Winfixer 2005, www.searc-h.com and e.rn11.com pops [RESOLVED]


  • This topic is locked

#46
Chris V (Topic Starter, Member, 44 posts)
I'm getting this error every time I try to use the online scanner:
"Kaspersky Anti-Virus database is damaged. Please restart Kaspersky On-line Scanner."

I've restarted it many times and keep getting the same message.

Btw, I've uninstalled all my other antivirus programs; I'm just sticking with AVG.

Edited by Chris V, 28 September 2005 - 11:31 PM.




#47
Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
What version of Norton were you using? There are several services remaining from both Norton and Avast that we will have to get rid of; those may be contributing to the slowness.

Let's try a few things and then try both Panda and Kaspersky again and see if they work.

Copy the text in the box below to Notepad. In Notepad go to File > Save As.
In the dropdown box at the bottom choose "All Files", name it Fixie.reg and save it on your desktop. Then double-click on Fixie.reg to merge it with the registry.

REGEDIT4 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search] 
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" 
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" 
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://g.msn.com/0SEENUS/SAOS01"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl] 
""="http://home.microsoft.com/access/autosearch.asp?p=%s" 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main] 
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="" 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"NavigationFailure"="res://shdoclc.dll/navcancl.htm"
"DesktopItemNavigationFailure"="res://shdoclc.dll/navcancl.htm"
"NavigationCanceled"="res://shdoclc.dll/navcancl.htm"
"OfflineInformation"="res://shdoclc.dll/offcancl.htm"
"Home"=dword:0000010e
"blank"="res://mshtml.dll/blank.htm"
"PostNotCached"="res://mshtml.dll/repost.htm"
"mozilla"="res://mshtml.dll/about.moz"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window_Placement"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=-

In IE go to Tools>Reset Web Settings

Next, download the Hoster here.

Unzip Hoster to your desktop.

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click Back up Host files.
  • Then click Restore original host files.
  • Close the program.
After that, try the scans again and see if they work.
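Added example, not part of the original thread and not code from Armodeluxe or from any tool named in it: a parser for the REGEDIT4 format that Fixie.reg above uses. It turns a .reg file into a plan (keys deleted with [-KEY], values set, values removed with "name"=-) and then checks every URL-valued string against a trusted-host list, which is the check to run on an export of the same keys before and after merging the fix. The abridged copy of Fixie.reg embedded below is taken from the post; the "hijacked" export is constructed (the hostname is the one from the thread title, the path is made up), and the trusted-domain list is an assumption, not something the post states.

```python
"""Parse a REGEDIT4 .reg file into a change plan and check search URLs against trusted hosts."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Abridged copy of the Fixie.reg posted above (same syntax, fewer sections).
FIXIE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window_Placement"=-
'''

# Constructed sample: what an export of the same key can look like after a search
# hijack (hostname from the thread title; the path and the dword are made up).
HIJACKED_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.searc-h.com/search.php?q=%s"
"Use Custom Search URL"=dword:00000001
'''

@dataclass
class RegPlan:
    deleted_keys: list = field(default_factory=list)    # keys written as [-KEY]
    set_values: list = field(default_factory=list)      # (key, name, type, data)
    deleted_values: list = field(default_factory=list)  # (key, name) written as "name"=-

# "name"=data or @=data; the name may contain escaped quotes and backslashes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Return a RegPlan describing what regedit would do when merging `text`."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('expected a REGEDIT4 header on the first line')
    plan, key = RegPlan(), None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            if not line.endswith(']'):
                raise ValueError('bad key line: ' + line)
            body = line[1:-1]
            if body.startswith('-'):          # [-KEY] deletes the whole subtree
                plan.deleted_keys.append(body[1:])
                key = None
            else:
                key = body
            continue
        if key is None:
            raise ValueError('value line outside any key: ' + line)
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError('unparseable value line: ' + line)
        name = '(Default)' if m.group(2) else _unescape(m.group(1))
        data = m.group(3).strip()
        if data == '-':                       # "name"=- deletes the value
            plan.deleted_values.append((key, name))
        elif data.startswith('dword:'):
            plan.set_values.append((key, name, 'REG_DWORD', int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            plan.set_values.append((key, name, 'REG_SZ', _unescape(data[1:-1])))
        else:
            raise ValueError('unsupported data format: ' + data)
    return plan

def foreign_urls(plan, trusted=('microsoft.com', 'msn.com')):
    """(key, name, url) for every string value that is a URL on a host outside `trusted`."""
    hits = []
    for key, name, kind, data in plan.set_values:
        if kind != 'REG_SZ':
            continue
        host = (urlparse(data).hostname or '').lower()
        if not host:                          # "" or a bare prefix such as "http://"
            continue
        if not any(host == d or host.endswith('.' + d) for d in trusted):
            hits.append((key, name, data))
    return hits

if __name__ == '__main__':
    fix = parse_reg(FIXIE_REG)
    print(f'{len(fix.deleted_keys)} key(s) deleted, {len(fix.set_values)} value(s) set, '
          f'{len(fix.deleted_values)} value(s) removed; foreign URLs: {foreign_urls(fix)}')
    print('hijacked export ->', foreign_urls(parse_reg(HIJACKED_REG)))
```

The parser accepts the stray space in "Use Custom Search URL"= dword:00000000 exactly as posted; it only handles the string and dword forms that Fixie.reg uses, and refuses anything else rather than guessing.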

#48
Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Hi Chris, sorry for the double post, but

could you please go to the l2mfix folder, find backup.zip and email it to

submitATatribune.org (replace AT with @, we don't post complete emails on boards to avoid spambots)

In the body of the email put a link to this thread (copy/paste from the address bar).

Thanks

Armodeluxe

#49
Chris V (Topic Starter, Member, 44 posts)
Logfile of HijackThis v1.99.1
Scan saved at 11:00:25 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
D:\Program Files\D-Tools\daemon.exe
D:\Anti-Trojan-55\ATWatch.exe
C:\WINDOWS\kdx\KHost.exe
D:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sonique\sqstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
C:\Program Files\sony\giga pocket\reservemodule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AT-Watch] D:\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OpenMG Jukebox Startup.lnk = D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1016963870078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#50
Chris V (Topic Starter, Member, 44 posts)
ActiveScan Report:

Incident Status Location

Adware:adware/alwaysupdatednews No disinfected C:\WINDOWS\SYSTEM32\Free LapTop Computer.ico
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/isearch No disinfected C:\WINDOWS\deskbar.ini
Adware:adware/gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini
Adware:adware/wintools No disinfected C:\PROGRAM FILES\COMMON FILES\BTLINK
Adware:adware/cws No disinfected C:\Documents and Settings\user\Favorites\-Autos-
Adware:adware/ilookup No disinfected C:\Documents and Settings\user\Favorites\Gambling
Spyware:spyware/omi No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\!Submit\o2840clqefqe0.dll
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dent size trust iso\01 name.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dent size trust iso\active byte.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dent size trust iso\OneJunk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dent size trust iso\Rdrabout.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\dent size trust iso\Road Frag.exe
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\user\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-4f44b20e.zip[InstallerApplet.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\user\.jpi_cache\jar\1.0\loaderadv68.jar-158e9e01-7a58d5eb.zip[Matrix.class]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[aza00ahmed4a0.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[azam0191e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[csl3d32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[d40m0ed1eh0.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dcime.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dhsshlex.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dn4801hue.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dn6001jme.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dnjq0115e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dnr6019se.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dnrm0191e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dpnput8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[dpvxdec_0407.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[e602lgdo160c.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ejentprf.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[fp0003dme.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[fp0403dqe.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[fpj4031qe.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[g0400ahmed4a0.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[g204lcdq1f0e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[gpjul3191.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[gpnql3551.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[hbetmon.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[hr4605hse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ialm5.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[iqlm5.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ir0ul5d91.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ir84l5lq1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[irj4l51q1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ivclass.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[j04o0ah3ed4.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[k4620ejoehoc0.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[kpd101c.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ktj0l71m1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ktl6l73s1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ktnol7531.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[kvdtuf.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[l6n40g5qe6.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[lvn6095se.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[LZDIS10N.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mboert2.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[MFrev41.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mri.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mscshext.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mv8ol9l31.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mvl0l93m1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mvl6l93s1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mvxml2r.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[mzidle.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[n0l80a3ued.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[n44sleh71h4.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[ngcpl.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[nhtapi32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[nnwddi(2).dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[o4ns0e57eh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[o4pqle751h.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[o6lu0g39e6.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[o8lu0i39e8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[o8roli9318.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[p04ulah91d4.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[pgwma.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[PLIKey.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[r46ulej91ho.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rcr20.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rDsppp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rHsdlg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rkhx32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rLsauto.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rLsdlg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rpgsvc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[rwgwizc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[sCfrslv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[sdftpub.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[SG2EVNT1.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[sgsvc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[siprv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[spmpsnap.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[THI-SonyOMG.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[tPpi3.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[unl.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[VWBLOCK.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[wadmtpus.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[guard.tmp]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[nbtrap.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[__delete_on_reboot__lxica10N.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\user\Desktop\l2mfix\backup.zip[__delete_on_reboot__guard.tmp]
Adware:Adware/ISearch No disinfected C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar[isearch.js]
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\t55pxkfo\0ad4qp42.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biK.inf
Virus:Trj/Downloader.L Disinfected C:\WINDOWS\inf\susp.inf
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20011230-042411.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20011231-004823.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20011231-004836.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20011231-012832.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20011231-012834.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20020312-225001.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20020312-230536.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20020314-041810.backup
Spyware:Spyware/Omi No disinfected C:\WINDOWS\system32\msfdje.gif
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\msglji.gif
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\system32\mshhem.dll
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking v123.cpl
Virus:Trj/SubSearch.B Disinfected C:\WINDOWS\system32\sub2_1C.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\W?nSxS\cmd.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Xcite.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\__delete_on_reboot__wS2time.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\tqq.exe
Adware:Adware/nCase No disinfected J:\WINDOWS\TEMP\EACDownload\webcelerator_setup-rng.exe[msbb.exe]
Adware:Adware/eZula No disinfected J:\WINDOWS\TEMP\EACDownload\webcelerator_setup-rng.exe[TTstub.exe]
Adware:Adware/DownloadWare No disinfected J:\WINDOWS\Downloaded Program Files\ActiveInstall2.inf
Dialer:Dialer.BCA No disinfected J:\Program Files\GIB\dropcharge.exe
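Added example, not from the original thread and not code from Panda or from the Hoster tool: what the hosts-file step in post #47 is protecting against. The Trj/Qhost.Y detections above sit in old hosts-file backups, and the Hoster step restores a clean copy before the online scanners are retried. The audit below flags three things in a hosts file: localhost not pointing at loopback, security-vendor or Windows Update names overridden, and names redirected to a non-loopback address. The sample hosts file is constructed for the example (the vendor names are real, the mappings are made up), and the protected-domain list is an assumption, not a list from any tool in the thread.

```python
"""Audit a Windows hosts file for the kind of tampering the Qhost family performs."""
import ipaddress

# Constructed sample: the stock loopback line plus entries of the kind a hosts-hijacking
# trojan adds (vendor names are real, the mappings are made up for this example).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com   # blocks the vendor's site
127.0.0.1       kaspersky.com
0.0.0.0         pandasoftware.com
127.0.0.1       windowsupdate.microsoft.com
10.0.0.5        search.msn.com      # redirects a search portal elsewhere
127.0.0.1       intranet.example    # harmless local override, not flagged
"""

# Assumed list: names whose presence in hosts almost always means an infection is
# trying to blind the defender (AV/anti-spyware vendors and Windows Update).
PROTECTED_SUFFIXES = (
    'kaspersky.com', 'pandasoftware.com', 'grisoft.com', 'symantec.com',
    'sophos.com', 'mcafee.com', 'trendmicro.com', 'ewido.net',
    'windowsupdate.com', 'windowsupdate.microsoft.com', 'update.microsoft.com',
)

def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every non-comment entry; malformed lines are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if len(parts) > 1:
            entries.append((no, ip, [h.lower() for h in parts[1:]]))
    return entries

def _protected(host):
    return any(host == s or host.endswith('.' + s) for s in PROTECTED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, reason, hostname) findings; an untouched stock file returns []."""
    findings = []
    for no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host == 'localhost':
                if not ip.is_loopback:
                    findings.append((no, 'localhost not loopback', host))
            elif _protected(host):
                # 127.0.0.1 and 0.0.0.0 both blackhole the name; either is a finding here
                findings.append((no, 'security vendor / update host overridden', host))
            elif not (ip.is_loopback or ip.is_unspecified):
                findings.append((no, 'name redirected to a non-loopback address', host))
    return findings

if __name__ == '__main__':
    for line_no, reason, host in audit_hosts(SAMPLE_HOSTS):
        print(f'line {line_no}: {reason}: {host}')
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts (and against any hosts.*.backup copies next to it) by reading the file into audit_hosts; an empty result means the file only contains loopback entries for local names.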

#51
Chris V (Topic Starter, Member, 44 posts)
About the email: my backup.zip file was 18 MB, and since my Hotmail account can only attach 10 MB files, I had to upload it to www.yousendit.com. So in the body you will find the link to this thread and the download link for my backup.zip from yousendit.

#52
Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Hi Chris,

Thanks for sending the files. They go to the developers of the look2mefix tool so that they can update it.

Let's clean up what Panda found.

In IE go to Favorites and delete these entries:

Autos
Gambling


Go to Control Panel > Add/Remove Programs and uninstall if found:

BTLINK
GIB (do you know what this is? If it's not a program you use, uninstall it if found.)

Then delete these folders:

C:\PROGRAM FILES\COMMON FILES\BTLINK
J:\Program Files\GIB (same as above applies to this folder)

Open My Computer

Right click on drive C: and choose Properties. Under General you'll see the Disk Cleanup button. Use it to clean:

Temporary Files
Temporary Internet Files
Recycle Bin
Downloaded Program Files


Repeat the same for drive J:

Next, let's update your java and empty the cache.

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Next,download and unzip to one folder:
http://metallica.gee...com/findlop.zip

Inside the folder find findlop.bat

Double-click it and it will create the file C:\findlop.txt.
Find that file and copy the content into your next post.

After that, Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

Finally,

1) Please run Killbox.

2) Select "Delete on Reboot".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\Free LapTop Computer.ico
C:\WINDOWS\SYSTEM32\winupdt.008
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\deskbar.ini
C:\WINDOWS\GatorHDPlugin.log-old.log
C:\WINDOWS\GatorHDPlugin.log
C:\WINDOWS\usta33.ini
C:\Documents and Settings\All Users\Application Data\dent size trust iso
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar[isearch.js]
C:\Program Files\t55pxkfo\0ad4qp42.DLL
C:\WINDOWS\inf\biK.inf
C:\WINDOWS\system32\msfdje.gif
C:\WINDOWS\system32\msglji.gif
C:\WINDOWS\system32\mshhem.dll
C:\WINDOWS\system32\P2P Networking v123.cpl
C:\WINDOWS\system32\W?nSxS
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\system32\__delete_on_reboot__wS2time.dll
C:\WINDOWS\tqq.exe
J:\Program Files\GIB\dropcharge.exe



4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. Reboot and post the Findlop and Rootkitrevealer logs.

#53 Chris V (Topic Starter, Member, 44 posts)
Did everything except for the Java and empty-the-cache part; it seems like I don't have that icon or anything related to Java in the Control Panel. I was looking for it, but there wasn't anything.


Here is the Findlop log:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '8BFEB43F89E12043.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\user\applic~1\logboo~1\love close keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/12/2002 21:00:00
NextRun: 10/01/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/01/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'FD769F7EDE891282.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\logboo~1\love close keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/20/2001 1:00:00
NextRun: 10/01/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/17/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/30/2005 23:53:00
NextRun: 10/01/2005 3:53:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/01/2005
EndDate: 00/00/0000
StartTime: 03:53
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
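A defender's reader for the findlop output above (an added example, not code from the thread or from the findlop tool itself): it parses each job block, flags the properties that separate the two lop jobs from the Symantec one, and checks a second run to see whether the flagged jobs are gone, which is what the helper does between posts. The heuristics and the abbreviated sample log are assumptions built from the log as posted.

```python
"""Parse a findlop-style Task Scheduler dump and flag jobs worth a second look.

Added example for this thread: a reader for the text findlop prints, not the
tool itself. The heuristics are assumptions drawn from the jobs in the log.
"""
import re
from typing import Dict, List

# Constructed sample, abbreviated from the findlop output posted in the thread.
SAMPLE_LOG = r"""[TRACE] Enumerating jobs and queues
[TRACE] Activating job '8BFEB43F89E12043.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\user\applic~1\logboo~1\love close keep.exe'
Parameters: ''
Creator: 'user'
MaxRunTime: 259200000 (3d 0:00:00)
StartError: 0x80070003
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1
Trigger 0:
Type: Daily
MinutesInterval: 60

[TRACE] Activating job 'FD769F7EDE891282.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\logboo~1\love close keep.exe'
Creator: 'user'
StartError: 0x80070003
Status: SCHED_S_TASK_READY
Hidden = 1
Trigger 0:
Type: Daily
MinutesInterval: 60

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Comment: 'Symantec NetDetect'
Creator: 'user'
StartError: S_OK
Status: SCHED_S_TASK_READY
Hidden = 0
Trigger 0:
Type: Daily
MinutesInterval: 240
"""

# A second run in which only the Symantec job remains (constructed from the
# sample above) to show the before/after comparison.
SAMPLE_AFTER = SAMPLE_LOG[SAMPLE_LOG.index("[TRACE] Activating job 'Symantec"):]

JOB_RE = re.compile(r"^\[TRACE\] Activating job '(.+?)'$")
PROP_RE = re.compile(r"^(\w+):\s*(.*)$")        # "Key: value" lines
FLAG_RE = re.compile(r"^(\w+)\s*=\s*(\d+)$")    # "Flag = 0/1" lines
SHORT_NAME_RE = re.compile(r"~\d+\\")           # 8.3 components such as logboo~1\
PROFILE_RE = re.compile(r"\\(docume~1|documents and settings)\\", re.IGNORECASE)


def parse_findlop(text: str) -> Dict[str, Dict[str, str]]:
    """Map each job name to the properties and flags printed under it."""
    jobs: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            current = jobs.setdefault(m.group(1), {})
            continue
        if current is None or line.startswith("[TRACE]"):
            continue
        m = FLAG_RE.match(line) or PROP_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip("'")
    return jobs


def suspicious_reasons(props: Dict[str, str]) -> List[str]:
    """Heuristic reasons (assumptions, not findlop's own logic) to look closer."""
    reasons = []
    app = props.get("ApplicationName", "")
    if props.get("Hidden") == "1":
        reasons.append("Hidden = 1: not shown in the Scheduled Tasks folder")
    if PROFILE_RE.search(app):
        reasons.append("runs an executable from a user profile directory")
    if SHORT_NAME_RE.search(app):
        reasons.append("registered with 8.3 short-name path components")
    err = props.get("StartError", "S_OK")
    if err != "S_OK":
        # 0x80070003 is HRESULT_FROM_WIN32(ERROR_PATH_NOT_FOUND): the target is
        # missing or unreadable, so the job is dangling and worth cleaning up.
        reasons.append(f"last start failed with {err}")
    return reasons


def find_suspicious_jobs(text: str) -> Dict[str, List[str]]:
    """Return only the jobs that have at least one reason attached."""
    return {name: r for name, p in parse_findlop(text).items() if (r := suspicious_reasons(p))}


def still_present(before: str, after: str) -> List[str]:
    """Flagged jobs from the first run that a second findlop run still lists."""
    flagged = find_suspicious_jobs(before)
    after_jobs = parse_findlop(after)
    return sorted(name for name in flagged if name in after_jobs)


if __name__ == "__main__":
    for name, reasons in find_suspicious_jobs(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
    print("still present after cleanup:", still_present(SAMPLE_LOG, SAMPLE_AFTER))
```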

#54 Chris V (Topic Starter, Member, 44 posts)
Here is the rootkit log:

HKLM\SOFTWARE\Classes\webcal\URL Protocol 1/3/2002 12:22 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\ 3/16/2002 1:14 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\user\Application Data\Aim\wowqnjed\metalslug5000\urlcache\aim5.tmp 10/1/2005 3:30 AM 344 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temp\AIM4.tmp.arf 10/1/2005 3:30 AM 5.39 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\01[1].gif 10/1/2005 3:30 AM 237 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\02[1].gif 10/1/2005 3:30 AM 142 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\1.main[2].js 10/1/2005 3:30 AM 3.74 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\433af2df-0023f-01867-41d3a398[1].jpg 10/1/2005 3:30 AM 30.68 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\433af44f-0024f-01867-41d3a398[1].jpg 10/1/2005 3:30 AM 21.77 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\433af5c2-00284-01867-41d3a398[1].jpg 10/1/2005 3:30 AM 30.63 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\433d7522-00349-01867-41d3a398[1].jpg 10/1/2005 3:30 AM 28.02 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\adsWrapper[1].js 10/1/2005 3:30 AM 6.57 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\AIM_UAC[1].htm 10/1/2005 3:30 AM 2.29 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\click%3Bh=v5_3304_3_0_%2a_h%3B20485411%3B0-0%3B1%3B11774063%3B4307-300_250%3B12139275_12157171_1%3B%3B%7Esscs%3D%3f;ord=2906328[1] 10/1/2005 3:30 AM 4.48 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\ctrt=4[1] 10/1/2005 3:30 AM 549 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\dirmod_bg_am[1].gif 10/1/2005 3:30 AM 6.64 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\hdr_bullet_green[1].gif 10/1/2005 3:30 AM 51 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\nav_lft[1].gif 10/1/2005 3:30 AM 183 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\omniuni[1].js 10/1/2005 3:30 AM 19.73 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\optn=1[1].gif 10/1/2005 3:30 AM 5.65 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\reskin[2].css 10/1/2005 3:30 AM 6.36 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\rs_closer[1].gif 10/1/2005 3:30 AM 79 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\sb[2].js 10/1/2005 3:30 AM 7.68 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\200509300600_promo_hlm1_i1_2_0[1].jpg 10/1/2005 3:30 AM 25.41 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\200509300600_tabs_hlm2_i1_1_0[1].jpg 10/1/2005 3:30 AM 3.85 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\CAWHYL9E.swf 10/1/2005 3:30 AM 13.97 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\Com_Mess;MN=93189870;wm=o;edu=0;ug=1;ind=0;sz=120x90;tile=1;dcove=d;ord=733733912[1] 10/1/2005 3:30 AM 491 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\flash[1].xml 10/1/2005 3:30 AM 2.37 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\hdr_bullet[1].gif 10/1/2005 3:30 AM 51 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\id2[1].gif 10/1/2005 3:30 AM 2.02 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\mail_over2[1].gif 10/1/2005 3:30 AM 1.22 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\nav_bg[1].gif 10/1/2005 3:30 AM 157 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\nav_rgt2[1].gif 10/1/2005 3:30 AM 49 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\rs[2].css 10/1/2005 3:30 AM 1.21 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\rs_gradient[1].gif 10/1/2005 3:30 AM 122 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\tab_bullet_am[1].gif 10/1/2005 3:30 AM 53 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\200509300600_promo_hlm1_i1_1_0[1].gif 10/1/2005 3:30 AM 3.32 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\200509300600_tabs_hlm3_i1_1_0[1].jpg 10/1/2005 3:30 AM 9.24 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\200509300600_tabs_hlm4_i1_1_1[1].jpg 10/1/2005 3:30 AM 45.19 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\200509300902_tabs_hlm1_i1_1_0[1].jpg 10/1/2005 3:30 AM 37.50 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\433af49c-00320-01867-41d3a398[1].jpg 10/1/2005 3:30 AM 28.64 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\adsEnd[1].js 10/1/2005 3:30 AM 1.57 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\adsWrapperAIM[1].js 10/1/2005 3:30 AM 1.61 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\aimtoday[1].htm 10/1/2005 3:30 AM 38.23 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\aol[4].htm 10/1/2005 3:30 AM 165 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\bg[1].gif 10/1/2005 3:30 AM 2.78 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\CAYJAFMX.swf 10/1/2005 3:30 AM 28.67 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\infobar_lft[1].gif 10/1/2005 3:30 AM 199 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\mail_icon2[1].gif 10/1/2005 3:30 AM 1.34 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\main_triton[2].css 10/1/2005 3:30 AM 17.85 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\nav_bg_base[1].gif 10/1/2005 3:30 AM 46 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\nav_bg_rollover[1].gif 10/1/2005 3:30 AM 157 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\stream1[1].swf 10/1/2005 3:30 AM 136.32 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z\style[2].css 10/1/2005 3:30 AM 2.16 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OXQZC1MN\search[1].: 3/20/2002 10:32 PM 10.25 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\SDANS5UZ\search[1].: 1/22/2003 2:57 AM 17.79 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\200509300751_tabs_hlm5_i1_1_0[1].jpg 10/1/2005 3:30 AM 14.53 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\a[1].gif 10/1/2005 3:30 AM 43 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\AIM_text[1].htm 10/1/2005 3:31 AM 1.90 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\crossdomain[1].xml 10/1/2005 3:30 AM 559 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\detect[1].swf 10/1/2005 3:30 AM 133 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\downarrow[1].gif 10/1/2005 3:30 AM 58 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\gradient[1].gif 10/1/2005 3:30 AM 86 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\infobar_bg[1].gif 10/1/2005 3:30 AM 164 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\nav_div[1].gif 10/1/2005 3:30 AM 205 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\nav_rgt3[1].gif 10/1/2005 3:30 AM 158 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\rs[2].js 10/1/2005 3:30 AM 5.69 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\Site_WS;MN=93211700;wm=o;!c=d-pnd;!c=d-pps;dcopt=ist;sz=300x250;tile=1;dcove=d;ord=733735256[1] 10/1/2005 3:30 AM 315 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7\tab_bullet_sel_am[1].gif 10/1/2005 3:30 AM 53 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ZB9F7LKK\US[1].: 3/7/2002 12:03 PM 108.71 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 10/1/2005 3:25 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
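A triage pass over the RootkitRevealer output above (an added example, not part of the thread or of the Sysinternals tool): it splits each line into path, timestamp, size and discrepancy, separates registry entries from files, and groups the files hidden from the Windows API by folder, which yields the kind of folder list the next reply works from. The sample lines are a constructed subset of the log as posted.

```python
"""Group RootkitRevealer discrepancies so a long log reads as a short list.

Added example for this thread; it only reads the text RootkitRevealer prints.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed subset of the log posted above, in RootkitRevealer's line format:
# <path> <date> <time> <size> <discrepancy>
SAMPLE_RKR = r"""HKLM\SOFTWARE\Classes\webcal\URL Protocol 1/3/2002 12:22 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\ 3/16/2002 1:14 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\user\Application Data\Aim\wowqnjed\metalslug5000\urlcache\aim5.tmp 10/1/2005 3:30 AM 344 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temp\AIM4.tmp.arf 10/1/2005 3:30 AM 5.39 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\01[1].gif 10/1/2005 3:30 AM 237 bytes Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J\omniuni[1].js 10/1/2005 3:30 AM 19.73 KB Hidden from Windows API.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5\rs[2].css 10/1/2005 3:30 AM 1.21 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 10/1/2005 3:25 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
"""

# The path may contain spaces, so anchor on the date/time/size that follow it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) "
    r"(?P<what>.+)$"
)
HIVE_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKCC\\")


def parse_rkr(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed log line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_registry(path: str) -> bool:
    return path.upper().startswith(HIVE_PREFIXES)


def triage(text: str) -> Tuple[Counter, List[str], List[str]]:
    """Split entries into (hidden files per parent folder, registry paths, other).

    'Hidden from Windows API' files are counted per folder because that is the
    level at which they get reviewed or removed; registry discrepancies and
    entries such as 'Visible in Windows API, but not in MFT' (typically a file
    being written while the scan ran) are reported separately.
    """
    hidden_by_folder: Counter = Counter()
    registry: List[str] = []
    other: List[str] = []
    for e in parse_rkr(text):
        if is_registry(e["path"]):
            registry.append(e["path"])
        elif e["what"].startswith("Hidden from Windows API"):
            hidden_by_folder[e["path"].rsplit("\\", 1)[0]] += 1
        else:
            other.append(e["path"])
    return hidden_by_folder, registry, other


def folders_to_review(text: str) -> List[str]:
    """Sorted folders holding at least one file hidden from the Windows API."""
    return sorted(triage(text)[0])


if __name__ == "__main__":
    folders, reg, other = triage(SAMPLE_RKR)
    for folder, n in folders.most_common():
        print(f"{n:3d}  {folder}")
    print("registry:", reg)
    print("other:", other)
```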

#55 Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Open Notepad and copy and paste the following into it:

%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h 8BFEB43F89E12043.job
del 8BFEB43F89E12043.job
attrib -r -s -h FD769F7EDE891282.job
del FD769F7EDE891282.job
exit
Save this as remjob.bat, choosing "All Files" as the file type, and place it on your desktop.

Double-click on remjob.bat. A DOS window will open and close again; this is normal.

Afterwards, double-click on findjobs.bat again and paste the content of the text file you get into your next reply.

Now for folders we can't use the paste from clipboard feature of Killbox, so you will have to enter the paths one by one.

[1] Double-click on KillBox.exe.
[2] Click "Delete on Reboot"
[3] Paste this into the top "Full Path of File to Delete" box.

c:\progra~1\logboo~1

[4] Check the "Deltree" box.
[5] Click the "Delete File" button which looks like a stop sign.
[6] Click "Yes" at the Delete on Reboot prompt.
[7] Click "No" at the Pending Operations prompt.
[8] Repeat steps 3-7 above for these folders:

c:\docume~1\user\applic~1\logboo~1
C:\Documents and Settings\user\Application Data\Aim\wowqnjed
C:\Documents and Settings\user\Local Settings\Temp\AIM4.tmp.arf
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0DQ3SH6J
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8NHGMRX5
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\FZ093R4Z
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OXQZC1MN
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\SDANS5UZ
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W92789A7
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ZB9F7LKK


[9] After pasting the last line, click "Yes" at the Replace on Reboot prompt.
[10] Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.

Then manually navigate to:

C:\Documents and Settings\user\jpi_cache and delete the entire contents of the folder (not the folder itself)

Do you have an entry for Java in Add/Remove Programs? If so, what is the latest version number (if there is more than one entry)?

Now, you still didn't tell me what version of Norton you were using. I guess it was Norton Internet Security, but what year?

#56 Chris V (Topic Starter, Member, 44 posts)
No, I do not have an entry for Java in Add/Remove Programs at all; no icon, nothing.

I have, well, used to have Norton AntiVirus 2003; I just uninstalled it recently, like I mentioned. Now I'm running on AVG only.

Here is the findlop log:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '8BFEB43F89E12043.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\user\applic~1\logboo~1\love close keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/12/2002 21:00:00
NextRun: 10/01/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/01/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'FD769F7EDE891282.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\logboo~1\love close keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/20/2001 1:00:00
NextRun: 10/01/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/17/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/30/2005 23:53:00
NextRun: 10/01/2005 3:53:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/01/2005
EndDate: 00/00/0000
StartTime: 03:53
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

#57 Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Oops, lop is still there. Let's try again, this time with a manual delete.

If you by any chance have MessengerPlus 3! installed on your computer, uninstall it from Add/Remove Programs (including the sponsor software, which causes this infection).

Copy these instructions to notepad and save them for use in safe mode.

Boot into safe mode by tapping the F8 key just before Windows starts to load.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Then manually navigate to and delete these folders:

c:\documents and settings\user\application data\logboo~1 <-- this is a Windows abbreviation. The first 6 letters of the folder name will be logboo, and in the folder will be the file love close keep.exe. Delete the folder.

c:\program files\logboo~1 <-- same as above

Open Notepad and copy and paste the following into it:

%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h 8BFEB43F89E12043.job
del 8BFEB43F89E12043.job
attrib -r -s -h FD769F7EDE891282.job
del FD769F7EDE891282.job
exit
Save this as remjob.bat, choosing "All Files" as the file type, and place it on your desktop.

Double-click on remjob.bat. A DOS window will open and close again; this is normal.

Afterwards, double-click on findjobs.bat again and paste the content of the text file you get into your next reply.

Go to Start > Run and type: cmd

In the command window that opens type the following lines hitting the Enter key after each line:

sc stop SNDSrvc
sc delete SNDSrvc
sc stop SymWSC
sc delete SymWSC
exit


Delete the following folders:

C:\Program Files\Norton AntiVirus
C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec

Copy the following text in the box to Notepad. In Notepad go to File > Save As.
Name it Fixnorton.reg, save it as "All Files" and save it to the desktop. Double-click on Fixnorton.reg to merge it with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]

[-HKEY_CURRENT_USER\SOFTWARE\Symantec]

Now set the hidden file settings back by reversing the steps above.

Boot back to normal mode and post a new HijackThis log and Findlop log. Do you have any problems now? How is the computer running?

#58 Chris V (Topic Starter, Member, 44 posts)
Computer is running fine, haven't seen a pop-up =D. Did the media.click.net pop-up get fixed? Just curious because I'm not sure; I may be wrong, but I think I saw one pop up yesterday or Saturday. Again, I'm not really sure, but other than that it's all clear! =D

Logfile of HijackThis v1.99.1
Scan saved at 2:08:54 AM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
D:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
D:\Program Files\D-Tools\daemon.exe
D:\Anti-Trojan-55\ATWatch.exe
C:\WINDOWS\kdx\KHost.exe
D:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sonique\sqstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
C:\Program Files\sony\giga pocket\reservemodule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AT-Watch] D:\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OpenMG Jukebox Startup.lnk = D:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Timer Recording Manager.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1016963870078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\user\LOCALS~1\Temp\KX.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#59
Chris V

    Member

  • Topic Starter
  • Member
  • 44 posts
Lopfind log:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '8BFEB43F89E12043.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\user\applic~1\logboo~1\love close keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/12/2002 21:00:00
NextRun: 10/01/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/01/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'FD769F7EDE891282.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\logboo~1\love close keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/20/2001 1:00:00
NextRun: 10/01/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/17/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'user'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/30/2005 23:53:00
NextRun: 10/01/2005 3:53:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/01/2005
EndDate: 00/00/0000
StartTime: 03:53
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Edited by Chris V, 04 October 2005 - 12:21 AM.


#60
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi Chris

I've never run into difficulty with deleting scheduled tasks before..those tasks are still there..what's strange also is that the next run dates are not changing:

NextRun: 10/01/2005 2:00:00

Are you sure you're not posting the old log?

When you went to delete these folders were they there or were they already gone?

c:\documents and settings\user\application data\logboo~1
c:\program files\logboo~1

Manually go to Start > All Programs > Accessories > System Tools > Scheduled Tasks

Delete the Symantec (Norton) task there.

Then post a new findlop log. If those jobs are still there, I'll try a different method.
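An added example, not from this thread or from any tool mentioned in it: a small parser for the job-properties dump format posted above, which flags the markers the reply is reacting to, namely a random 16-hex-digit job name, a binary under Application Data, Hidden = 1, and StartError 0x80070003 (ERROR_PATH_NOT_FOUND, the task outliving the folder it pointed at). The sample log and the suspect-folder list are constructed for this example.

```python
import re

# Constructed sample in the "job properties" dump format of the log posted above (values made up).
SAMPLE_LOG = r"""
[TRACE] Activating job '8BFEB43F89E12043.job'
ApplicationName: 'c:\docume~1\user\applic~1\logboo~1\love close keep.exe'
StartError: 0x80070003
Hidden = 1

[TRACE] Activating job 'Symantec NetDetect.job'
ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
StartError: S_OK
Hidden = 0
"""

JOB_RE = re.compile(r"Activating job '(?P<name>[^']+)'")
PROP_RE = re.compile(r"^(?P<key>\w+)\s*[:=]\s*(?P<val>.*)$")
# User-writable locations where a scheduled binary is a red flag (8.3 and long forms).
SUSPECT_DIRS = ("\\applic~1\\", "\\application data\\", "\\temp\\", "\\locals~1\\")

def parse_jobs(text):
    """Split a Lopfind-style dump into {job file name: {property: value}}."""
    jobs, current = {}, None
    for line in text.splitlines():
        m = JOB_RE.search(line)
        if m:
            current = jobs.setdefault(m.group("name"), {})
            continue
        m = PROP_RE.match(line.strip())
        if current is not None and m:
            current[m.group("key")] = m.group("val").strip("'")
    return jobs

def flag_suspicious(jobs):
    """Return {job: [reasons]} for entries showing the Lop persistence pattern."""
    findings = {}
    for name, props in jobs.items():
        app = props.get("ApplicationName", "").lower()
        reasons = []
        if re.fullmatch(r"[0-9a-f]{16}\.job", name.lower()):
            reasons.append("random 16-hex-digit job name")
        if any(d in app for d in SUSPECT_DIRS):
            reasons.append("binary under a user-writable folder")
        if props.get("Hidden") == "1":
            reasons.append("hidden task")
        if props.get("StartError", "").lower() == "0x80070003":  # ERROR_PATH_NOT_FOUND
            reasons.append("target no longer exists (orphaned task)")
        if reasons:
            findings[name] = reasons
    return findings
```

Run `flag_suspicious(parse_jobs(SAMPLE_LOG))` on the posted log to get the same two hex-named jobs reported, while the Symantec NetDetect job passes clean.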