
Spyware.Look2me [RESOLVED]


#1
Tiyok (Member, 28 posts)
Please help me. I've scanned my PC with Ewido and Ad-Aware with the latest definition files, but this annoying Spyware.Look2me still exists. These are my HJT logs.

Logfile of HijackThis v1.99.1
Scan saved at 16:41:18, on 25/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msgserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lsswin.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\lentera nuansa\My Documents\Tiyok\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O4 - HKLM\..\Run: [lsswin.exe] C:\WINDOWS\System32\lsswin.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\Software\..\Telephony: DomainName = telkom
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0553B3A-2378-4681-B68F-C767321AF61B}: NameServer = 202.134.0.155 202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = telkom
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Usb - C:\WINDOWS\system32\en68l1ju1.dll (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\Program Files\Macromedia\Generator 2\bin\jsm.exe
O23 - Service: Informix Dynamic Server Message Service (MsgServ) - Unknown owner - C:\WINDOWS\System32\msgserv.exe
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


#2
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello and welcome to GeeksToGo!

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh HijackThis log in this thread.

If you have resolved this issue please let us know.

#3
Tiyok (Topic Starter, Member, 28 posts)
This is my fresh HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 17:03:18, on 25/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msgserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lsswin.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\lentera nuansa\My Documents\Tiyok\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\regedit.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O4 - HKLM\..\Run: [lsswin.exe] C:\WINDOWS\System32\lsswin.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\Software\..\Telephony: DomainName = telkom
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0553B3A-2378-4681-B68F-C767321AF61B}: NameServer = 202.134.0.155 202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = telkom
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Usb - C:\WINDOWS\system32\en68l1ju1.dll (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\Program Files\Macromedia\Generator 2\bin\jsm.exe
O23 - Service: Informix Dynamic Server Message Service (MsgServ) - Unknown owner - C:\WINDOWS\System32\msgserv.exe
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#4
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, Tiyok.

Please open HijackThis, scan, and place a checkmark by the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [lsswin.exe] C:\WINDOWS\System32\lsswin.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O20 - Winlogon Notify: Usb - C:\WINDOWS\system32\en68l1ju1.dll (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Close ALL open windows/browsers and click Fix Checked.

Exit HijackThis.

Please reboot into Safe Mode by tapping F8 as your computer starts up. Select safe mode from the list that appears.

Once in safe mode please delete the following files/folders:

C:\WINDOWS\System32\lsswin.exe
C:\Program Files\SurfAccuracy

Reboot into normal mode.

Then please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back a fresh HijackThis log, and the log from Kaspersky.
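The entries singled out above share traits that can be checked mechanically: Winlogon Notify DLLs that are not part of Windows (here with random-looking names, and sometimes already missing on disk) and unowned services whose binary is missing or whose ImagePath is malformed. The following is an added example, not code from HijackThis or from this thread; it parses O20 and O23 lines in the log format shown above, with sample lines constructed from the logs posted here and the set of stock XP Notify DLLs assumed for the example.

```python
import re

# Winlogon Notify handlers that ship with Windows XP (assumed baseline for this
# example). Third-party products (AV, VPN clients) legitimately register their
# own, so "not stock" means "verify the vendor", not "malicious".
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}

# O20 - Winlogon Notify: <name> - <path>[ (file missing)]
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")
# O23 - Service: <desc>[ (<svc>)] - <owner> - <path>[ (file missing)]
# The short name in parentheses is sometimes absent (ewido, kavsvc lines), so
# the line is split from the right: the path is the first " - " field that
# starts with a drive letter or a quote.
O23_PATH_RE = re.compile(r' - (?P<path>(?:"|[A-Za-z]:\\).*?)'
                         r'(?P<missing> \(file missing\))?$')
O23_SVC_RE = re.compile(r"^(?P<desc>.+) \((?P<svc>[^()]+)\)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def looks_generated(dll):
    """Digits mixed into a short alphanumeric stem, as in en68l1ju1.dll or
    k0jsla171d.dll; trailing digits alone (crypt32.dll) do not count."""
    stem = dll.rsplit(".", 1)[0]
    core = stem.rstrip("0123456789")
    return 6 <= len(stem) <= 12 and stem.isalnum() and any(c.isdigit() for c in core)


def parse_o20(line):
    m = O20_RE.match(line)
    if not m:
        return None
    return {"name": m["name"], "path": m["path"], "missing": bool(m["missing"])}


def parse_o23(line):
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    rest = line[len(prefix):]
    pm = O23_PATH_RE.search(rest)
    if not pm:
        return None
    desc, _, owner = rest[:pm.start()].rpartition(" - ")  # "<desc>[ (<svc>)] - <owner>"
    sm = O23_SVC_RE.match(desc)
    desc, svc = (sm["desc"], sm["svc"]) if sm else (desc, None)
    return {"desc": desc, "svc": svc, "owner": owner,
            "path": pm["path"], "missing": bool(pm["missing"])}


def triage(lines):
    """Return [(line, [reasons])] for O20/O23 entries that deserve a closer look."""
    findings = []
    for line in (raw.strip() for raw in lines):
        reasons = []
        o20, o23 = parse_o20(line), parse_o23(line)
        if o20:
            dll = basename(o20["path"])
            if dll not in STOCK_NOTIFY_DLLS:
                reasons.append("Winlogon Notify DLL outside the stock XP set")
            if looks_generated(dll):
                reasons.append("DLL name looks machine-generated")
            if o20["missing"]:
                reasons.append("registered DLL is missing on disk")
        elif o23:
            if o23["owner"] == "Unknown owner" and o23["missing"]:
                reasons.append("unowned service whose binary is missing")
            if o23["path"].count('"') % 2:
                reasons.append("unbalanced quote in the service ImagePath")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample, copied in form from the HijackThis logs in this thread.
SAMPLE_LINES = r"""
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Usb - C:\WINDOWS\system32\en68l1ju1.dll (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ir60l5jm1.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(line, "\n    ->", "; ".join(reasons))
```

NavLogon.dll is reported only because it is not a Windows component; a vendor check (here, Norton) clears it, which is exactly the manual step the allowlist cannot replace.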

#5
Tiyok (Topic Starter, Member, 28 posts)
Do you have another option besides that Kaspersky online scanning? My internet connection is very slow, and I'm using Opera as my browser. The Kaspersky online scan needs IE. There is no response when I click Kaspersky online scanning using IE.

#6
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, Tiyok.

Let's try Housecall

Trend-Micro Housecall Scan
  • Please go HERE to run Housecall.
  • Note: you must use Internet Explorer, other browsers will not work.
  • Under "Scan your PC", please click Scan now. It's free!
  • Select your location and click the Go button.
  • Click the red magnifying glass button.
  • Select Complete Scan.
  • Please be patient while Housecall downloads.
  • Please allow the ActiveX Control and when prompted click install
  • Put a check next to My Computer
  • Leave the following checked:
    • Scan for Spyware
    • Check security vulnerabilities
  • Click the Next button.
  • It will download the latest scan engine and pattern files.
  • When the definitions have been downloaded, the scan will start.
  • After it's done scanning it will take you to the summary page.
  • Click the Next button.
  • Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
  • Click the Next button to move onto the recovery (final) portion of the scan.
  • After everything has been removed, please click the show button on everything.
  • Highlight all of the text and press CTRL + C to copy the text.
  • Please post the contents into your next reply.

#7
Tiyok (Topic Starter, Member, 28 posts)
It didn't respond when I clicked Start Free Scan Now using IE. I think my IE has problems too. Do you have any other methods that don't use IE? It's only Opera that works normally on this computer.

#8
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello Tiyok,

Try repairing Internet Explorer here.

#9
Tiyok (Topic Starter, Member, 28 posts)
I did the two methods to repair my IE, but I still can't do online scanning (nothing happened when I clicked Free Scan on both Kaspersky and HouseCall). So I downloaded the free software they offered (Kaspersky Anti-Virus Personal Security Suite and Trend Micro Spyware Scanner) and did local scanning (and fixed problems or deleted whatever threats it found). I also installed and am using Spybot to check and immunize.
Now there's no pop-up when I connect to the internet. But still, when I log in to this computer, Ewido detects Spyware.Look2me and I have to click CLEAN several times before I can use this computer. I ran FixL2me from Symantec but it didn't find the virus.
Here is my fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:45, on 29/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lentera nuansa\My Documents\Tiyok\hijackthis\HijackThis.exe

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\Software\..\Telephony: DomainName = telkom
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0553B3A-2378-4681-B68F-C767321AF61B}: NameServer = 202.134.0.155 202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = telkom
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\ir60l5jm1.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\pdlstore.dll (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\Program Files\Macromedia\Generator 2\bin\jsm.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe (file missing)
O23 - Service: Informix Dynamic Server Message Service (MsgServ) - Unknown owner - C:\WINDOWS\System32\msgserv.exe (file missing)
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)

#10
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, Tiyok.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads....org/l2mfix.exe
http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If you receive, while running option #2, an error similar to "C:\windows\system32\cmd.exe, C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#11
Tiyok (Topic Starter, Member, 28 posts)
I did what you told me to do. After the reboot Ewido didn't warn me again. Here are my HJT log and L2mfix log.

Logfile of HijackThis v1.99.1
Scan saved at 13:48:52, on 29/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\lentera nuansa\My Documents\Tiyok\hijackthis\HijackThis.exe

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\Software\..\Telephony: DomainName = telkom
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0553B3A-2378-4681-B68F-C767321AF61B}: NameServer = 202.134.0.155 202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = telkom
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\k0jsla171d.dll (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\pdlstore.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\Program Files\Macromedia\Generator 2\bin\jsm.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe (file missing)
O23 - Service: Informix Dynamic Server Message Service (MsgServ) - Unknown owner - C:\WINDOWS\System32\msgserv.exe (file missing)
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)

L2mfix Beta 112705
Creating Account.
The account already exists.

More help is available by typing NET HELPMSG 2224.

Adding Administrative privleges.
System error 1378 has occurred.

The specified account name is already a member of the local group.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 624 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 776 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 288 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ctmuid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\FG20ENU.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0jsla171d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv84l9lq1.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\ctmuid.dll
Successfully Deleted: C:\WINDOWS\system32\ctmuid.dll
deleting: C:\WINDOWS\system32\FG20ENU.DLL
Successfully Deleted: C:\WINDOWS\system32\FG20ENU.DLL
deleting: C:\WINDOWS\system32\k0jsla171d.dll
Successfully Deleted: C:\WINDOWS\system32\k0jsla171d.dll
deleting: C:\WINDOWS\system32\mv84l9lq1.dll
Successfully Deleted: C:\WINDOWS\system32\mv84l9lq1.dll


Zipping up files for submission:
zip warning: name not matched: guard.tmp

zip error: Nothing to do! (backup.zip)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/8B19254A-ADA3-49D5-9449-90B0079D401B.reg (164 bytes security) (deflated 70%)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/A287120F-8767-4969-9ECD-7FE9DF36D455.reg (164 bytes security) (deflated 70%)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/BC31646B-693D-43E8-80A5-15D5C39B67F4.reg (164 bytes security) (deflated 70%)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/F0FFD0EB-0FD1-4036-85D6-5A4588045447.reg (164 bytes security) (deflated 70%)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/F760DBB1-41FE-48BF-90D2-2B8F6AF7DFBF.reg (164 bytes security) (deflated 70%)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: Documents and Settings/lentera nuansa/Desktop/l2mfix/backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: ctmuid.dll
deleting local copy: FG20ENU.DLL
deleting local copy: k0jsla171d.dll
deleting local copy: mv84l9lq1.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\k0jsla171d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\pdlstore.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ctmuid.dll
C:\WINDOWS\system32\FG20ENU.DLL
C:\WINDOWS\system32\k0jsla171d.dll
C:\WINDOWS\system32\mv84l9lq1.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F0FFD0EB-0FD1-4036-85D6-5A4588045447}"=-
"{BC31646B-693D-43E8-80A5-15D5C39B67F4}"=-
"{8B19254A-ADA3-49D5-9449-90B0079D401B}"=-
"{F760DBB1-41FE-48BF-90D2-2B8F6AF7DFBF}"=-
"{A287120F-8767-4969-9ECD-7FE9DF36D455}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F0FFD0EB-0FD1-4036-85D6-5A4588045447}]
[-HKEY_CLASSES_ROOT\CLSID\{BC31646B-693D-43E8-80A5-15D5C39B67F4}]
[-HKEY_CLASSES_ROOT\CLSID\{8B19254A-ADA3-49D5-9449-90B0079D401B}]
[-HKEY_CLASSES_ROOT\CLSID\{F760DBB1-41FE-48BF-90D2-2B8F6AF7DFBF}]
[-HKEY_CLASSES_ROOT\CLSID\{A287120F-8767-4969-9ECD-7FE9DF36D455}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/ctmuid.dll (164 bytes security) (deflated 4%)
adding: dlls/FG20ENU.DLL (164 bytes security) (deflated 5%)
adding: dlls/k0jsla171d.dll (164 bytes security) (deflated 4%)
adding: dlls/mv84l9lq1.dll (164 bytes security) (deflated 5%)

Is it free now?

#12 OwNt, Malware Expert (Retired Staff, 7,457 posts)
Hello, Tiyok.

Please open Hijackthis, scan, and place a checkmark by the following entries:

O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\k0jsla171d.dll (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\pdlstore.dll (file missing)
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)


Close all open windows/browsers and click Fix Checked.

Exit Hijackthis.

Please run a virus scan at Kaspersky.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Reboot and post the log from Kaspersky and a fresh Hijackthis log.
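The two O20 lines in the post above are Winlogon Notify packages: winlogon.exe loads the DLL named in each subkey at logon, and the L2MFix log earlier in this thread dumps exactly that key, since Look2Me hid its randomly named DLLs there under innocuous subkey names such as "Applets". An entry whose DLL is already gone still deserves removal, because the subkey would load whatever file is later written under that name. The script below is an added example, not code from the thread and not part of HijackThis or L2MFix: it audits the Notify key in PowerShell, resolves each DllName the way winlogon does (bare names come from system32), reports whether the file exists, and flags packages that are not in the stock Windows XP list or whose DLL lives outside system32. The stock package list, function name and verdict strings are my own assumptions; compare the list against a clean machine of the same service pack. The signature column is informational only, because PowerShell on XP cannot see catalog signatures and Microsoft's own wlnotify.dll will show NotSigned. Winlogon Notify packages were removed in Windows Vista, so on later systems the key is normally empty.

```powershell
# Added example (not from the thread, not HijackThis or L2MFix code): audit the
# Winlogon Notify key. winlogon.exe loads every DllName listed here at logon, which
# is why Look2Me registered its DLLs under subkeys such as "Applets".
# Assumes PowerShell 2.0 or later in an elevated prompt on XP/2003.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Package names that ship with Windows XP (my list; verify against a clean machine
# of the same service pack). Anything else is worth a look even if its DLL is signed.
$stockPackages = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                   'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon', 'wzcnotif')

function Get-WinlogonNotifyReport {
    param([string]$Key = $notifyKey)
    if (-not (Test-Path $Key)) { return }
    foreach ($sub in Get-ChildItem $Key) {
        $name = $sub.PSChildName
        $dll  = (Get-ItemProperty $sub.PSPath).DllName
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            # A bare name such as "wlnotify.dll" is loaded from system32, so resolve it there.
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot ("system32\" + $dll)
            }
        }
        $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)

        # Informational only: PowerShell on XP does not see catalog signatures, so
        # Microsoft's own wlnotify.dll reports NotSigned here.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }

        $sys32 = (Join-Path $env:SystemRoot 'system32').ToLower()
        $inSystem32 = $exists -and $dll.ToLower().StartsWith($sys32)

        $verdict = if (-not $dll)        { 'no DllName: remove subkey' }
                   elseif (-not $exists) { 'file missing: remove orphaned subkey' }
                   elseif ($stockPackages -notcontains $name) { 'not a stock package: inspect DLL' }
                   elseif (-not $inSystem32) { 'stock name, DLL outside system32: inspect' }
                   else { 'ok' }

        New-Object PSObject -Property @{
            Package = $name; Dll = $dll; Exists = $exists; Signature = $sig; Verdict = $verdict
        }
    }
}

Get-WinlogonNotifyReport | Sort-Object Verdict |
    Format-Table Package, Exists, Signature, Verdict -AutoSize
```

On the log above, the "Applets" and "Extensions" subkeys would be reported as "file missing: remove orphaned subkey", which is the same conclusion the HijackThis fix reaches; removing the subkey with Remove-Item under the Notify key, or with HijackThis as instructed, is what closes the hole.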

#13 Tiyok, Member (Topic Starter, 28 posts)
Logfile of HijackThis v1.99.1
Scan saved at 14:44:20, on 01/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\lentera nuansa\My Documents\Tiyok\hijackthis\HijackThis.exe

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\Software\..\Telephony: DomainName = telkom
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0553B3A-2378-4681-B68F-C767321AF61B}: NameServer = 202.134.0.155 202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = telkom
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\Program Files\Macromedia\Generator 2\bin\jsm.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe (file missing)
O23 - Service: Informix Dynamic Server Message Service (MsgServ) - Unknown owner - C:\WINDOWS\System32\msgserv.exe (file missing)
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 14:34:48
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/12/2005
Kaspersky Anti-Virus database records: 162545
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 91795
Number of viruses found: 16
Number of infected objects: 100
Number of suspicious objects: 0
Duration of the scan process: 6907 sec

Infected Object Name - Virus Name
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\backup.zip/dlls/ctmuid.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\backup.zip/dlls/FG20ENU.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\backup.zip/dlls/k0jsla171d.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\backup.zip/dlls/mv84l9lq1.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\backup.zip Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\dlls\ctmuid.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\dlls\FG20ENU.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\dlls\k0jsla171d.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Desktop\l2mfix\dlls\mv84l9lq1.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@yahoo.co.uk][Date Thu, 24 Nov 2005 05:35:13 UTC]/UNNAMED/downloadm.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@yahoo.co.uk][Date Thu, 24 Nov 2005 05:35:13 UTC]/UNNAMED/downloadm.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@yahoo.co.uk][Date Thu, 24 Nov 2005 05:35:13 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@hotmail.com][Date Fri, 25 Nov 2005 00:47:30 GMT]/UNNAMED/downloadm.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@hotmail.com][Date Fri, 25 Nov 2005 00:47:30 GMT]/UNNAMED/downloadm.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@hotmail.com][Date Fri, 25 Nov 2005 00:47:30 GMT]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Admin@fbi.gov][Date Fri, 25 Nov 2005 01:53:18 UTC]/UNNAMED/question_list.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Admin@fbi.gov][Date Fri, 25 Nov 2005 01:53:18 UTC]/UNNAMED/question_list.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Admin@fbi.gov][Date Fri, 25 Nov 2005 01:53:18 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Mail@cia.gov][Date Fri, 25 Nov 2005 01:49:10 UTC]/UNNAMED/question_list.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Mail@cia.gov][Date Fri, 25 Nov 2005 01:49:10 UTC]/UNNAMED/question_list.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Mail@cia.gov][Date Fri, 25 Nov 2005 01:49:10 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From indra-tecc@telkom.net][Date Fri, 25 Nov 2005 01:27:55 UTC]/UNNAMED/mailtext.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From indra-tecc@telkom.net][Date Fri, 25 Nov 2005 01:27:55 UTC]/UNNAMED/mailtext.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From indra-tecc@telkom.net][Date Fri, 25 Nov 2005 01:27:55 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Department@fbi.gov][Date Fri, 25 Nov 2005 02:23:07 UTC]/UNNAMED/question_list.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Department@fbi.gov][Date Fri, 25 Nov 2005 02:23:07 UTC]/UNNAMED/question_list.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Department@fbi.gov][Date Fri, 25 Nov 2005 02:23:07 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@mail.ips.es][Date Fri, 25 Nov 2005 05:55:36 UTC]/UNNAMED/mail.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@mail.ips.es][Date Fri, 25 Nov 2005 05:55:36 UTC]/UNNAMED/mail.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@mail.ips.es][Date Fri, 25 Nov 2005 05:55:36 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From postmaster@correo.com.uy][Date Fri, 25 Nov 2005 06:50:31 UTC]/UNNAMED/mail.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From postmaster@correo.com.uy][Date Fri, 25 Nov 2005 06:50:31 UTC]/UNNAMED/mail.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From postmaster@correo.com.uy][Date Fri, 25 Nov 2005 06:50:31 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Post@fbi.gov][Date Fri, 25 Nov 2005 08:57:52 UTC]/UNNAMED/list379.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Post@fbi.gov][Date Fri, 25 Nov 2005 08:57:52 UTC]/UNNAMED/list379.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Post@fbi.gov][Date Fri, 25 Nov 2005 08:57:52 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From postmaster@yahoo.com][Date Thu, 24 Nov 2005 00:35:55 UTC]/UNNAMED/downloadm.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From postmaster@yahoo.com][Date Thu, 24 Nov 2005 00:35:55 UTC]/UNNAMED/downloadm.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From postmaster@yahoo.com][Date Thu, 24 Nov 2005 00:35:55 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From hostmaster@blog.indosiar.com][Date Wed, 23 Nov 2005 10:22:19 UTC]/UNNAMED/reg_pass-data.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From hostmaster@blog.indosiar.com][Date Wed, 23 Nov 2005 10:22:19 UTC]/UNNAMED/reg_pass-data.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From hostmaster@blog.indosiar.com][Date Wed, 23 Nov 2005 10:22:19 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@yahoo.co.uk][Date Thu, 24 Nov 2005 05:35:13 UTC]/UNNAMED/downloadm.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@yahoo.co.uk][Date Thu, 24 Nov 2005 05:35:13 UTC]/UNNAMED/downloadm.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@yahoo.co.uk][Date Thu, 24 Nov 2005 05:35:13 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@hotmail.com][Date Fri, 25 Nov 2005 00:47:30 GMT]/UNNAMED/downloadm.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@hotmail.com][Date Fri, 25 Nov 2005 00:47:30 GMT]/UNNAMED/downloadm.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From office@hotmail.com][Date Fri, 25 Nov 2005 00:47:30 GMT]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Admin@fbi.gov][Date Fri, 25 Nov 2005 01:53:18 UTC]/UNNAMED/question_list.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Admin@fbi.gov][Date Fri, 25 Nov 2005 01:53:18 UTC]/UNNAMED/question_list.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From Admin@fbi.gov][Date Fri, 25 Nov 2005 01:53:18 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From hostmaster@blog.indosiar.com][Date Wed, 23 Nov 2005 10:22:19 UTC]/UNNAMED/reg_pass-data.zip/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From hostmaster@blog.indosiar.com][Date Wed, 23 Nov 2005 10:22:19 UTC]/UNNAMED/reg_pass-data.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx/[From hostmaster@blog.indosiar.com][Date Wed, 23 Nov 2005 10:22:19 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{5E34EEC8-E7FE-405D-9054-208B0DEF5A25}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{C7FF2983-EB30-41EF-B366-84041FA944C8}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <supprefnum087438131137@ebay.com>][Date Mon, 07 Nov 2005 10:05:36 -0100]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{C7FF2983-EB30-41EF-B366-84041FA944C8}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <supprefnum087438131137@ebay.com>][Date Mon, 07 Nov 2005 10:05:36 -0100]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{C7FF2983-EB30-41EF-B366-84041FA944C8}\Microsoft\Outlook Express\Deleted Items.dbx/[From danto@gratika.co.id][Date Wed, 16 Nov 2005 16:52:41 +0800]/UNNAMED/file.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{C7FF2983-EB30-41EF-B366-84041FA944C8}\Microsoft\Outlook Express\Deleted Items.dbx/[From danto@gratika.co.id][Date Wed, 16 Nov 2005 16:52:41 +0800]/UNNAMED/file.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{C7FF2983-EB30-41EF-B366-84041FA944C8}\Microsoft\Outlook Express\Deleted Items.dbx/[From danto@gratika.co.id][Date Wed, 16 Nov 2005 16:52:41 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\lentera nuansa\Local Settings\Application Data\Identities\{C7FF2983-EB30-41EF-B366-84041FA944C8}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\lentera nuansa\Local Settings\Temp\GLB41.tmp/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e
C:\Documents and Settings\lentera nuansa\Local Settings\Temp\GLB41.tmp Infected: not-a-virus:AdWare.Win32.Ucmore.e
C:\Documents and Settings\lentera nuansa\Local Settings\Temporary Internet Files\Content.IE5\4TKTSFG5\MediaGateway[1].exe Infected: not-a-virus:AdWare.Win32.WinAD.bs
C:\Program Files\Common Files\Download\mc-58-12-0000141.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.l
C:\Program Files\Common Files\InetGet\mc-58-12-0000141.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Program Files\Common Files\mc-58-12-0000141.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\Program Files\Common Files\Windows\mc-58-12-0000141.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Program Files\Opera\download\newretrievefile.cgi/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Program Files\Opera\download\newretrievefile.cgi Infected: Email-Worm.Win32.Sober.y
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-1011\Dc5\Uninstall.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-1011\Dc5\Uninstall.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-1011\Dc5\Uninstall.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\07EA160E/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\07EA160E Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\27665B69/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\27665B69 Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\2A2332C0/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\2A2332C0 Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\401245DB/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\401245DB Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\53001126/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\53001126 Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\601756BF/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\601756BF Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\68A2607D/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\68A2607D Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\711A472B/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\711A472B Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\7B9617A1/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-500\Dc8\Norton Antivirus\Quarantine\7B9617A1 Infected: Email-Worm.Win32.NetSky.q
C:\WINDOWS\hdbyksr.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.s
C:\WINDOWS\system32\3obia8a5.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\weirdontheweb_topc.exe/data0002 Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\WINDOWS\weirdontheweb_topc.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.b
D:\Musik\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
D:\data_joniku\joniku\Kump_PSMOP_Smg\dd\data\data D\GOZILLA.EXE/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a
D:\data_joniku\joniku\Kump_PSMOP_Smg\dd\data\data D\GOZILLA.EXE/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a
D:\data_joniku\joniku\Kump_PSMOP_Smg\dd\data\data D\GOZILLA.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a

Scan process completed.

#14 OwNt, Malware Expert (Retired Staff, 7,457 posts)
Hello, Tiyok.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot".
    • From the main Killbox Window, Select Options>>Delete on Reboot>>Process all in List
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\Documents and Settings\lentera nuansa\Local Settings\Temp\GLB41.tmp
    C:\Documents and Settings\lentera nuansa\Local Settings\Temporary Internet Files\Content.IE5\4TKTSFG5\MediaGateway[1].exe
    C:\Program Files\Common Files\Download\mc-58-12-0000141.exe
    C:\Program Files\Common Files\InetGet\mc-58-12-0000141.exe
    C:\Program Files\Common Files\mc-58-12-0000141.exe
    C:\Program Files\Common Files\Windows\mc-58-12-0000141.exe
    C:\Program Files\Opera\download\newretrievefile.cgi
    C:\RECYCLER\S-1-5-21-436374069-813497703-854245398-1011\Dc5\Uninstall.exe
    C:\WINDOWS\hdbyksr.exe
    C:\WINDOWS\system32\3obia8a5.ini
    D:\data_joniku\joniku\Kump_PSMOP_Smg\dd\data\data D\GOZILLA.EXE
    C:\WINDOWS\system32\i
    C:\WINDOWS\weirdontheweb_topc.exe



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

Also, how is your computer running?

Edited by OwNt, 04 December 2005 - 10:44 PM.

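Killbox's "Delete on Reboot" exists because a file that is mapped into a running process (a Notify DLL inside winlogon.exe, a service binary) cannot be deleted while the system is up. The snippet below is an added example, not Killbox's own code, showing the standard Windows mechanism such tools rely on: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a null destination records the path under the Session Manager's PendingFileRenameOperations value, and the Session Manager deletes it early in the next boot, before any user-mode process can lock it again. It needs an elevated PowerShell 2.0 or later (Add-Type requires it); the function names are mine, and the sample paths are taken from the list in the post above. The second function reads the pending queue back, which is the check worth doing before rebooting: a path that does not exist, or is mistyped, is simply skipped, so nothing is deleted and no error is shown at boot.

```powershell
# Added example (not from the thread, not Killbox's code): queue files for deletion
# at the next reboot the way "Delete on Reboot" tools do, then read the queue back.
# Requires an elevated PowerShell 2.0+ session (the queue lives under HKLM).

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A mistyped path is skipped, so nothing would be deleted: say so loudly.
            Write-Warning "not found, skipping: $p"
            continue
        }
        $full = (Resolve-Path -LiteralPath $p).ProviderPath
        # A null destination together with the delay flag means "delete", not "rename".
        if ([Win32.Native]::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            "queued for deletion at reboot: $full"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "MoveFileEx failed for $full (Win32 error $err)"
        }
    }
}

function Get-PendingFileRenameOperations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return }
    # REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        New-Object PSObject -Property @{
            Source = $ops[$i] -replace '^\\\?\?\\', ''
            Action = if ($ops[$i + 1]) { "rename to $($ops[$i + 1])" } else { 'delete' }
        }
    }
}

# Usage: a few of the paths from the post above, then verify the queue before rebooting.
Register-DeleteOnReboot -Path @(
    'C:\WINDOWS\hdbyksr.exe',
    'C:\WINDOWS\system32\3obia8a5.ini',
    'C:\WINDOWS\weirdontheweb_topc.exe'
)
Get-PendingFileRenameOperations | Format-Table Action, Source -AutoSize
```

Because the queue is an ordinary registry value, anything running as administrator can also append to it, so a pending "rename" entry that you did not create is itself something to investigate before the reboot carries it out.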

#15 Tiyok, Member (Topic Starter, 28 posts)
Hello OwNt, I'm sorry you had to wait so long; I've had a cold for 3 days. I must tell you that, in order to be able to do the online scan, I have repaired my XP by reinstalling it.
After that IE is running normally and I can do the online scan. My computer is running "just fine"; ewido warns me about Trojan.lowzones.cq in c:\index1.exe, and there is a message from the Messenger Service:

"Message from SYSTEM to FAILURE on 12/4/2005 10:00..... STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found Critical System Errors.
To fix the errors please do the following :
1. Download Registry Repair from www.reg-patch.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!"

I ignored that, downloaded a new Killbox and did what you told me to do. I rebooted, and the message from the Messenger Service still shows up. Plus there's a new error message: "javaw.exe encountered a problem and needed to close."

How is that?

Logfile of HijackThis v1.99.1
Scan saved at 10:09:12, on 05/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\tellcoma.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\lentera nuansa\My Documents\Tiyok\hijackthis\HijackThis.exe

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Telecoma Center] tellcoma.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\Software\..\Telephony: DomainName = telkom
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0553B3A-2378-4681-B68F-C767321AF61B}: NameServer = 202.134.0.155 202.134.2.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telkom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = telkom
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\Program Files\Macromedia\Generator 2\bin\jsm.exe
O23 - Service: kavsvc - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe (file missing)
O23 - Service: Informix Dynamic Server Message Service (MsgServ) - Unknown owner - C:\WINDOWS\System32\msgserv.exe (file missing)
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
O23 - Service: ISM Local Execution (nsrexecd) - Unknown owner - C:\ISM\2.20\bin\nsrexecd (file missing)
O23 - Service: Informix IDS - ol_desknote (ol_desknote) - Unknown owner - C:\PROGRA~1\Informix\bin\onscpah.exe
O23 - Service: ISM Portmapper (portmap) - Unknown owner - C:\ISM\2.20\bin\portmap (file missing)


Btw thanks for helping me so far.
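The log above is the kind of thing the helpers in this thread read by eye: autostart entries (O4) that point at a bare file name instead of a full path, the same entry name planted under several autostart keys at once, and services (O23) whose binary is missing or whose image path has a stray quote in it. The following is an added example, not code from the thread or from HijackThis itself: a small Python triage script that parses O4 and O23 lines in the format shown in the post and flags those patterns. The sample lines are copied from the log above; the rule names (`unqualified_autorun`, `multi_key_persistence`, `service_file_missing`, `unbalanced_quote_in_imagepath`) are labels chosen for this example.

```python
"""Triage of HijackThis O4/O23 log entries (added example, not HJT code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied in the HijackThis format used in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Telecoma Center] tellcoma.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows Update 64 (nbupd64) - Unknown owner - C:\WINDOWS\System32\nbupd64.exe" -netsvcs (file missing)
O23 - Service: ISM Server (nsrd) - Unknown owner - C:\ISM\2.20\bin\nsrd (file missing)
"""

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: Display name (short name) - owner - image path   (short name is optional)
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return parsed O4 and O23 entries as dicts; other HJT line types are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "line": line, **m.groupdict()})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"type": "O23", "line": line, **m.groupdict()})
    return entries


def first_token(cmd):
    """Executable part of an autorun command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries):
    """Apply simple review rules; each finding names the rule and the offending line."""
    findings = []
    keys_by_name = defaultdict(set)
    for e in entries:
        if e["type"] == "O4":
            exe = first_token(e["cmd"])
            # A bare file name is resolved via the search path at logon, so the
            # reviewer cannot tell from the log which file actually runs.
            if "\\" not in exe and ":" not in exe:
                findings.append({"rule": "unqualified_autorun", "line": e["line"]})
            keys_by_name[e["name"]].add(f'{e["hive"]}\\{e["key"]}')
        else:
            path = e["path"]
            # HJT appends "(file missing)" when the service binary is not on disk.
            if path.endswith("(file missing)"):
                findings.append({"rule": "service_file_missing", "line": e["line"]})
            # An odd number of quotes means a malformed ImagePath worth a closer look.
            if path.count('"') % 2 == 1:
                findings.append({"rule": "unbalanced_quote_in_imagepath", "line": e["line"]})
    # The same entry name registered under several autostart keys is redundancy
    # a legitimate installer rarely needs.
    for name, keys in keys_by_name.items():
        if len(keys) > 1:
            findings.append({"rule": "multi_key_persistence", "name": name, "keys": sorted(keys)})
    return findings


def rules_for(findings, needle):
    """Sorted rule names fired on findings whose line or entry name contains `needle`."""
    return sorted(f["rule"] for f in findings
                  if needle in f.get("line", "") or needle in f.get("name", ""))


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f["rule"], "->", f.get("line") or f"{f['name']} in {', '.join(f['keys'])}")
```

Run against the sample, the script flags the three `tellcoma.exe` entries (bare file name, and one name under HKLM\Run, HKLM\RunServices and HKCU\Run), the two services whose binaries are missing, and the unbalanced quote in the nbupd64 image path, while the ewido, Java and ctfmon entries pass clean. The rules are deliberately narrow: they surface entries that need a human look, they do not decide what is malicious.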