\LTSSTART.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PERSONAL_DATA\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.smokeybones.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://labor.darden.com/cab/smsx.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


Still no popups!! If there's anything else I can delete please let me know.
Thanks!! John

#25 don77 (Malware Expert, Retired Staff, 18,526 posts)
Great news John!

A couple more to clean up,
*Please open Notepad and save these instructions. Name it something you will remember.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM\hsknzspf.dll
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\system\Lqonardo da Vinci.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Run another scan with ActiveScan and post back what it finds.

#26 motomem (Member, Topic Starter, 15 posts)
Ok, those files deleted.

Here's an ActiveScan:


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ATDENC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\BHVPD95A.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\BYACKBOX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\CORDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\DNDRAMP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\FFPWPP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\GKU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\IXSETUP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\jisd400.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lhbas09.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lldxf13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lxdrw13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\lxfpx7.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MAWSTR10.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MBTEXT40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MCLOCUSR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MGCANS32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MJ3216.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MLCAT32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MPNETOBJ.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\MTSIP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\mvdxmlc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ngwdmcpl.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\NTNDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\ONEACC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\OOFIL400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\pycrt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RBSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RDGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\rhboex32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\RJGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SDVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SXI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\SXVID.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\VAAME.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\VM5DB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WCBVW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WT2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WY2THK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Desktop\l2m9xfix\l2m9xfix\backups\WYWIZDLL.DLL
Adware:Adware/PurityScan No disinfected C:\PERSONAL_DATA\HijackThis\backups\backup-20050821-150132-971.dll
Thanks, John

#27 don77 (Malware Expert, Retired Staff, 18,526 posts)
Perfect, the only thing it is finding now is the backups made by the L2Mfix.
Nice job, your log is clean!
How is it running?
Please use the following suggestions to help prevent reinfection.

First Off,
*Be sure and reset your hidden Files and Folders*

Download the following program for keeping crap off your system to begin with.
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-Aware and Spybot 1.3 handy. Check them for updates prior to running, and run them weekly.
Same with your antivirus.

For an added check, run an online virus scan; you can use one of the 2 below:
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle Bin as well.
For ease, use the following program:
Download and install Cleanup
Run "Cleanup" and when it has finished, reboot.

Remember to check Windows for updates.

#28 motomem (Member, Topic Starter, 15 posts)
The machine has been running fine. No popups.
Thanks for all the help. Great job!!

Yes, I will now run several things weekly to help keep the machine clean.

John

#29 don77 (Malware Expert, Retired Staff, 18,526 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





