Pokapoka78 pokapoka76 pokapoka75 [RESOLVED]



#1
Jakow

    Member

  • Member
  • 14 posts
Since I've installed Windows 2000, I've been having problems with this for a little while.
It's this pokapoka thing, and this bleh.exe process that I can stop and delete, but I cannot totally get rid of it (it keeps coming back).
I believe this has something to do with the problems I've been experiencing with Internet Explorer 6 and Firefox.

I have a logfile for HJT, here it is:

(Updated at bottom)

If you could help, I would GREATLY appreciate it. Thanks :)

thanks
jake

EDIT:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:44 PM, on 10/27/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\msstl.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\taskcntr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\logon.exe
C:\WINNT\System32\algs.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\System32\csrssv.exe
C:\WINNT\loadqm.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\gaexk.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINNT\System32\iexplore.exe
C:\WINNT\System32\znksvc32.exe
C:\WINNT\System32\firewall.exe
C:\pxz.exe
C:\WINNT\System32\IHSVC.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\tool.exe
C:\WINNT\etb\pokapoka78.exe
D:\Downloads\FireFox\firefox.exe
D:\jacob\hijackthis\HijackThis.exe
C:\WINNT\system32\drwtsn32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.clicktoma...rch.com/sp2.php
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\System32\algs.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft DLL Verifier] csrssv.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\System32\explorer.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [c8JOr0AT] C:\WINNT\gaexk.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [Zekio Startups] znksvc32.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\System32\firewall.exe
O4 - HKLM\..\Run: [Windows Automatic Updates] C:\pxz.exe
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [System service78] C:\WINNT\etb\pokapoka78.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKLM\..\RunServices: [Zekio Startups] znksvc32.exe
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.co...006_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINNT\msstl.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\WINNT\ntsys32.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe

Edited by Jakow, 27 October 2005 - 08:47 PM.


#2
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, Jakow.

You have quite a load of malware on there; this may take a few passes to remove.

You may wish to print these instructions out, or save them to notepad.
(Start > Programs > Accessories > Notepad)

Let's start off with a scan at Housecall.

Trend-Micro Housecall Scan
  • Please go HERE to run Housecall.
  • Note: you must use Internet Explorer, other browsers will not work.
  • Under "Scan your PC", please click Scan now. It's free!
  • Select your location and click the Go button.
  • Click the red magnifying glass button.
  • Select Complete Scan.
  • Please be patient while Housecall downloads.
  • Please allow the ActiveX Control and when prompted click install
  • Put a check next to My Computer
  • Leave the following checked:
    • Scan for Spyware
      Check security vulnerabilities
  • Click the Next button.
  • It will download the latest scan engine and pattern files.
  • When the definitions have been downloaded, the scan will start.
  • After it's done scanning it will take you to the summary page.
  • Click the Next button.
  • Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
  • Click the Next button to move onto the recovery (final) portion of the scan.
  • After everything has been removed, please click the show button on everything.
  • Highlight all of the text and press CTRL + C to copy the text.
  • Please post the contents into your next reply.
Also, please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
And finally, please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Please reply with the Kaspersky, Housecall, and Ewido logs. Also, post back a fresh Hijackthis log please.

#3
Jakow

    Member

  • Topic Starter
  • Member
  • 14 posts
OK woah woah woah, gotta tell you now, my computer totally crashed, so I had to get windows 2k again, and I did.
I have pokapoka on it though, and I might get some more as I install... so.. anyways, here's the logfile

UPDATED LOGFILE AT BOTTOM

Thanks!
Oh, and by the way, if I get more problems while I'm trying to fix this one, can I post them here?


edit:

After installing SP4, I got popups and all that bad stuff.
here's the NEW logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:04:19 AM, on 10/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\dcmhelp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\wins\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\csrssv.exe
C:\WINNT\system32\winamp.exe
C:\WINNT\system32\spoolsvc.exe
C:\windows\sp2update00.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\etb\pokapoka78.exe
D:\jacob\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft DLL Verifier] csrssv.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\system32\winamp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [System service78] C:\WINNT\etb\pokapoka78.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ruww] C:\PROGRA~1\COMMON~1\ruww\ruwwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\m6julg1916.dll
O23 - Service: DcomHelper Service (DcomHelper) - Unknown owner - C:\WINNT\dcmhelp.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE

Edited by Jakow, 31 October 2005 - 10:07 AM.


#4
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, Jakow.

Your log is almost as infected as the last one; it looks like you are going down the same road again.

Let's get a Firewall and an Anti-Virus on there asap.

Please download AVG and install it.

Please also download Zonealarm and install it.

Reboot.

You also have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


Post back a fresh Hijackthis log.
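The two HijackThis logs posted above and the VX2 diagnosis in this reply show three patterns a responder looks for in an HJT log: O4 Run entries whose file name is one character away from a core Windows process (scvhost.exe, csrssv.exe, Isass.exe with a capital I), a genuine name launched from the wrong folder (explorer.exe under System32), an O20 Winlogon Notify entry loading a randomly named DLL, and O23 services with an unknown owner outside System32. The script below is an added example written for this thread; it is not part of the thread, not HijackThis, and not L2MFix code. It assumes a short allow-list of core process names (`SYSTEM_PROCESSES`), takes the stock Winlogon Notify DLL names from the L2MFix export posted later in the thread (`KNOWN_NOTIFY_DLLS`), and runs over `SAMPLE_LOG`, which is a selection of lines copied from the logs in this thread. The function names (`triage`, `imitated_process`, `osa_distance`) are this example's own.

```python
# Added example: triage HijackThis O4/O20/O23 lines for the persistence tricks
# seen in this thread (not thread content and not HijackThis code).
import re
from dataclasses import dataclass

# Core Windows 2000 process names that malware imitates (assumption: a short
# allow-list for this demo, not a full inventory of the OS).
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe"}
SYSTEM32 = {r"c:\winnt\system32", r"c:\windows\system32"}
WINDIR = {r"c:\winnt", r"c:\windows"}
EXPECTED_DIR = {n: (WINDIR if n == "explorer.exe" else SYSTEM32) for n in SYSTEM_PROCESSES}
# Stock Winlogon Notify DLLs, as listed in the L2MFix export posted later in the thread.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*)$")
# Characters that get swapped because they look alike (I/l/1, O/0).
CONFUSABLES = str.maketrans("i1o0", "lloo")

# Sample input: lines copied verbatim from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft DLL Verifier] csrssv.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\System32\explorer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\m6julg1916.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NTsystem (System) - Unknown owner - C:\WINNT\ntsys32.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE
"""


@dataclass
class Finding:
    kind: str   # lookalike | wrong-dir | notify-dll | service
    name: str   # lower-cased basename of the executable or DLL
    note: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so scvhost -> svchost counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def imitated_process(name: str):
    """Core process that `name` imitates (at most one edit away after folding
    look-alike characters), or None when the name is genuine or unrelated."""
    name = name.lower()
    if name in SYSTEM_PROCESSES:
        return None
    stem = name[:-4] if name.endswith(".exe") else name
    for sysname in sorted(SYSTEM_PROCESSES):
        if osa_distance(stem.translate(CONFUSABLES), sysname[:-4].translate(CONFUSABLES)) <= 1:
            return sysname
    return None


def split_command(value: str) -> str:
    """Executable path from an O4 value: honour quotes, otherwise cut after '.exe'."""
    m = re.match(r'^"([^"]+)"', value) or re.match(r"^(.*?\.exe)", value, re.I)
    return m.group(1) if m else value.strip()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else None


def triage(log_text: str) -> list:
    """Return a Finding for every suspicious O4/O20/O23 line, in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RE.match(line):
            exe = split_command(m.group(4))
            name, folder = basename(exe), dirname(exe)
            if target := imitated_process(name):
                findings.append(Finding("lookalike", name, f"imitates {target}"))
            elif name in SYSTEM_PROCESSES and folder and folder not in EXPECTED_DIR[name]:
                findings.append(Finding("wrong-dir", name, f"runs from {folder}"))
        elif m := O20_RE.match(line):
            dll = basename(m.group(2))
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("notify-dll", dll, "not a stock Winlogon Notify DLL"))
        elif m := O23_RE.match(line):
            owner, path = m.group(3), m.group(4)
            if owner == "Unknown owner" and dirname(path) not in SYSTEM32:
                findings.append(Finding("service", basename(path), f"unknown owner, runs from {dirname(path)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:10} {f.name:18} {f.note}")
```

On the sample lines this reports the four look-alikes (scvhost, csrssv, spoolsvc, Isass), explorer.exe running from System32, the m6julg1916.dll Winlogon Notify hook, and the two unknown-owner services outside System32, while leaving mobsync.exe, MsnMsgr.Exe and the VERITAS dmadmin service alone. The confusable folding is what catches Isass.exe: after mapping I to l it is an exact match for lsass, which a plain edit-distance threshold of 1 on the raw text would also catch, but 0/O and 1/l swaps would not be. A real triage tool would need a far larger allow-list and version-specific expected paths; the point here is the three checks, not the lists.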

#5
Jakow

    Member

  • Topic Starter
  • Member
  • 14 posts
For Zonealarm and AVG, do I run them as well, or will that come later?
Either way, I installed all of those things.

#6
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, Jakow.

Please enable all the real-time protection on AVG/Zone Alarm, and make sure they are running.

Also, Please post the log from L2MFix.

#7
Jakow

    Member

  • Topic Starter
  • Member
  • 14 posts
First of all, thank you SO much, the things actually helped a lot for now. But I think the Zonealarm firewall is blocking me from going onto MSN, and I allowed dllhost.exe to be accepted. I think that was a mistake because now the Zonealarm icon became the traffic icon and shows up to be moving all the time, and the dllhost.exe icon is blinking in the Zonealarm program list at the top right.
Second, for the AVG Free thing, do I use it in safe mode for better results? And when the "You have a Virus" pops up do I reset then or later? (I pressed later, and it showed I had another virus, so I pressed later for all of them so that all the viruses deleted at the same time, not after each reset)

OH! and this might not be related to anything, but it also might, but whenever I log on, it says that Logon something something DLL will not work and it shows all these dlls or something in the WINNT folders.

Again, thank you SO much for helping me.


Here's the l2mfix logfile:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\p66slgj716o.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FE6EB7CD-3477-5710-6113-095099D05E9D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{ED8E0192-79CC-4603-BFA3-BBB54265B38F}"=""
"{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}\InprocServer32]
@="C:\\WINNT\\system32\\gvmf32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
l02sla~1.dll Mon Oct 31 2005 5:33:02p ..S.R 236,396 230.86 K
sfrobj.dll Sun Oct 30 2005 11:58:52p ..S.R 234,272 228.78 K
p66slg~1.dll Mon Oct 31 2005 8:11:10p ..S.R 234,676 229.18 K
msvcr71.dll Mon Oct 31 2005 3:38:34p A.... 348,160 340.00 K
msvcp71.dll Mon Oct 31 2005 3:38:36p A.... 499,712 488.00 K
vsdata.dll Mon Aug 29 2005 7:08:34p A.... 83,712 81.75 K
vsmonapi.dll Mon Aug 29 2005 7:08:54p A.... 104,192 101.75 K
vspubapi.dll Mon Aug 29 2005 7:08:58p A.... 227,072 221.75 K
vsutil.dll Mon Aug 29 2005 7:09:14p A.... 382,720 373.75 K
vsinit.dll Mon Aug 29 2005 7:08:46p A.... 141,056 137.75 K
vsxml.dll Mon Aug 29 2005 7:09:22p A.... 100,096 97.75 K
zlcomm.dll Mon Aug 29 2005 7:09:42p A.... 79,616 77.75 K
zlcommdb.dll Mon Aug 29 2005 7:09:46p A.... 71,424 69.75 K
vsregexp.dll Mon Aug 29 2005 7:09:02p A.... 71,424 69.75 K
r48s0e~1.dll Mon Oct 31 2005 4:01:26p ..S.R 235,561 230.04 K
gvmf32.dll Mon Oct 31 2005 5:33:02p ..S.R 234,676 229.18 K

16 items found: 16 files (5 H/S), 0 directories.
Total of file sizes: 3,284,765 bytes 3.13 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is A010-9A33

Directory of C:\WINNT\System32

10/31/2005 08:11p 234,676 p66slgj716o.dll
10/31/2005 05:33p 236,396 l02slaf71d2.dll
10/31/2005 05:33p 234,676 gvmf32.dll
10/31/2005 04:01p 235,561 r48s0el7ehq.dll
10/30/2005 11:58p 234,272 sfrobj.dll
10/30/2005 02:49p <DIR> dllcache
5 File(s) 1,175,581 bytes
1 Dir(s) 1,160,433,664 bytes free



AAAANNNNDDDD here's a fresh HJT logfile :) :

Logfile of HijackThis v1.99.1
Scan saved at 10:47:24 PM, on 10/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\dlhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\etb\pokapoka78.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\jacob\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System service78] C:\WINNT\etb\pokapoka78.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ruww] C:\PROGRA~1\COMMON~1\ruww\ruwwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\p66slgj716o.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

#8 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double-click the second.bat file to continue with the fix.

After that post back a fresh Hijackthis log.

Edited by OwNt, 01 November 2005 - 01:08 AM.


#9 Jakow (Member, Topic Starter, 14 posts)
Thank you again :)

I got a log after the l2mfix step 2 didn't work with the log showing up and the icons disappearing, so I did the second.bat file thing and got a log... and here it is :)

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1852 'explorer.exe'
Killing PID 1852 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2052 'rundll32.exe'
Killing PID 2052 'rundll32.exe'
Error 0x5 : Access is denied.


Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\ikmpagnt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\r48s0el7ehq.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sfrobj.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\ikmpagnt.dll
Successfully Deleted: C:\WINNT\system32\ikmpagnt.dll
deleting: C:\WINNT\system32\r48s0el7ehq.dll
Successfully Deleted: C:\WINNT\system32\r48s0el7ehq.dll
deleting: C:\WINNT\system32\sfrobj.dll
Successfully Deleted: C:\WINNT\system32\sfrobj.dll
deleting: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: ikmpagnt.dll (deflated 5%)
adding: r48s0el7ehq.dll (deflated 5%)
adding: sfrobj.dll (deflated 4%)
adding: guard.tmp (deflated 5%)
adding: echo.reg (deflated 12%)
adding: clear.reg (deflated 37%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 52%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 65%)
adding: lo2.txt (deflated 75%)
adding: test2.txt (deflated 16%)
adding: test3.txt (deflated 16%)
adding: test5.txt (deflated 16%)
adding: test.txt (deflated 53%)
adding: xfind.txt (deflated 46%)
adding: backregs/notibac.reg (deflated 85%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/ED8E0192-79CC-4603-BFA3-BBB54265B38F.reg (deflated 70%)
adding: backregs/84204C6C-04B4-4660-BA9D-8659DAE5BFCC.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: ikmpagnt.dll
deleting local copy: r48s0el7ehq.dll
deleting local copy: sfrobj.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\l02slaf71d2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\ikmpagnt.dll
C:\WINNT\system32\r48s0el7ehq.dll
C:\WINNT\system32\sfrobj.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{ED8E0192-79CC-4603-BFA3-BBB54265B38F}"=-
"{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}"=-
[-HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}]
[-HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



annnnnd my HJT log is... HERE:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:54 PM, on 10/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\dlhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\etb\pokapoka78.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\jacob\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [System service78] C:\WINNT\etb\pokapoka78.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ruww] C:\PROGRA~1\COMMON~1\ruww\ruwwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: policies - C:\WINNT\system32\l02slaf71d2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Right now I REALLY have to go to bed, SO! tired, goodnight :woot:
and thanks again again :tazz:

Now I'm going to shut down and follow your instructions in the morning or after school :D

Edited by Jakow, 01 November 2005 - 02:03 AM.

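The two places L2mfix worked on in the log above, the Winlogon\Notify packages and the two CLSIDs whose InprocServer32 pointed at gvmf32.dll and guard.tmp, can be triaged from a plain regedit export before anything is deleted. The following is an added example written for this thread; it is not code from the thread, from L2mfix or from HijackThis. It parses .reg text (including the hex(2) UTF-16 DllName values regedit emits), then flags notify packages that are outside a baseline or that give an absolute DLL path (Windows' own packages use a bare filename), and CLSIDs whose server is not a .dll or whose class has no friendly name. The baseline set of notify packages is an assumption taken from the other entries in the posted export, and the sample export is constructed from entries posted above.

```python
"""Triage a regedit export for the two persistence points in this thread:
Winlogon\\Notify packages and COM classes' InprocServer32 servers.
Added example; not code from the thread, L2mfix or HijackThis."""
import re

# Notify packages present in the posted export besides "policies". Assumption:
# these are the Windows 2000 baseline and anything else deserves a look.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn", "wzcnotif"}

# Constructed from entries posted in this thread (not a full export).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ED8E0192-79CC-4603-BFA3-BBB54265B38F}\InprocServer32]
@="C:\\WINNT\\system32\\gvmf32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{84204C6C-04B4-4660-BA9D-8659DAE5BFCC}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"DllName"="C:\\WINNT\\system32\\l02slaf71d2.dll"
"Logon"="WinLogon"
'''


def decode_value(raw):
    """Decode one regedit value: "string", dword:, or hex(N): byte lists."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        # REG_SZ (1), REG_EXPAND_SZ (2) and REG_MULTI_SZ (7) are UTF-16LE text
        if m.group(1) in ("1", "2", "7"):
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} from REGEDIT4 / 5.00 export text."""
    # regedit wraps long hex values as ",\<newline><indent>"; re-join them first
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
                keys[current][name] = decode_value(m.group(2))
    return keys


def check_winlogon_notify(keys):
    """Flag packages outside the baseline or naming their DLL by absolute path."""
    findings, marker = [], "\\currentversion\\winlogon\\notify\\"
    for key, values in keys.items():
        if marker not in key.lower():
            continue
        package = key.lower().rsplit("\\", 1)[1]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        reasons = []
        if package not in BASELINE_NOTIFY:
            reasons.append("package not in baseline")
        if "\\" in str(dll):
            reasons.append("absolute DllName path")
        if reasons:
            findings.append((package, dll, reasons))
    return findings


def check_inproc_servers(keys):
    """Flag CLSIDs whose server is not a .dll or whose class has no friendly name."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        clsid_key = key.rsplit("\\", 1)[0]
        server = str(values.get("@", ""))
        reasons = []
        if not server.lower().endswith(".dll"):
            reasons.append("server is not a .dll")
        if not keys.get(clsid_key, {}).get("@"):
            reasons.append("class has no friendly name")
        if reasons:
            findings.append((clsid_key.rsplit("\\", 1)[1], server, reasons))
    return findings


def triage(text):
    keys = parse_reg(text)
    return {"winlogon_notify": check_winlogon_notify(keys),
            "inproc_servers": check_inproc_servers(keys)}


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_EXPORT).items():
        for name, target, reasons in rows:
            print(f"{section}: {name} -> {target}  [{'; '.join(reasons)}]")
```

Run as-is it reports the "policies" package and both posted CLSIDs; feed `triage()` the text of any regedit export to look at another machine. Filename heuristics (random-looking names, the near-identical sizes in the directory listing) are deliberately not used: the two signals here are structural, so they do not depend on guessing what a generated name looks like.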

#10 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, Jakow.

Do you have Administrative privileges? If you don't, then run option #2 again from an administrative account and post back the log from that.

If you do have an administrative account, please use the instructions below.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also post back a fresh Hijackthis log please. :tazz:

#11 Jakow (Member, Topic Starter, 14 posts)
WOW this actually helped A LOT!

here's the log for the spysweeper:

********
3:56 PM: | Start of Session, Tuesday, November 01, 2005 |
3:56 PM: Spy Sweeper started
3:56 PM: Sweep initiated using definitions version 564
3:56 PM: Starting Memory Sweep
3:57 PM: Found Adware: icannnews
3:57 PM: Detected running threat: C:\WINNT\system32\k2lq0c35ef.dll (ID = 83)
4:00 PM: Detected running threat: C:\WINNT\system32\mmdart32.dll (ID = 83)
4:00 PM: Found Adware: elitebar
4:00 PM: Detected running threat: C:\WINNT\etb\pokapoka78.exe (ID = 179560)
4:01 PM: Detected running threat: C:\WINNT\system32\guard.tmp (ID = 83)
4:01 PM: Memory Sweep Complete, Elapsed Time: 00:05:06
4:01 PM: Starting Registry Sweep
4:02 PM: Found Adware: findthewebsiteyouneed hijacker
4:02 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
4:02 PM: Found Adware: multidial
4:02 PM: HKCR\dialerr.dialerr\ (3 subtraces) (ID = 135344)
4:02 PM: HKLM\software\classes\dialerr.dialerr\ (3 subtraces) (ID = 135355)
4:02 PM: Found Adware: targetsoft
4:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
4:02 PM: Found Adware: targetsaver
4:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsl installer\ (1 subtraces) (ID = 143608)
4:02 PM: HKLM\software\tsa\ (1 subtraces) (ID = 143615)
4:02 PM: HKCR\dialerr.dialerr.1\ (3 subtraces) (ID = 661961)
4:02 PM: HKCR\icwconn.apprentice\ (5 subtraces) (ID = 661963)
4:02 PM: HKCR\icwconn.gifconvert\ (5 subtraces) (ID = 661968)
4:02 PM: HKCR\icwconn.ispdata\ (5 subtraces) (ID = 661973)
4:02 PM: HKCR\icwconn.walker\ (5 subtraces) (ID = 661978)
4:02 PM: HKCR\icwconn.webview\ (5 subtraces) (ID = 661983)
4:02 PM: HKCR\icwsystemconfig.icwsystemconfig\ (3 subtraces) (ID = 661988)
4:02 PM: HKCR\inshandler.inshandler\ (3 subtraces) (ID = 661992)
4:02 PM: HKCR\refdial.refdial\ (3 subtraces) (ID = 661996)
4:02 PM: HKCR\smartstart.smartstart\ (3 subtraces) (ID = 662000)
4:02 PM: HKCR\tapilocationinfo.tapilocationinfo\ (3 subtraces) (ID = 662004)
4:02 PM: HKCR\userinfo.userinfo\ (3 subtraces) (ID = 662008)
4:02 PM: HKCR\webgate.webgate\ (3 subtraces) (ID = 662012)
4:02 PM: HKCR\clsid\{462f7758-8848-11d1-add8-0000f87734f0}\control\ (ID = 662065)
4:02 PM: HKLM\software\classes\dialerr.dialerr.1\ (3 subtraces) (ID = 662143)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\main\ || search page (ID = 125238)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\tsl2\ (1 subtraces) (ID = 143616)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
4:02 PM: Found Adware: the818search-co.com hijack
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\ || searchurl (ID = 751006)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
4:02 PM: HKU\S-1-5-21-1993962763-152049171-1060284298-500\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
4:02 PM: Registry Sweep Complete, Elapsed Time:00:01:00
4:02 PM: Starting Cookie Sweep
4:02 PM: Found Spy Cookie: belnk cookie
4:02 PM: administrator@belnk[1].txt (ID = 2292)
4:02 PM: Found Spy Cookie: azjmp cookie
4:02 PM: administrator@azjmp[2].txt (ID = 2270)
4:02 PM: Found Spy Cookie: rn11 cookie
4:02 PM: administrator@rn11[2].txt (ID = 3261)
4:02 PM: Found Spy Cookie: starware.com cookie
4:02 PM: administrator@h.starware[2].txt (ID = 3442)
4:02 PM: Found Spy Cookie: centrport net cookie
4:02 PM: administrator@centrport[1].txt (ID = 2374)
4:02 PM: Found Spy Cookie: advertising cookie
4:02 PM: administrator@advertising[1].txt (ID = 2175)
4:02 PM: Found Spy Cookie: zedo cookie
4:02 PM: administrator@zedo[2].txt (ID = 3762)
4:02 PM: Found Spy Cookie: atlas dmt cookie
4:02 PM: administrator@atdmt[2].txt (ID = 2253)
4:02 PM: administrator@www.starware[1].txt (ID = 3442)
4:02 PM: Found Spy Cookie: overture cookie
4:02 PM: administrator@perf.overture[1].txt (ID = 3106)
4:02 PM: Found Spy Cookie: targetnet cookie
4:02 PM: administrator@targetnet[1].txt (ID = 3489)
4:02 PM: Found Spy Cookie: abcsearch cookie
4:02 PM: administrator@abcsearch[2].txt (ID = 2033)
4:02 PM: Found Spy Cookie: adserver cookie
4:02 PM: administrator@z1.adserver[1].txt (ID = 2142)
4:02 PM: Found Spy Cookie: linksynergy cookie
4:02 PM: administrator@linksynergy[1].txt (ID = 2926)
4:02 PM: Found Spy Cookie: adecn cookie
4:02 PM: administrator@adecn[2].txt (ID = 2063)
4:02 PM: Found Spy Cookie: adprofile cookie
4:02 PM: administrator@adprofile[2].txt (ID = 2084)
4:02 PM: Found Spy Cookie: yieldmanager cookie
4:02 PM: administrator@ad.yieldmanager[1].txt (ID = 3751)
4:02 PM: Found Spy Cookie: reliablestats cookie
4:02 PM: administrator@stats1.reliablestats[1].txt (ID = 3254)
4:02 PM: administrator@dist.belnk[2].txt (ID = 2293)
4:02 PM: Found Spy Cookie: paypopup cookie
4:02 PM: administrator@paypopup[1].txt (ID = 3119)
4:02 PM: Found Spy Cookie: falkag cookie
4:02 PM: administrator@as-us.falkag[2].txt (ID = 2650)
4:02 PM: Found Spy Cookie: realmedia cookie
4:02 PM: administrator@realmedia[2].txt (ID = 3235)
4:02 PM: Found Spy Cookie: fastclick cookie
4:02 PM: administrator@fastclick[2].txt (ID = 2651)
4:02 PM: Found Spy Cookie: adknowledge cookie
4:02 PM: administrator@adknowledge[2].txt (ID = 2072)
4:02 PM: Found Spy Cookie: realtracker cookie
4:02 PM: administrator@web2.realtracker[2].txt (ID = 3242)
4:02 PM: Found Spy Cookie: findthewebsiteyouneed cookie
4:02 PM: administrator@www.findthewebsiteyouneed[2].txt (ID = 2673)
4:02 PM: Found Spy Cookie: servedby advertising cookie
4:02 PM: administrator@servedby.advertising[2].txt (ID = 3335)
4:02 PM: Found Spy Cookie: revenue.net cookie
4:02 PM: administrator@revenue[2].txt (ID = 3257)
4:02 PM: administrator@z1.adserver[3].txt (ID = 2142)
4:02 PM: Found Spy Cookie: empnads cookie
4:02 PM: administrator@empnads[1].txt (ID = 5012)
4:02 PM: Found Spy Cookie: upspiral cookie
4:02 PM: administrator@www.upspiral[2].txt (ID = 3615)
4:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
4:02 PM: Starting File Sweep
4:02 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
4:03 PM: Found Adware: effective-i toolbar
4:03 PM: ucmoreiex.exe (ID = 59853)
4:03 PM: Found Adware: look2me
4:03 PM: installer.exe (ID = 168558)
4:03 PM: 113_dollarrevenue_4_0_3_9.exe (ID = 166444)
4:03 PM: icont.exe (ID = 65722)
4:03 PM: iconu.exe (ID = 65721)
4:03 PM: Warning: Failed to open file "c:\winnt\system32\mmdart32.dll". The process cannot access the file because it is being used by another process
4:03 PM: Warning: Failed to open file "c:\winnt\system32\k2lq0c35ef.dll". The process cannot access the file because it is being used by another process
4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:04 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
4:04 PM: Warning: Failed to open file "c:\winnt\system32\k444lehq1h4e.dll". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\software.log". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\default.log". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\security". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\security.log". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\system.alt". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\sam". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\sam.log". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\system". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\software". The process cannot access the file because it is being used by another process
4:05 PM: Warning: Failed to open file "c:\winnt\system32\config\default". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\winnt\temp\zlt047fa.tmp". The process cannot access the file because it is being used by another process
4:06 PM: Warning: Failed to open file "c:\winnt\etb\nt_hide78.dll". Access is denied
4:06 PM: c:\winnt\etb (17 subtraces) (ID = -2147476235)
4:06 PM: pokapoka78.exe (ID = 179560)
4:07 PM: bw2.com (ID = 65721)
4:09 PM: Warning: Failed to open file "c:\documents and settings\administrator\ntuser.dat". The process cannot access the file because it is being used by another process
4:09 PM: Warning: Failed to open file "c:\documents and settings\administrator\ntuser.dat.log". The process cannot access the file because it is being used by another process
4:09 PM: glf44glf44.exe (ID = 166444)
4:09 PM: tsinstall_4_0_3_8_b17.exe (ID = 78267)
4:09 PM: tsupdate_4_0_3_9_b2.exe (ID = 78281)
4:09 PM: glf60glf60.exe (ID = 78276)
4:10 PM: Warning: Failed to open file "c:\documents and settings\administrator\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
4:10 PM: Warning: Failed to open file "c:\documents and settings\administrator\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
4:10 PM: glf316glf316.exe (ID = 78276)
4:10 PM: appwrap[1].exe (ID = 65721)
4:10 PM: appwrap[1].exe (ID = 65722)
4:10 PM: Warning: Failed to open file "c:\windows\msresearch.exe". Access is denied
4:12 PM: Found Adware: purityscan
4:12 PM: a0018643.inf (ID = 73158)
4:13 PM: Warning: Unhandled Archive Type
4:13 PM: backup.zip (ID = 163672)
4:13 PM: File Sweep Complete, Elapsed Time: 00:10:16
4:13 PM: Full Sweep has completed. Elapsed time 00:16:40
4:13 PM: Traces Found: 160
4:13 PM: Removal process initiated
4:14 PM: Quarantining All Traces: elitebar
4:14 PM: Quarantining All Traces: look2me
4:14 PM: Quarantining All Traces: purityscan
4:14 PM: Quarantining All Traces: effective-i toolbar
4:14 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
4:14 PM: Quarantining All Traces: icannnews
4:14 PM: icannnews is in use. It will be removed on reboot.
4:14 PM: C:\WINNT\system32\k2lq0c35ef.dll is in use. It will be removed on reboot.
4:14 PM: C:\WINNT\system32\mmdart32.dll is in use. It will be removed on reboot.
4:14 PM: C:\WINNT\system32\guard.tmp is in use. It will be removed on reboot.
4:14 PM: Quarantining All Traces: multidial
4:14 PM: Quarantining All Traces: targetsaver
4:14 PM: Quarantining All Traces: targetsoft
4:14 PM: Quarantining All Traces: the818search-co.com hijack
4:14 PM: Quarantining All Traces: abcsearch cookie
4:15 PM: Quarantining All Traces: adecn cookie
4:15 PM: Quarantining All Traces: adknowledge cookie
4:15 PM: Quarantining All Traces: adprofile cookie
4:15 PM: Quarantining All Traces: adserver cookie
4:15 PM: Quarantining All Traces: advertising cookie
4:15 PM: Quarantining All Traces: atlas dmt cookie
4:15 PM: Quarantining All Traces: azjmp cookie
4:15 PM: Quarantining All Traces: belnk cookie
4:15 PM: Quarantining All Traces: centrport net cookie
4:15 PM: Quarantining All Traces: empnads cookie
4:15 PM: Quarantining All Traces: falkag cookie
4:15 PM: Quarantining All Traces: fastclick cookie
4:15 PM: Quarantining All Traces: findthewebsiteyouneed cookie
4:15 PM: Quarantining All Traces: linksynergy cookie
4:15 PM: Quarantining All Traces: overture cookie
4:15 PM: Quarantining All Traces: paypopup cookie
4:15 PM: Quarantining All Traces: realmedia cookie
4:15 PM: Quarantining All Traces: realtracker cookie
4:15 PM: Quarantining All Traces: reliablestats cookie
4:15 PM: Quarantining All Traces: revenue.net cookie
4:15 PM: Quarantining All Traces: rn11 cookie
4:15 PM: Quarantining All Traces: servedby advertising cookie
4:15 PM: Quarantining All Traces: starware.com cookie
4:15 PM: Quarantining All Traces: targetnet cookie
4:15 PM: Quarantining All Traces: upspiral cookie
4:15 PM: Quarantining All Traces: yieldmanager cookie
4:15 PM: Quarantining All Traces: zedo cookie
4:15 PM: Preparing to restart your computer. Please wait...
4:15 PM: Removal process completed. Elapsed time 00:01:46
4:22 PM: Sent error log: C:\Documents and Settings\Administrator\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
********
3:42 PM: | Start of Session, Tuesday, November 01, 2005 |
3:42 PM: Spy Sweeper started
3:45 PM: Warning: TDefFileIO.CompressAndEncrypt: Converting to LZMA Exception: Out of memory
3:45 PM: Error: Out of memory.
3:45 PM: Updating spyware definitions
3:47 PM: Deleted error log without sending: C:\Documents and Settings\Administrator\Application Data\Webroot\Spy Sweeper\Logs\bugreport.txt
3:47 PM: Updating spyware definitions
3:47 PM: Warning: TDefFileIO.CompressAndEncrypt: Converting to LZMA Exception: Out of memory
3:49 PM: Updating spyware definitions
3:50 PM: Updating spyware definitions
3:50 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:50 PM: Updating spyware definitions
3:50 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:50 PM: Updating spyware definitions
3:50 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:50 PM: Updating spyware definitions
3:50 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:50 PM: Updating spyware definitions
3:50 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:51 PM: Updating spyware definitions
3:51 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:51 PM: Updating spyware definitions
3:51 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:51 PM: Updating spyware definitions
3:51 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:51 PM: Updating spyware definitions
3:51 PM: Warning: TDefFileIO.CompressAndEncrypt: Converting to LZMA Exception: Out of memory
3:51 PM: Error: Out of memory.
3:51 PM: Updating spyware definitions
3:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:54 PM: Your spyware definitions have been updated.
3:55 PM: Processing Startup Alerts
3:55 PM: Removed Startup entry: System service78
3:56 PM: | End of Session, Tuesday, November 01, 2005 |


and here's the log for HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:26:25 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\dlhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\jacob\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ruww] C:\PROGRA~1\COMMON~1\ruww\ruwwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Thanks :tazz:
there is probably more bad stuff, and I am here all day :)
  • 0

#12
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, Jakow.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If, after the reboot, the desktop icons don't disappear or the log does not pop up, then double click the second.bat file in the l2mfix folder to continue with the fix.

After that open Hijackthis, Scan, and place a checkmark by the following entries:

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [ruww] C:\PROGRA~1\COMMON~1\ruww\ruwwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)


Close ALL Open Windows/Browsers and click Fix Checked.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please do a search for csrssv.exe and delete all files found. Be VERY careful not to delete csrss.exe which is a legit windows file.
(Start > Search > For Files or Folders)

4) Run Killbox.

5) Select "Delete on Reboot".

6) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\System32\iexplore.exe
C:\Program Files\Common Files\ruww\ruwwm.exe
C:\WINNT\dlhost.exe
C:\WINNT\System32\wins\DLLHOST.EXE


7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

8) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Please post back the log from L2MFix, and a new Hijackthis log.
  • 0

#13
Jakow

Jakow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
OK, so I'm giving you those three logs...
But first, I've gotta say that in safe mode I could not find the csrssv.exe file to delete. Is it a hidden file? If so, I can set it up so I can see those..
Oh, and I don't think I could delete the dlhost and the dllhost things in Killbox; I was also unable to paste from clipboard...
So anyways.. here they are...

1) the l2mfix one that finally worked


C:\
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 428 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\k444lehq1h4e.dll
1 file(s) copied.
deleting: C:\WINNT\system32\k444lehq1h4e.dll
Successfully Deleted: C:\WINNT\system32\k444lehq1h4e.dll

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: k444lehq1h4e.dll (deflated 4%)
adding: clear.reg (deflated 37%)
adding: desktop.ini (stored 0%)
adding: lo2.txt (deflated 52%)
adding: test2.txt (deflated 18%)
adding: test3.txt (deflated 18%)
adding: test5.txt (deflated 18%)
adding: test.txt (stored 0%)
adding: xfind.txt (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: k444lehq1h4e.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\k444lehq1h4e.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{3E4EDE89-5764-4784-9530-83B1B7CE05BD}"=-
"{13A8D01D-E89A-4B86-9E64-970ED438594C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{3E4EDE89-5764-4784-9530-83B1B7CE05BD}]
[-HKEY_CLASSES_ROOT\CLSID\{13A8D01D-E89A-4B86-9E64-970ED438594C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



2) the HJT log that came after this...

Logfile of HijackThis v1.99.1
Scan saved at 6:21:49 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\dlhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
D:\jacob\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ruww] C:\PROGRA~1\COMMON~1\ruww\ruwwm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

3) and finally the newest HJT log :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:51:25 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\jacob\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


Thank you
  • 0

#14
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, Jakow.

Please go to Start > Run, then type cmd and hit enter.

type sc stop RpcPatch

type sc delete RpcPatch

type sc stop DLHOST

type sc delete DLHOST

Please Show Hidden Files and Folders

Not all of these will be here.

Find and delete the following files/folders:

C:\WINNT\System32\iexplore.exe
C:\Program Files\Common Files\ruww
C:\WINNT\dlhost.exe
C:\WINNT\System32\wins\DLLHOST.EXE
Search for and delete csrssv.exe Do NOT delete the legit file, csrss.exe

If you can't delete these in normal mode, please boot to safe mode and do it.

Please post back a fresh Hijackthis log after this.
  • 0
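The checks the helper applied by eye to the O4 and O23 lines in these logs, as an added example that is not part of the thread or of HijackThis: it parses sample lines copied from the logs posted above and flags services with no vendor string or a missing binary, well-known names running from the wrong directory, and lookalike names one edit away from a real Windows process name (csrssv.exe vs csrss.exe, dlhost.exe vs dllhost.exe). The expected-directory table and the one-edit rule are this example's own assumptions.

```python
# Added example (not from the thread or HijackThis): triage HJT O4/O23 lines.
import re

# Legitimate binaries the thread's malware imitated, mapped to the directory the
# real file lives in (lowercase, drive letter dropped); assumes the Windows 2000
# layout (C:\WINNT) shown in the thread's own logs.
KNOWN_LOCATIONS = {
    "iexplore.exe": r"\program files\internet explorer",
    "csrss.exe": r"\winnt\system32",
    "dllhost.exe": r"\winnt\system32",
}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Sample lines copied from the HJT logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\System32\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the budget used for a lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_from_command(cmd: str) -> str:
    """Executable part of an O4 command line, quotes and arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def exe_reasons(exe: str) -> list[str]:
    """Why an executable path looks like it masquerades as a Windows file."""
    directory, _, name = exe.lower().rpartition("\\")
    directory = directory[2:] if directory[1:2] == ":" else directory  # drop drive
    stem = name[:-4] if name.endswith(".exe") else name
    reasons = []
    for known, home in KNOWN_LOCATIONS.items():
        if name == known and directory != home:
            reasons.append(f"{known} expected in {home}, found in {directory or '(no path)'}")
        elif name != known and edit_distance(stem, known[:-4]) == 1:
            reasons.append(f"{name} imitates the legitimate {known}")
    return reasons

def triage(log: str) -> list[dict]:
    """Return the O4/O23 lines worth a second look, each with its reasons."""
    findings = []
    for line in log.splitlines():
        reasons: list[str] = []
        if m := O4_RE.match(line):
            reasons += exe_reasons(exe_from_command(m.group("cmd")))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner":
                reasons.append("service has no vendor string")
            if m.group("missing"):
                reasons.append("service binary is missing from disk")
            reasons += exe_reasons(m.group("path"))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the four entries the helper told Jakow to fix (iexplore.exe in System32, csrssv.exe, DLHOST and RpcPatch) and leaves the AVG, MSN Messenger and dmadmin lines alone.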

#15
Jakow

Jakow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Yo OwNt,

I could not do all of that stuff you told me; as far as I could go was.. deleting the ruww.
When I searched for the iexplore and dlhost and csrssv, it said there were no such files. When I searched for DLLHOST, however, I found a DLLHOST, but it was not in the /wins folder. I did not delete it because it might be important.
Also, when I tried to go into the cmd thing, it said that "sc" was not a good command or something, and when I tried without the sc, it said that delete was not a good command either.

Other than that, I cannot find any more problems, only minor ones with ZoneAlarm and its stupidity towards MSN Messenger. My computer has become exceptionally faster since the problems, and the download times aren't 40 to 60 kb/s anymore; they're now around normal, from 100 to 400 kb/s.
Thank you so much!

Adios,
Jakow :tazz:

EDIT:
adding the logfile for right now :)

Logfile of HijackThis v1.99.1
Scan saved at 12:09:53 AM, on 11/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\jacob\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130713516917
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINNT\dlhost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINNT\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Edited by Jakow, 02 November 2005 - 02:10 AM.

  • 0
