Hijackthis log file


#16 Buckeye_Sam (Malware Expert, 10,019 posts)

As long as you are logged in as admin you only need to do the fixes in one account.

However that last tool did not work. Let's try this one again. The one that you found last time because this link didn't work was not the same tool.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive...ib/MSWINSCK.OCX

#17 Paperweight (Topic Starter, 17 posts)

Done... found over 60 files (and deleted them)... WOW.

In the HJT log I'm pretty suspicious of these guys:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: ruins - C:\WINDOWS\system32\jtj0071me.dll (file missing)

For the ones that say "(file missing)", can they safely be deleted? I could be wrong (and often I am), but since the file is missing, that "entry" isn't doing anything. Am I assuming correctly... or am I way off? (In other words, "Hey Paperweight, go back to your web surfing and leave the malware to the professionals.")

By the way, I don't have PayPal. Is there any other method to contribute?


*** L2M txt ***


Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/26/2006 5:19:22 AM

Infected! C:\WINDOWS\SYSTEM32\azaul9191.dll
Infected! C:\WINDOWS\SYSTEM32\azivtmxx.dll
Infected! C:\WINDOWS\SYSTEM32\dn8801lue.dll
Infected! C:\WINDOWS\SYSTEM32\dnl4013qe.dll
Infected! C:\WINDOWS\SYSTEM32\e002lado1d0c.dll
Infected! C:\WINDOWS\SYSTEM32\e8jm0i11e8.dll
Infected! C:\WINDOWS\SYSTEM32\enpql1751.dll
Infected! C:\WINDOWS\SYSTEM32\f00o0ad3ed0.dll
Infected! C:\WINDOWS\SYSTEM32\f6j20g1oe6.dll
Infected! C:\WINDOWS\SYSTEM32\fp2q03f5e.dll
Infected! C:\WINDOWS\SYSTEM32\fzdrclnr.dll
Infected! C:\WINDOWS\SYSTEM32\gpjml3111.dll
Infected! C:\WINDOWS\SYSTEM32\h6n00g5me6.dll
Infected! C:\WINDOWS\SYSTEM32\hhpertrm.dll
Infected! C:\WINDOWS\SYSTEM32\hrps0577e.dll
Infected! C:\WINDOWS\SYSTEM32\ia41_qcx.dll
Infected! C:\WINDOWS\SYSTEM32\ir00l5dm1.dll
Infected! C:\WINDOWS\SYSTEM32\ir28l5fu1.dll
Infected! C:\WINDOWS\SYSTEM32\ir8ml5l11.dll
Infected! C:\WINDOWS\SYSTEM32\j46m0ej1eho.dll
Infected! C:\WINDOWS\SYSTEM32\jt6m07j1e.dll
Infected! C:\WINDOWS\SYSTEM32\jtj0071me.dll
Infected! C:\WINDOWS\SYSTEM32\jtr8079ue.dll
Infected! C:\WINDOWS\SYSTEM32\kt20l7fm1.dll
Infected! C:\WINDOWS\SYSTEM32\kt2ql7f51.dll
Infected! C:\WINDOWS\SYSTEM32\kzdmaori.dll
Infected! C:\WINDOWS\SYSTEM32\l08m0al1edq.dll
Infected! C:\WINDOWS\SYSTEM32\l08mlal11dq.dll
Infected! C:\WINDOWS\SYSTEM32\l42slef71h2.dll
Infected! C:\WINDOWS\SYSTEM32\l8l60i3se8.dll
Infected! C:\WINDOWS\SYSTEM32\lueps12n.dll
Infected! C:\WINDOWS\SYSTEM32\lv0809due.dll
Infected! C:\WINDOWS\SYSTEM32\lv4409hqe.dll
Infected! C:\WINDOWS\SYSTEM32\lvj0091me.dll
Infected! C:\WINDOWS\SYSTEM32\lytif11n.dll
Infected! C:\WINDOWS\SYSTEM32\m6460ghse6460.dll
Infected! C:\WINDOWS\SYSTEM32\m8rm0i91e8.dll
Infected! C:\WINDOWS\SYSTEM32\mmimg32.dll
Infected! C:\WINDOWS\SYSTEM32\mpricons.dll
Infected! C:\WINDOWS\SYSTEM32\mvjul9191.dll
Infected! C:\WINDOWS\SYSTEM32\mvl8l93u1.dll
Infected! C:\WINDOWS\SYSTEM32\mvn0l95m1.dll
Infected! C:\WINDOWS\SYSTEM32\n24s0ch7ef4.dll
Infected! C:\WINDOWS\SYSTEM32\n44sleh71h4.dll
Infected! C:\WINDOWS\SYSTEM32\n48olel31hq.dll
Infected! C:\WINDOWS\SYSTEM32\nttrap.dll
Infected! C:\WINDOWS\SYSTEM32\o2lu0c39ef.dll
Infected! C:\WINDOWS\SYSTEM32\otbc32gt.dll
Infected! C:\WINDOWS\SYSTEM32\oxhlp30e.dll
Infected! C:\WINDOWS\SYSTEM32\pbdx5032.dll
Infected! C:\WINDOWS\SYSTEM32\q4860elsehq60.dll
Infected! C:\WINDOWS\SYSTEM32\q8psli7718.dll
Infected! C:\WINDOWS\SYSTEM32\qYsf.dll
Infected! C:\WINDOWS\SYSTEM32\r6r60g9se6.dll
Infected! C:\WINDOWS\SYSTEM32\roched20.dll
Infected! C:\WINDOWS\SYSTEM32\suc.dll
Infected! C:\WINDOWS\SYSTEM32\tJpi32.dll
Infected! C:\WINDOWS\SYSTEM32\u8ruli9918.dll
Infected! C:\WINDOWS\SYSTEM32\wbsapi32.dll
Infected! C:\WINDOWS\SYSTEM32\wgaservc.dll
Infected! C:\WINDOWS\SYSTEM32\wm2_32.dll
Infected! C:\WINDOWS\SYSTEM32\wtw32.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\SYSTEM32\azaul9191.dll
C:\WINDOWS\SYSTEM32\azaul9191.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\azivtmxx.dll
C:\WINDOWS\SYSTEM32\azivtmxx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\dn8801lue.dll
C:\WINDOWS\SYSTEM32\dn8801lue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\dnl4013qe.dll
C:\WINDOWS\SYSTEM32\dnl4013qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\e002lado1d0c.dll
C:\WINDOWS\SYSTEM32\e002lado1d0c.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\e8jm0i11e8.dll
C:\WINDOWS\SYSTEM32\e8jm0i11e8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\enpql1751.dll
C:\WINDOWS\SYSTEM32\enpql1751.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\f00o0ad3ed0.dll
C:\WINDOWS\SYSTEM32\f00o0ad3ed0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\f6j20g1oe6.dll
C:\WINDOWS\SYSTEM32\f6j20g1oe6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\fp2q03f5e.dll
C:\WINDOWS\SYSTEM32\fp2q03f5e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\fzdrclnr.dll
C:\WINDOWS\SYSTEM32\fzdrclnr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\gpjml3111.dll
C:\WINDOWS\SYSTEM32\gpjml3111.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\h6n00g5me6.dll
C:\WINDOWS\SYSTEM32\h6n00g5me6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\hhpertrm.dll
C:\WINDOWS\SYSTEM32\hhpertrm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\hrps0577e.dll
C:\WINDOWS\SYSTEM32\hrps0577e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ia41_qcx.dll
C:\WINDOWS\SYSTEM32\ia41_qcx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ir00l5dm1.dll
C:\WINDOWS\SYSTEM32\ir00l5dm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ir28l5fu1.dll
C:\WINDOWS\SYSTEM32\ir28l5fu1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ir8ml5l11.dll
C:\WINDOWS\SYSTEM32\ir8ml5l11.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\j46m0ej1eho.dll
C:\WINDOWS\SYSTEM32\j46m0ej1eho.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jt6m07j1e.dll
C:\WINDOWS\SYSTEM32\jt6m07j1e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jtj0071me.dll
C:\WINDOWS\SYSTEM32\jtj0071me.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jtr8079ue.dll
C:\WINDOWS\SYSTEM32\jtr8079ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\kt20l7fm1.dll
C:\WINDOWS\SYSTEM32\kt20l7fm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\kt2ql7f51.dll
C:\WINDOWS\SYSTEM32\kt2ql7f51.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\kzdmaori.dll
C:\WINDOWS\SYSTEM32\kzdmaori.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\l08m0al1edq.dll
C:\WINDOWS\SYSTEM32\l08m0al1edq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\l08mlal11dq.dll
C:\WINDOWS\SYSTEM32\l08mlal11dq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\l42slef71h2.dll
C:\WINDOWS\SYSTEM32\l42slef71h2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\l8l60i3se8.dll
C:\WINDOWS\SYSTEM32\l8l60i3se8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lueps12n.dll
C:\WINDOWS\SYSTEM32\lueps12n.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lv0809due.dll
C:\WINDOWS\SYSTEM32\lv0809due.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lv4409hqe.dll
C:\WINDOWS\SYSTEM32\lv4409hqe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lvj0091me.dll
C:\WINDOWS\SYSTEM32\lvj0091me.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lytif11n.dll
C:\WINDOWS\SYSTEM32\lytif11n.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\m6460ghse6460.dll
C:\WINDOWS\SYSTEM32\m6460ghse6460.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\m8rm0i91e8.dll
C:\WINDOWS\SYSTEM32\m8rm0i91e8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\mmimg32.dll
C:\WINDOWS\SYSTEM32\mmimg32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\mpricons.dll
C:\WINDOWS\SYSTEM32\mpricons.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\mvjul9191.dll
C:\WINDOWS\SYSTEM32\mvjul9191.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\mvl8l93u1.dll
C:\WINDOWS\SYSTEM32\mvl8l93u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\mvn0l95m1.dll
C:\WINDOWS\SYSTEM32\mvn0l95m1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\n24s0ch7ef4.dll
C:\WINDOWS\SYSTEM32\n24s0ch7ef4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\n44sleh71h4.dll
C:\WINDOWS\SYSTEM32\n44sleh71h4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\n48olel31hq.dll
C:\WINDOWS\SYSTEM32\n48olel31hq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\nttrap.dll
C:\WINDOWS\SYSTEM32\nttrap.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\o2lu0c39ef.dll
C:\WINDOWS\SYSTEM32\o2lu0c39ef.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\otbc32gt.dll
C:\WINDOWS\SYSTEM32\otbc32gt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\oxhlp30e.dll
C:\WINDOWS\SYSTEM32\oxhlp30e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\pbdx5032.dll
C:\WINDOWS\SYSTEM32\pbdx5032.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\q4860elsehq60.dll
C:\WINDOWS\SYSTEM32\q4860elsehq60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\q8psli7718.dll
C:\WINDOWS\SYSTEM32\q8psli7718.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\qYsf.dll
C:\WINDOWS\SYSTEM32\qYsf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\r6r60g9se6.dll
C:\WINDOWS\SYSTEM32\r6r60g9se6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\roched20.dll
C:\WINDOWS\SYSTEM32\roched20.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\suc.dll
C:\WINDOWS\SYSTEM32\suc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\tJpi32.dll
C:\WINDOWS\SYSTEM32\tJpi32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\u8ruli9918.dll
C:\WINDOWS\SYSTEM32\u8ruli9918.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\wbsapi32.dll
C:\WINDOWS\SYSTEM32\wbsapi32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\wgaservc.dll
C:\WINDOWS\SYSTEM32\wgaservc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\wm2_32.dll
C:\WINDOWS\SYSTEM32\wm2_32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\wtw32.dll
C:\WINDOWS\SYSTEM32\wtw32.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


*** HJT log ***

Logfile of HijackThis v1.99.1
Scan saved at 5:35:08 AM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\KZDPO.DLL
O20 - Winlogon Notify: ruins - C:\WINDOWS\system32\jtj0071me.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Edited by Paperweight, 26 February 2006 - 06:01 AM.


#18 Buckeye_Sam (Malware Expert, 10,019 posts)

For the ones that say "(file missing)", can they safely be deleted ? I could be wrong (and often I am)
but since the file is missing, that "entry" isn't doing anything. Am I assuming correctly... or am I
way off. (In other words, "Hey Paperweight, go back to your web surfing and leave the malware to
the professionals")

No, you are correct. Especially any of the O9 lines are very optional. The only place you don't want to assume that "file missing" is always correct is in an O23 line. Those are services, and occasionally HijackThis misinterprets those for some reason. The O16 line is also optional, but that is actually the ActiveX control for the Trend Micro HouseCall online virus scan. Any O16 line can be removed because the control will always be reinstalled the next time you visit that website.

Fix these lines as they are definitely bad, and then you can optionally fix any of the others.

O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\KZDPO.DLL
O20 - Winlogon Notify: ruins - C:\WINDOWS\system32\jtj0071me.dll (file missing)



Your log is looking much better, but since your computer was badly infected I suspect there are still registry entries and file remnants present that should be removed.

Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net...wnload/updates/

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido.


By the way, I don't have paypal. Is there any other method to contribute ?

Just Paypal I'm afraid, although I don't believe you need an account to send a donation.
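The rules in this reply can be applied mechanically: an O9 entry marked "(file missing)" is a dead leftover, an O16 control comes back on the next visit, an O23 "(file missing)" may be HijackThis misreading a service, and an O20 Winlogon Notify DLL that is not one of Windows' own is the Look2Me loader. The script below is an added example, not code from this thread, from HijackThis or from Look2Me-Destroyer. It parses HJT 1.99 log lines and assigns each a verdict. The Winlogon Notify DLL allowlist and the random-name heuristic are assumptions made for the example; the sample lines are copied from the logs posted in this thread, except for the crypt32chain line, which is constructed to exercise the allowlist.

```python
"""Triage HijackThis 1.99 log lines with the rules from the reply above.

Added example; not code from the forum thread, HijackThis or Look2Me-Destroyer.
"""
import re
from dataclasses import dataclass

# DLLs that Windows XP SP2 itself registers under Winlogon\Notify (assumed
# allowlist for this example; extend it from a known-clean machine).
KNOWN_GOOD_NOTIFY_DLLS = {"crypt32", "cryptnet", "cscdll", "sclgntfy", "wlnotify"}

# "O9 - <body>" or "O20 - <body> (file missing)"; HJT appends the marker verbatim.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    verdict: str   # "fix" (remove), "optional" (harmless leftover), "verify" (check by hand)
    reason: str
    line: str


def dll_stem(path):
    """Lower-cased file name without directory or .dll, so NTFS case does not matter."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def looks_random(stem):
    """Heuristic: Look2Me drops DLLs named like jtj0071me or k6no0g53e6, letters around digit runs."""
    return re.search(r"[a-z]\d+[a-z]", stem) is not None


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body, missing = m["section"], m["body"], bool(m["missing"])
        if section == "O20":
            n = NOTIFY_RE.match(body)
            if not n:
                continue
            stem = dll_stem(n["path"])
            if stem in KNOWN_GOOD_NOTIFY_DLLS:
                continue
            why = "Winlogon Notify DLL outside the XP allowlist"
            if looks_random(stem):
                why += " with a Look2Me-style random name"
            if missing:
                why += "; file is gone but the key would load it again if it comes back"
            findings.append(Finding(section, "fix", why, raw))
        elif section == "O9" and missing:
            findings.append(Finding(section, "optional",
                                    "toolbar/menu entry whose target no longer exists", raw))
        elif section == "O16":
            findings.append(Finding(section, "optional",
                                    "ActiveX control; re-downloaded on the next visit to that site", raw))
        elif section == "O23" and missing:
            findings.append(Finding(section, "verify",
                                    "HijackThis sometimes misreports services; confirm before fixing", raw))
    return findings


# Lines copied from the HijackThis logs in this thread, plus one constructed
# clean O20 line (crypt32chain) so the allowlist path is exercised.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\KZDPO.DLL
O20 - Winlogon Notify: ruins - C:\WINDOWS\system32\jtj0071me.dll (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\k6no0g53e6.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict}] {f.line}\n    {f.reason}")
```

Run it as-is to print the verdicts, or pass a saved hijackthis.log through `triage(open(path).read())`. The "verify" verdict deliberately stops short of a fix: confirm the service with `sc query` before touching an O23 line, exactly as the reply advises.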

#19 Paperweight (Topic Starter, 17 posts)

Wow, I think I broke a record... over 1200 files.
Norton occasionally popped up to tell me that it found Bloodhound.W32.EP

By the way, what is the best virus protection software? McAfee, Norton, something else? I certainly don't want to have to go through this again.

I included the ewido report as an attachment, since it was so big.

*** HJT log ***

Logfile of HijackThis v1.99.1
Scan saved at 5:07:07 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\paperweight\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\k6no0g53e6.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


#20 Buckeye_Sam (Malware Expert, 10,019 posts)

That's a bit more than I expected, and it looks like our L2M infection is still with us.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


==========


Run Look2Me-Destroyer once again following the same instructions as before.
Post the resulting log and a new hijackthis log.


==========


I do not recommend Norton. There are far better options. For a free antivirus program that is much better than Norton check out AVG.
http://free.grisoft.com/doc/1

And if you are willing to pay a few bucks, I recommend Zone Alarm Security Suite.
http://www.zonelabs....=en&lid=ho_zass
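The call that the L2M infection is "still with us" can be checked against the tool's own logs rather than by eye. The script below is an added example, not code from this thread or from Look2Me-Destroyer. It parses the scan/delete output format shown in the 2/26 log above, reconciles "Infected!" lines against "Deleted successfully!" lines with case-insensitive paths (the 2/27 log in the next reply lists k6no0g53e6.dll twice, once under system32 and once under SYSTEM32), and compares two runs to separate files that survived from files that were dropped fresh. The excerpts are copied from the two logs in this thread; the stuck-example.dll line is constructed so that a file the tool never reports as deleted shows up in the result.

```python
"""Parse Look2Me-Destroyer logs and compare two runs.

Added example; not code from the forum thread or from Look2Me-Destroyer itself.
"""
import re
from dataclasses import dataclass, field

STARTED_RE = re.compile(r"^Scan started at (?P<when>.+)$")
INFECTED_RE = re.compile(r"^Infected! (?P<path>.+)$")
DELETED_RE = re.compile(r"^(?P<path>.+) Deleted successfully!$")
REMOVING_RE = re.compile(r"^Removing: (?P<key>.+)$")


def norm(path):
    """NTFS paths are case-insensitive; the tool logs SYSTEM32 and system32 for one file."""
    return path.strip().lower()


@dataclass
class L2MReport:
    started: str = ""
    infected: set = field(default_factory=set)
    deleted: set = field(default_factory=set)
    registry_removed: list = field(default_factory=list)

    @property
    def not_deleted(self):
        """Infected files that never got a 'Deleted successfully!' line."""
        return self.infected - self.deleted


def parse_l2m(text):
    report = L2MReport()
    for line in text.splitlines():
        line = line.strip()
        if m := STARTED_RE.match(line):
            report.started = m["when"]
        elif m := INFECTED_RE.match(line):
            report.infected.add(norm(m["path"]))
        elif m := DELETED_RE.match(line):
            report.deleted.add(norm(m["path"]))
        elif m := REMOVING_RE.match(line):
            report.registry_removed.append(m["key"])
    return report


def reinfected(earlier, later):
    """Files the earlier run deleted that the later run found again."""
    return sorted(later.infected & earlier.deleted)


def new_droppings(earlier, later):
    """Files the later run found that the earlier run never saw."""
    return sorted(later.infected - earlier.infected)


# Excerpts copied from the two Look2Me-Destroyer logs posted in this thread
# (2/26 and 2/27). The stuck-example.dll line in RUN_2 is constructed, with no
# matching deletion line, to show how an unremoved file surfaces.
RUN_1 = r"""
Look2Me-Destroyer V1.0.6
Scan started at 2/26/2006 5:19:22 AM
Infected! C:\WINDOWS\SYSTEM32\azaul9191.dll
Infected! C:\WINDOWS\SYSTEM32\jtj0071me.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\SYSTEM32\azaul9191.dll
C:\WINDOWS\SYSTEM32\azaul9191.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\jtj0071me.dll
C:\WINDOWS\SYSTEM32\jtj0071me.dll Deleted successfully!
Making registry repairs.
"""
RUN_2 = r"""
Look2Me-Destroyer V1.0.6
Scan started at 2/27/2006 6:22:07 AM
Infected! C:\WINDOWS\system32\k6no0g53e6.dll
Infected! C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll
Infected! C:\WINDOWS\SYSTEM32\k6no0g53e6.dll
Infected! C:\WINDOWS\SYSTEM32\oxexl32.dll
Infected! C:\WINDOWS\SYSTEM32\stuck-example.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\k6no0g53e6.dll
C:\WINDOWS\system32\k6no0g53e6.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll
C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\k6no0g53e6.dll
C:\WINDOWS\SYSTEM32\k6no0g53e6.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\SYSTEM32\oxexl32.dll
C:\WINDOWS\SYSTEM32\oxexl32.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce
"""

if __name__ == "__main__":
    a, b = parse_l2m(RUN_1), parse_l2m(RUN_2)
    print(f"{a.started}: {len(a.infected)} infected, {len(a.not_deleted)} left behind")
    print(f"{b.started}: {len(b.infected)} infected, {len(b.not_deleted)} left behind")
    print("reinfected:", reinfected(a, b))
    print("new droppings:", new_droppings(a, b))
    print("registry keys removed:", b.registry_removed)
```

Against the two real logs, `reinfected()` is empty and every 2/27 name is new: the files removed on 2/26 stayed gone, and something still active dropped a fresh set under new random names, which is why the O20 Winlogon Notify entry in the 2/26 evening HJT log points at k6no0g53e6.dll, a file the first run never saw.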

#21 Paperweight (Topic Starter, 17 posts)

Done. By the way...

1) You mentioned before that as long as I was logged in as the admin I only had to do the fixes once. Here's the situation: I've been using my account, which is also an administrator. In fact, there is no "Administrator" button on the login screen. There hasn't been one for a LONG time (years). Is this a problem? I can tell you that what we're doing is working. I've noticed a tremendous difference in the computer.

2) Should I bother installing new virus protection software now? Or will it interfere with what you've got planned?

3) I tried to install the latest version of "windows update" from Microsoft but ran into a problem. I was able to download the three updates but they failed installation. Is this part of my virus problem? Is there any way to manually download and install patches?

Thanks... and be looking for something from PayPal. I know we're not done yet, but I wanted to get it out of the way.

*** L2M log ***


Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/27/2006 6:22:07 AM

Infected! C:\WINDOWS\system32\k6no0g53e6.dll
Infected! C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll
Infected! C:\WINDOWS\SYSTEM32\k6no0g53e6.dll
Infected! C:\WINDOWS\SYSTEM32\ktn8l75u1.dll
Infected! C:\WINDOWS\SYSTEM32\laisi12n.dll
Infected! C:\WINDOWS\SYSTEM32\Lfkrn12n.dll
Infected! C:\WINDOWS\SYSTEM32\oxexl32.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\k6no0g53e6.dll
C:\WINDOWS\system32\k6no0g53e6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll
C:\WINDOWS\SYSTEM32\j42q0ef5eh2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\k6no0g53e6.dll
C:\WINDOWS\SYSTEM32\k6no0g53e6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ktn8l75u1.dll
C:\WINDOWS\SYSTEM32\ktn8l75u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\laisi12n.dll
C:\WINDOWS\SYSTEM32\laisi12n.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\Lfkrn12n.dll
C:\WINDOWS\SYSTEM32\Lfkrn12n.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\oxexl32.dll
C:\WINDOWS\SYSTEM32\oxexl32.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

*** HJT log ***

Logfile of HijackThis v1.99.1
Scan saved at 6:30:41 AM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Edited by Paperweight, 27 February 2006 - 04:26 PM.


#22 Buckeye_Sam (Malware Expert, 10,019 posts)
It worked that time. Your log is looking very good. I don't see any active infections present, although I suspect that there still may be some things turn up in this last scan.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.


========


1) You mentioned before that as long as I was logged in as the admin I only
had to do the fixes once. Here's the situation: I've been using my account,
which is also an administrator. In fact, there is no "Administrator" button on
the log in screen. There hasn't been one for a LONG time (years).
Is this a problem? I can tell you that what we're doing is working. I've noticed
a tremendous difference in the computer.

That's normal and nothing to worry about. How many users do you have on this computer? We may want to look at a hijackthis log from each user just to clean any orphaned registry entries from a BHO or startup page.

2) Should I bother installing new virus protection software now? Or will it
interfere with what you've got planned?

Hold off just until we are done with this last step before installing anything new. And you'll also have to uninstall Norton before installing a new antivirus program. You should never run more than one antivirus.

3) I tried to install the latest version of "windows update" from Microsoft but ran
into a problem. I was able to download the three updates but they failed installation.
Is this part of my virus problem? Is there any way to manually download and
install patches?

Yes, you can manually download and install them. Here's a link that explains it.
http://www.jakeludin...p_manually.html

But before you do that, I'd enable automatic updates and then just let your computer download and install them for you. More info on that here.
http://www.updatexp....ic-updates.html

But let me know if you are getting a specific error on the failed installation. There may be some things that we can look at.


Thanks... and be looking for something from Paypal. I know we're not done yet,
but I wanted to get it out of the way.

I did receive a donation today. I'm not sure if it was from you or someone else, but if it was you, thank you very much! It's very appreciated. :tazz:


Post the log from Panda once you run it and we'll see what turns up.
I feel like we're almost done here though.

#23 Paperweight (Topic Starter, Member, 17 posts)
Finished... found 4 viruses and a whole bunch of spyware.
Once again, Norton popped up during the process and found Bloodhound.W32.EP
And if the paypal was from Jim (or James), that's me. Money well spent.

*** Activescan log ***


Incident Status Location

Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Adware:adware/ideskbar Not disinfected C:\WINDOWS\SYSTEM32\favset.exe
Adware:adware/sqwire Not disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/favoriteman Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/maxifiles Not disinfected C:\mc-110-12-0000228.exe
Spyware:spyware/surfsidekick Not disinfected C:\SS1001.exe
Adware:adware/winprotect Not disinfected C:\WINDOWS\balloon.wav
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\mm83.ocx
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\myupdates1.dat
Adware:adware/elitebar Not disinfected C:\WINDOWS\protector_update.exe
Adware:adware/webhancer Not disinfected C:\WINDOWS\whCC-GIANT.exe
Adware:adware/virtualbouncer Not disinfected C:\PROGRAM FILES\VBouncer
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\SOFTWARE\FUN WEB PRODUCTS
Adware:adware/exact.searchbar Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MYWEBSEARCH
Adware:adware/sbsoft Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Adware:adware/ucmore Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Daphne\Cookies\[email protected][2].txt
Dialer:Dialer.GKV Not disinfected C:\Documents and Settings\Daphne\Local Settings\Temporary Internet Files\Content.IE5\GT63WTA7\srvlbin4[1].exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Daphne\Local Settings\Temporary Internet Files\Content.IE5\GTIZO9I7\dating[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Daphne\Local Settings\Temporary Internet Files\Content.IE5\WL67SPQZ\casino[1].bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Daphne\Local Settings\Temporary Internet Files\Content.IE5\WL67SPQZ\virus[1].bmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jim\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jim\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jim\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Jim\Local Settings\Temp\temp5752359.exe
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\04OW4JA8\kw[1].exe
Virus:W32/Bagle.pwdzip Not disinfected C:\eudora\tmp\Document.zip
Adware:Adware/Maxifiles Not disinfected C:\mc-110-12-0000228.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\paperweight\backups\backup-20060223-100815-820.inf
Potentially unwanted tool:Application/Processor Not disinfected C:\paperweight\l2mfix.exe[Process.exe]
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\InetGet\mc-110-12-0000118.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\iwoqsav\iwoqdsav\iwoqc.dll.sav
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\Program Files\NetMeeting\conf\calc32.exe
Virus:Backdoor Program Not disinfected C:\Program Files\NetMeeting\conf\nocx.ocx
Virus:Bck/IRC.Mirc.Based Not disinfected C:\Program Files\NetMeeting\conf\NoeWinnt.exe
Adware:Adware/NetPals Not disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Virus:Trj/Multidropper.BCU Not disinfected C:\WINDOWS\SYSTEM32\b3s.dll
Spyware:Cookie/empnads Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\[email protected][1].txt
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XSD2ZOO3\proxy_inst[3].exe
Dialer:Dialer.CVZ Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XSD2ZOO3\silent_setup[1].exe
Adware:Adware/IdeskBar Not disinfected C:\WINDOWS\SYSTEM32\favset.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\SYSTEM32\mc-110-12-0000118.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\SYSTEM32\mc-110-12-0000166.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Potentially unwanted tool:Application/Processor Not disinfected G:\paperweight\l2mfix.exe[Process.exe]

*** HJT log ***

Logfile of HijackThis v1.99.1
Scan saved at 7:25:37 PM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\paperweight\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/html/start/start.html
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141075830734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Edited by Paperweight, 27 February 2006 - 07:21 PM.


#24 Buckeye_Sam (Malware Expert, 10,019 posts)
Let's get rid of what was found.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\SYSTEM32\atmtd.dll
    C:\WINDOWS\SYSTEM32\favset.exe
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
    C:\mc-110-12-0000228.exe
    C:\SS1001.exe
    C:\WINDOWS\balloon.wav
    C:\WINDOWS\mm83.ocx
    C:\WINDOWS\myupdates1.dat
    C:\WINDOWS\protector_update.exe
    C:\WINDOWS\whCC-GIANT.exe
    C:\eudora\tmp\Document.zip
    C:\Program Files\Common Files\InetGet\mc-110-12-0000118.exe
    C:\Program Files\Common Files\iwoqsav\iwoqdsav\iwoqc.dll.sav
    C:\Program Files\NetMeeting\conf\calc32.exe
    C:\Program Files\NetMeeting\conf\nocx.ocx
    C:\Program Files\NetMeeting\conf\NoeWinnt.exe
    C:\WINDOWS\Downloaded Program Files\ATPartners.inf
    C:\WINDOWS\SYSTEM32\b3s.dll
    C:\WINDOWS\SYSTEM32\favset.exe
    C:\WINDOWS\SYSTEM32\mc-110-12-0000118.exe
    C:\WINDOWS\SYSTEM32\mc-110-12-0000166.exe
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\WINDOWS\uninstall_nmon.vbs



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Run ATF cleaner again to purge your temp files.
Then reboot once more. Let me know how it went and any problems that you are still having.
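The Killbox list above was built by hand from the ActiveScan report: the helper kept the findings that are ordinary files on disk and left out tracking cookies, registry entries, items in the temp folders (ATF Cleaner purges those) and the fixer's own helper tool. The script below is an added example for this thread, not Panda's, Killbox's or the helper's own code, that does the same triage in Python. The filter rules in it are this example's own assumptions about that triage, and the sample report is a constructed excerpt of the report posted above, with the cookie file name replaced by a placeholder.

```python
"""Turn a Panda ActiveScan report into a Killbox-style file list.

Added example for this thread (not Panda's, Killbox's or the helper's own
code).  It reproduces, as code, the triage the helper did by hand: keep the
"Not disinfected" findings that are real files on the local disk, and drop
the ones handled elsewhere or that should not be deleted blindly.  The
filtering rules below are this example's own assumptions about that triage.
"""
import re
from typing import Dict, List, Optional

# Report lines have the shape "<Kind>:<Name> <Status> <Location>".
# <Name> and <Location> may contain spaces, so the status phrase is the
# separator.  The status match is case-sensitive on purpose so the
# "disinfected" inside "Not disinfected" cannot be mistaken for "Disinfected".
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)

# Drive-letter paths only; registry keys and "Windows Registry" are not files.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Locations that a temp-file cleaner (ATF Cleaner in this thread) purges anyway.
TEMP_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\")

# Detection names that belong to the fixer's own tool kit (assumption: the
# Application/Processor hits are the Process.exe bundled with l2mfix).
TOOLKIT_NAMES = {"application/processor"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one report line; return None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_deletable_file(finding: Dict[str, str]) -> bool:
    """Decide whether a finding is a plain on-disk file worth queuing."""
    name = finding["name"].lower()
    loc = finding["location"]
    low = loc.lower()
    if finding["status"] != "Not disinfected":
        return False                      # scanner already handled it
    if name.startswith("cookie/"):
        return False                      # tracking cookie: clear it, don't Killbox it
    if not DRIVE_PATH_RE.match(loc):
        return False                      # registry key or bare "Windows Registry"
    if loc.endswith("]"):
        return False                      # member inside an archive: "x.exe[y.exe]"
    if any(marker in low for marker in TEMP_MARKERS):
        return False                      # temp-file cleaner covers these
    if name in TOOLKIT_NAMES:
        return False                      # fixer's own helper, keep it
    if "." not in loc.rsplit("\\", 1)[-1]:
        return False                      # no extension: probably a directory
    return True


def killbox_list(report: str) -> List[str]:
    """Return the unique file paths to queue, in report order."""
    seen = set()
    out: List[str] = []
    for raw in report.splitlines():
        finding = parse_line(raw)
        if finding and is_deletable_file(finding):
            key = finding["location"].lower()   # the report repeats paths in different case
            if key not in seen:
                seen.add(key)
                out.append(finding["location"])
    return out


# Constructed excerpt of the ActiveScan report from this thread (sample input;
# the cookie file name is a placeholder).
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Adware:adware/favoriteman Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/virtualbouncer Not disinfected C:\PROGRAM FILES\VBouncer
Adware:adware/exact.searchbar Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MYWEBSEARCH
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jim\Cookies\jim@example[1].txt
Dialer:Dialer.GKV Not disinfected C:\Documents and Settings\Daphne\Local Settings\Temporary Internet Files\Content.IE5\GT63WTA7\srvlbin4[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jim\Desktop\l2mfix.exe[Process.exe]
Virus:Backdoor Program Not disinfected C:\Program Files\NetMeeting\conf\nocx.ocx
Adware:Adware/NetPals Not disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Virus:W32/Bagle.pwdzip Not disinfected C:\eudora\tmp\Document.zip
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Jim\Local Settings\Temp\temp5752359.exe
"""

if __name__ == "__main__":
    print("\n".join(killbox_list(SAMPLE_REPORT)))
```

Run it as a script to print the list. On a real report, review the output before pasting anything into Killbox: the rules are heuristics, and a directory such as VBouncer or an entry inside an archive is deliberately left for manual handling rather than queued.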

#25 Paperweight (Topic Starter, Member, 17 posts)
I think we're all done.

I installed McAfee. Ran the scanner (found a few random PUPs).
I deleted them, rebooted and ran the scanner again. No viruses found!
(OK to uninstall ewido and Panda?)

Microsoft's automatic updates kicked in and loaded 29 of them.

Everything looks great.

Thanks for all your help.

Go Ohio State !!!

Edited by Paperweight, 01 March 2006 - 03:17 PM.


#26 Buckeye_Sam (Malware Expert, 10,019 posts)
That's what I like to hear! :)

Here are some optional fixes you can make with Hijackthis. They are not malware. These are programs that run automatically at startup. They are not necessary to be run at every startup and hog your computer's resources. Fixing these will only stop these programs from running automatically, which will improve boot up time and performance.

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
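The Internet Explorer steps above change six entries in the Internet zone. IE stores each zone's settings as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), keyed by Microsoft's documented URL-action IDs, with 0 = Enable, 1 = Prompt and 3 = Disable. The script below is an added example for this thread, not the forum's or Microsoft's code: it checks a snapshot of those values against the settings the post recommends and can render the same six values as a .reg file. The sample snapshot is constructed, and the live-read function uses winreg and only runs on Windows.

```python
"""Audit the Internet-zone settings that the post above tells the user to change.

Added example for this thread, not code from the forum or from Microsoft.
IE keeps each security zone's settings as DWORD values under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\<n>
(zone 3 is "Internet").  The value names are the URL-action IDs documented
by Microsoft (KB 182569); the action codes are 0 = Enable, 1 = Prompt,
3 = Disable.  The six actions and their targets are the ones the post lists.
"""
import sys
from typing import Dict, List, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL-action ID -> (label as shown in IE's Custom Level dialog, recommended setting)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current: Dict[str, int]) -> List[str]:
    """Return one finding per action that is looser than, or missing from, the recommendation.

    "Looser" means the code is numerically below the target, since
    Enable (0) < Prompt (1) < Disable (3).  Stricter than recommended is not a finding.
    """
    findings = []
    for action_id, (label, want) in RECOMMENDED.items():
        have = current.get(action_id)
        if have is None:
            findings.append(f"{action_id} {label}: not set, want {ACTION_NAMES[want]}")
        elif have < want:
            findings.append(
                f"{action_id} {label}: {ACTION_NAMES.get(have, have)}, want {ACTION_NAMES[want]}"
            )
    return findings


def reg_file(recommended: Dict[str, Tuple[str, int]] = RECOMMENDED) -> str:
    """Render the recommended settings as a .reg file for the current user's hive."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[HKEY_CURRENT_USER\\{INTERNET_ZONE_KEY}]"]
    for action_id, (label, want) in recommended.items():
        lines.append(f"; {label} = {ACTION_NAMES[want]}")
        lines.append(f'"{action_id}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


def read_live_zone() -> Dict[str, int]:
    """Read the current user's Internet-zone values; Windows only (uses winreg)."""
    import winreg  # imported here so the module still loads on other platforms
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for action_id in RECOMMENDED:
            try:
                value, _ = winreg.QueryValueEx(key, action_id)
                out[action_id] = int(value)
            except FileNotFoundError:
                pass  # value absent: reported by audit() as "not set"
    return out


# Constructed snapshot of a loosely configured zone (sample input, not any real
# machine's values): ActiveX downloads allowed silently, IFRAME launches and
# cross-domain sub-frame navigation enabled.
SAMPLE_ZONE = {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE,
               "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}

if __name__ == "__main__":
    zone = read_live_zone() if sys.platform == "win32" else SAMPLE_ZONE
    for finding in audit(zone):
        print(finding)
```

Changing the values through the Custom Level dialog, as the post describes, is the simplest route; the .reg output is the same six values written to the current user's hive, which is handy for checking what the dialog wrote or for repeating the change on the other user accounts mentioned earlier in the thread (each account has its own HKCU).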