Suspected corrupted Registry [RESOLVED]


  • This topic is locked

#1
Chris - Thecleancar (Member, 244 posts)
Hello, this is my first visit; I hope you can fix my corrupted Registry.
After a hard drive format (for a clean start) I installed Windows XP Pro SP1.
I can’t get my ISP’s browser / anti-virus / firewall and pop-up blocker to download/install fully.
The ISP people advised me to uninstall it and try another download/install, but the uninstall tool ‘hangs’, so the machine has no anti-virus/firewall protection at present.
Things are not working as they should; for example, Alt Ctrl & Del produces only a brief glimpse of the Windows Task Manager window, and if I run ‘Regedit’ from the Start menu, again only a brief glimpse of the window.
When I boot up I get 2 messages advising ‘protection.exe’ has encountered a problem.
I’ll cut to the chase: I’m sure I’ve got a corrupted/infected registry – no doubt this happened when the machine was unprotected and I connected to the web to download the anti-virus/firewall software.
I’ve run McAfee ‘Stinger’ and the MS malevolent software tool, and these have found and cleared several infections.
I’ve tried to get a HiJackThis log in Normal mode, but nothing happens when I click the program icon – I have gone to Safe Mode and managed to get a log file there, which I have shown.
Please note I’m communicating via another PC.
Can you help me to get my virus/firewall software downloaded and get my machine back to normal? Thanks.
Here is my HiJackThis file:
Logfile of HijackThis v1.99.1
Scan saved at 15:26:30, on 06/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKLM\..\Run: [WINTASK] protection.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard17.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad17.exe
O4 - HKLM\..\Run: [newname] C:\\newname17.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Device Synchronization Agent] C:\WINDOWS\devices\services.exe
O4 - HKLM\..\Run: [Laordll service] gqbeeayklz.exe
O4 - HKLM\..\RunServices: [WINTASK] protection.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\RunServices: [Laordll service] gqbeeayklz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - AppInit_DLLs: repairs303169581.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\j44oleh31h4.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgS2VlcA\command.exe
O23 - Service: Windows Device Synchronization Agent (DeviceSynchronization) - Unknown owner - C:\WINDOWS\devices\services.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
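Reading a log like the one above by hand is what the helper does in the rest of this thread. As an added example (not part of the thread, and not a HijackThis feature), the Python script below parses the HijackThis line formats shown above and flags the entry types this thread ends up removing: F2 Shell/UserInit additions, O4 Run entries with no path or with a name one character off a Windows system binary, O10 Winsock hijacks, O20 AppInit/Winlogon Notify DLLs, and O23 services with no owner. The sample lines are copied from the log above; the heuristics and the names `triage`, `lookalike` and `KNOWN_GOOD` are my own assumptions.

```python
"""Added example (not from the thread, not part of HijackThis): a triage pass
over HijackThis-format log lines that flags the entry types the helper in
this thread ends up removing. Heuristics and names are my own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows binaries whose names the entries in this thread imitate
# (spooIsv.exe, svhost.exe, explore.exe). Small, hand-picked list.
KNOWN_GOOD = {"spoolsv.exe", "svchost.exe", "services.exe", "explorer.exe",
              "lsass.exe", "winlogon.exe", "userinit.exe", "ctfmon.exe"}

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKLM\..\Run: [WINTASK] protection.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O10 - Hijacked Internet access by WebHancer
O20 - AppInit_DLLs: repairs303169581.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\j44oleh31h4.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgS2VlcA\command.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str
    line: str


O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; filenames are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Legitimate name this one is exactly one edit away from, if any."""
    n = name.lower()
    if n in KNOWN_GOOD:
        return None
    return next((g for g in sorted(KNOWN_GOOD) if edit_distance(n, g) == 1), None)


def basename(path: str) -> str:
    # Drop quotes, a trailing "(file missing)" note, and the directory part.
    return path.strip().strip('"').split(" (", 1)[0].rsplit("\\", 1)[-1]


def executable(cmd: str) -> str:
    """Program path from a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    out: List[Finding] = []
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if line.startswith("F2 - REG:system.ini: Shell="):
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                out.append(Finding("F2", "extra program appended to the Winlogon Shell value", line))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            if len([e for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]) > 1:
                out.append(Finding("F2", "extra program appended to UserInit", line))
        elif (m := O4_RE.match(line)):
            exe = executable(m["cmd"])
            if "\\" not in exe:  # bare name: found by PATH search, real location unknown
                out.append(Finding("O4", f"bare filename {exe!r} with no path", line))
            if (good := lookalike(basename(exe))):
                out.append(Finding("O4", f"{basename(exe)!r} is one character away from {good!r}", line))
        elif line.startswith("O10 - Hijacked"):
            out.append(Finding("O10", "Winsock LSP hijack reported by HijackThis", line))
        elif (m := O20_RE.match(line)):
            if m["kind"] == "AppInit_DLLs":
                out.append(Finding("O20", "AppInit_DLLs set: DLL is loaded into every user32 process", line))
            elif re.search(r"\d", basename(m["rest"].split(" - ", 1)[-1])):  # heuristic
                out.append(Finding("O20", "Winlogon Notify DLL with a random-looking name", line))
        elif (m := O23_RE.match(line)):
            if m["owner"].lower() == "unknown owner":
                out.append(Finding("O23", f"service {m['svc']!r} has no vendor/owner", line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that only match on the lookalike rule (such as the spooIsv.exe line) are the ones a quick visual scan most easily misses, which is why the rule is worth keeping even with a small name list.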

#2
RiP (Malware Expert, Retired Staff, 8,430 posts)
Hello, Chris - Thecleancar.

You have a massive spyware infection, so this will take a little time to clean out.

Do you have internet access from the infected PC? If not, have you tried booting into Safe Mode With Networking to see if you have internet access there?

If you don't have internet access at all, you're going to have to transfer the files and programs back and forth between the PCs via CD/floppy/USB etc... ( From your response it's obvious you know this, but I must say it anyway. )

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#3
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Hi
Thanks for your fast reply - nice to know I'm not on my own.

I don't have internet access in Safe Mode - I do in Normal mode, of course, but it's useless as there is no firewall or popup blocker, so the screen is covered in 'rubbish' in no time.

This is a bit of a pain, to say the least: HiJackThis only works in Safe Mode and I can only copy to a CD in Normal mode - still, it will be worth it, I'm sure.

Chris

Here is the uninstall_list.txt

Alcatel SpeedTouch USB Software
BT Broadband Desktop Help
BT Yahoo! Applications
Command
Eusing Free Registry Cleaner
HijackThis 1.99.1
Network Monitor
Norton AntiVirus
Norton AntiVirus SYMLT MSI
Repair Registry Pro 1.2
Snowball Wars by OIN
Surf SideKick
Symantec
TSA
webHancer Customer Companion

#4
RiP (Malware Expert, Retired Staff, 8,430 posts)
Hello, Chris - Thecleancar.

"Thanks for your fast reply - nice to know I'm not on my own"

You'll never be on your own at this site. I'm actually off work today, so I can help you without any time restraints.

I don't mean the regular "Safe Mode." Try rebooting into "Safe Mode With Networking."

Please do the following:

Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)

Command
Network Monitor
Snowball Wars by OIN
Surf SideKick
TSA
webHancer Customer Companion

See if you have internet after removing those programs, then please post back with a fresh HijackThis log.

#5
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Hi

I did in fact try Safe Mode with Networking, but it did not work.
I've removed all the items you instructed. Command was a bit difficult; it had to access the web and I got a flood of popups and screens etc. - Snowball Wars then appeared to come back again, so I deleted it again.
Still can't get the web in Safe Mode with Networking.
Everything takes forever to do as I have to keep switching modes and burning CDs etc.

Nice not to be at work - I'm semi retired at present - are you employed by 'The Geeks' or a volunteer?

Chris

New HiJackThis details shown as usual from Safe mode

Logfile of HijackThis v1.99.1
Scan saved at 13:49:03, on 08/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\Run: [WINTASK] protection.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Device Synchronization Agent] C:\WINDOWS\devices\services.exe
O4 - HKLM\..\RunServices: [WINTASK] protection.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\f60olgd3160.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\ktl4l73q1.dll
O23 - Service: Windows Device Synchronization Agent (DeviceSynchronization) - Unknown owner - C:\WINDOWS\devices\services.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6
RiP (Malware Expert, Retired Staff, 8,430 posts)
Hello, Chris - Thecleancar.

I apologize, I thought you had tried regular safe mode.

I'm currently a volunteer staff member at GeeksToGo. I have a different job outside of here.

OK, to make this a bit easier on you, I'll try to get rid of as much as possible in this next fix.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Then add it to the list of stuff to be burned, when on your other computer do the following:

Boot into Safe Mode and run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

Follow the next set of instructions, except after downloading it just add it to the burn list and skip over the updating part and just go to the configuration options and continue it from there.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#7
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Hello again

The CW Shredder found and removed CWS Smartsearch

Spy Sweeper log below

Chris

********
14:48: | Start of Session, 08 May 2006 |
14:48: Spy Sweeper started
14:48: Sweep initiated using definitions version 556
14:48: Starting Memory Sweep
14:50: Memory Sweep Complete, Elapsed Time: 00:01:23
14:50: Starting Registry Sweep
14:50: Found Adware: surfsidekick
14:50: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
14:50: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
14:50: Found Trojan Horse: trojan-backdoor-soundcheck
14:50: HKLM\system\currentcontrolset\control\lsa\ || compaq service drivers (ID = 144196)
14:50: HKLM\software\microsoft\ole\ || compaq service drivers (ID = 144197)
14:50: HKLM\software\microsoft\windows\currentversion\runservices\ || compaq service drivers (ID = 144198)
14:50: HKLM\software\microsoft\windows\currentversion\run\ || compaq service drivers (ID = 144199)
14:50: Found Adware: webhancer
14:50: HKLM\software\webhancer\ (4 subtraces) (ID = 146278)
14:50: HKU\WRSS_Profile_S-1-5-21-220523388-1993962763-725345543-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
14:50: HKU\WRSS_Profile_S-1-5-21-220523388-1993962763-725345543-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
14:50: Found Adware: findthewebsiteyouneed hijacker
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\main\ || search page (ID = 125238)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\main\ || start page (ID = 125239)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\system\currentcontrolset\control\lsa\ || compaq service drivers (ID = 144192)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\ole\ || compaq service drivers (ID = 144193)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\windows\currentversion\runservices\ || compaq service drivers (ID = 144194)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\windows\currentversion\run\ || compaq service drivers (ID = 144195)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
14:50: HKU\S-1-5-21-220523388-1993962763-725345543-1003\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
14:50: Registry Sweep Complete, Elapsed Time:00:00:14
14:50: Starting Cookie Sweep
14:50: Found Spy Cookie: yieldmanager cookie
14:50: [email protected][2].txt (ID = 3751)
14:50: Found Spy Cookie: hbmediapro cookie
14:50: [email protected][2].txt (ID = 2768)
14:50: Found Spy Cookie: hotbar cookie
14:50: [email protected][2].txt (ID = 4207)
14:50: Found Spy Cookie: adrevolver cookie
14:50: chris@adrevolver[1].txt (ID = 2088)
14:50: chris@adrevolver[2].txt (ID = 2088)
14:50: Found Spy Cookie: adtech cookie
14:50: chris@adtech[2].txt (ID = 2155)
14:50: Found Spy Cookie: advertising cookie
14:50: chris@advertising[2].txt (ID = 2175)
14:50: Found Spy Cookie: atlas dmt cookie
14:50: chris@atdmt[2].txt (ID = 2253)
14:50: Found Spy Cookie: searchingbooth cookie
14:50: [email protected][1].txt (ID = 3322)
14:50: Found Spy Cookie: kmpads cookie
14:50: chris@kmpads[2].txt (ID = 2909)
14:50: Found Spy Cookie: top-banners cookie
14:50: [email protected][1].txt (ID = 3548)
14:50: Found Spy Cookie: overture cookie
14:50: chris@overture[2].txt (ID = 3105)
14:50: Found Spy Cookie: partypoker cookie
14:50: chris@partypoker[2].txt (ID = 3111)
14:50: Found Spy Cookie: realtracker cookie
14:50: [email protected][1].txt (ID = 3242)
14:50: Found Spy Cookie: realmedia cookie
14:50: chris@realmedia[1].txt (ID = 3235)
14:50: Found Spy Cookie: revenue.net cookie
14:50: chris@revenue[1].txt (ID = 3257)
14:50: Found Spy Cookie: rn11 cookie
14:50: chris@rn11[2].txt (ID = 3261)
14:50: Found Spy Cookie: reliablestats cookie
14:50: [email protected][1].txt (ID = 3254)
14:50: Found Spy Cookie: findthewebsiteyouneed cookie
14:50: [email protected][2].txt (ID = 2673)
14:50: Found Spy Cookie: goclick cookie
14:50: [email protected][1].txt (ID = 2733)
14:50: Cookie Sweep Complete, Elapsed Time: 00:00:01
14:50: Starting File Sweep
14:50: c:\program files\webhancer (2 subtraces) (ID = -2147476841)
14:51: Found Adware: look2me
14:51: mdxml3r.dll (ID = 163672)
14:51: shgtab.dll (ID = 163672)
14:51: rksmxs.dll (ID = 163672)
14:51: t48u0el9ehq.dll (ID = 163672)
14:52: mdjetoledb40.dll (ID = 163672)
14:52: seprv.dll (ID = 163672)
14:52: Found Adware: isearch desktop search
14:52: command.exe (ID = 144946)
14:52: sskknwrd.dll (ID = 77733)
14:52: whagent.ini (ID = 83825)
14:52: sskcwrd.dll (ID = 77712)
14:52: File Sweep Complete, Elapsed Time: 00:02:03
14:52: Full Sweep has completed. Elapsed time 00:03:48
14:52: Traces Found: 63
14:53: Removal process initiated
14:53: Quarantining All Traces: look2me
14:53: Quarantining All Traces: trojan-backdoor-soundcheck
14:53: Quarantining All Traces: findthewebsiteyouneed hijacker
14:53: Quarantining All Traces: isearch desktop search
14:53: Quarantining All Traces: surfsidekick
14:53: Quarantining All Traces: webhancer
14:53: Quarantining All Traces: adrevolver cookie
14:53: Quarantining All Traces: adtech cookie
14:53: Quarantining All Traces: advertising cookie
14:53: Quarantining All Traces: atlas dmt cookie
14:53: Quarantining All Traces: findthewebsiteyouneed cookie
14:53: Quarantining All Traces: goclick cookie
14:53: Quarantining All Traces: hbmediapro cookie
14:53: Quarantining All Traces: hotbar cookie
14:53: Quarantining All Traces: kmpads cookie
14:53: Quarantining All Traces: overture cookie
14:53: Quarantining All Traces: partypoker cookie
14:53: Quarantining All Traces: realmedia cookie
14:53: Quarantining All Traces: realtracker cookie
14:53: Quarantining All Traces: reliablestats cookie
14:53: Quarantining All Traces: revenue.net cookie
14:53: Quarantining All Traces: rn11 cookie
14:53: Quarantining All Traces: searchingbooth cookie
14:53: Quarantining All Traces: top-banners cookie
14:53: Quarantining All Traces: yieldmanager cookie
14:53: Removal process completed. Elapsed time 00:00:39
********
14:45: | Start of Session, 08 May 2006 |
14:45: Spy Sweeper started
14:48: | End of Session, 08 May 2006 |

#8
RiP (Malware Expert, Retired Staff, 8,430 posts)
Is your internet still non-functional? Please post a fresh HJT log.

#9
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Hi

Do you mean in Normal Mode or Safe Mode with Networking?

Chris

#10
RiP (Malware Expert, Retired Staff, 8,430 posts)
Either one, preferably Normal Mode.

#11
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Sorry, should have tried both.

No luck with SM with Networking; the modem still doesn't boot.
In Normal mode I get a connection but can't get my home page; I get 'The page cannot be displayed', same if I try the Microsoft home page - still lots of popups and unrequested screens. Spy Sweeper blocked a couple of adwares.

See below for an HJT file - NOTE THIS CAME FROM NORMAL MODE

Chris

Logfile of HijackThis v1.99.1
Scan saved at 15:33:08, on 08/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\devices\services.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svhost.exe
C:\WINDOWS\System32\protection.exe
C:\hellmsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\ICROSO~1\logonui.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\?ymbols\n?tepad.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\Run: [WINTASK] protection.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Device Synchronization Agent] C:\WINDOWS\devices\services.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WINTASK] protection.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [WINTASK] protection.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKCU\..\Run: [Rrnc] "C:\WINDOWS\ICROSO~1\logonui.exe" -vt yazr
O4 - HKCU\..\Run: [Eulrzn] C:\WINDOWS\?ymbols\n?tepad.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\dnn4015qe.dll
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\r4p80e7ueh.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Windows Device Synchronization Agent (DeviceSynchronization) - Unknown owner - C:\WINDOWS\devices\services.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Something further: just found I can now get Windows Task Manager again - it shows 'Project 1' as running.

I can also now get 'Regedit' from Start > Run.

Chris

#13
RiP (Malware Expert, Retired Staff, 8,430 posts)
Hello, Chris - Thecleancar.

Excellent. We'll have it fixed up in no time.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

#14
Chris - Thecleancar (Topic Starter, Member, 244 posts)
Done

I had to turn my Quick Launch icons back on after Look2Me-Destroyer had finished - trust this doesn't blow us out of the water.

HJThis log and Look2Me log below.

Chris


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 08/05/2006 16:08:07

Infected! C:\WINDOWS\system32\dnn4015qe.dll
Infected! C:\WINDOWS\system32\assldp.dll
Infected! C:\WINDOWS\system32\bLsesrv.dll
Infected! C:\WINDOWS\system32\dhnhpast.dll
Infected! C:\WINDOWS\system32\dkcprop2.dll
Infected! C:\WINDOWS\system32\dn8801lue.dll
Infected! C:\WINDOWS\system32\dnn4015qe.dll
Infected! C:\WINDOWS\system32\dnnm0151e.dll
Infected! C:\WINDOWS\system32\dztrans.dll
Infected! C:\WINDOWS\system32\g8400ihme84a0.dll
Infected! C:\WINDOWS\system32\hvicons.dll
Infected! C:\WINDOWS\system32\ilssuba.dll
Infected! C:\WINDOWS\system32\k4620ejoehoc0.dll
Infected! C:\WINDOWS\system32\kadfr.dll
Infected! C:\WINDOWS\system32\kkdcz.dll
Infected! C:\WINDOWS\system32\kt2ml7f11.dll
Infected! C:\WINDOWS\system32\kt46l7hs1.dll
Infected! C:\WINDOWS\system32\kxdtuf.dll
Infected! C:\WINDOWS\system32\mkrle32.dll
Infected! C:\WINDOWS\system32\mnwmdm.dll
Infected! C:\WINDOWS\system32\rccss.dll
Infected! C:\WINDOWS\system32\spdoclc.dll
Infected! C:\WINDOWS\system32\uyer32.dll
Infected! C:\WINDOWS\system32\vir.dll
Infected! C:\WINDOWS\system32\vwpodbc.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\dnn4015qe.dll
C:\WINDOWS\system32\dnn4015qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\assldp.dll
C:\WINDOWS\system32\assldp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\bLsesrv.dll
C:\WINDOWS\system32\bLsesrv.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dhnhpast.dll
C:\WINDOWS\system32\dhnhpast.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dkcprop2.dll
C:\WINDOWS\system32\dkcprop2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dn8801lue.dll
C:\WINDOWS\system32\dn8801lue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnn4015qe.dll
C:\WINDOWS\system32\dnn4015qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnnm0151e.dll
C:\WINDOWS\system32\dnnm0151e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dztrans.dll
C:\WINDOWS\system32\dztrans.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\g8400ihme84a0.dll
C:\WINDOWS\system32\g8400ihme84a0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hvicons.dll
C:\WINDOWS\system32\hvicons.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ilssuba.dll
C:\WINDOWS\system32\ilssuba.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k4620ejoehoc0.dll
C:\WINDOWS\system32\k4620ejoehoc0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kadfr.dll
C:\WINDOWS\system32\kadfr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kkdcz.dll
C:\WINDOWS\system32\kkdcz.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kt2ml7f11.dll
C:\WINDOWS\system32\kt2ml7f11.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kt46l7hs1.dll
C:\WINDOWS\system32\kt46l7hs1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kxdtuf.dll
C:\WINDOWS\system32\kxdtuf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mkrle32.dll
C:\WINDOWS\system32\mkrle32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mnwmdm.dll
C:\WINDOWS\system32\mnwmdm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rccss.dll
C:\WINDOWS\system32\rccss.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\spdoclc.dll
C:\WINDOWS\system32\spdoclc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uyer32.dll
C:\WINDOWS\system32\uyer32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vir.dll
C:\WINDOWS\system32\vir.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vwpodbc.dll
C:\WINDOWS\system32\vwpodbc.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E922A1D0-5462-48DE-9E27-C98F67DE06FA}"
HKCR\Clsid\{E922A1D0-5462-48DE-9E27-C98F67DE06FA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1D19BCDC-E4A4-49FB-8EA0-F2C98DFF0967}"
HKCR\Clsid\{1D19BCDC-E4A4-49FB-8EA0-F2C98DFF0967}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9AB0121E-7630-4CB1-9418-74EE4E7E9480}"
HKCR\Clsid\{9AB0121E-7630-4CB1-9418-74EE4E7E9480}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{33E91A5B-20FC-43D8-9BFD-1DEE62FB9DF5}"
HKCR\Clsid\{33E91A5B-20FC-43D8-9BFD-1DEE62FB9DF5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CB1C13C5-6DD2-4B32-9420-54962CF80E8D}"
HKCR\Clsid\{CB1C13C5-6DD2-4B32-9420-54962CF80E8D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C5C64459-B83E-402F-B64B-40E7338CC544}"
HKCR\Clsid\{C5C64459-B83E-402F-B64B-40E7338CC544}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D4AD2BAA-B2CB-4F92-A0A5-68C576624CDC}"
HKCR\Clsid\{D4AD2BAA-B2CB-4F92-A0A5-68C576624CDC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0A04D89E-8684-4EA0-976E-6D3CA2008D7A}"
HKCR\Clsid\{0A04D89E-8684-4EA0-976E-6D3CA2008D7A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{18E4C059-01FC-4DC4-9D01-752F7D7BF3AC}"
HKCR\Clsid\{18E4C059-01FC-4DC4-9D01-752F7D7BF3AC}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 16:16:24, on 08/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\devices\services.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svhost.exe
C:\WINDOWS\System32\protection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ICROSO~1\logonui.exe
C:\WINDOWS\?ymbols\n?tepad.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\hellmsn.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\Run: [WINTASK] protection.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Device Synchronization Agent] C:\WINDOWS\devices\services.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [WINTASK] protection.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [WINTASK] protection.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKCU\..\Run: [Rrnc] "C:\WINDOWS\ICROSO~1\logonui.exe" -vt yazr
O4 - HKCU\..\Run: [Eulrzn] C:\WINDOWS\?ymbols\n?tepad.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\r4p80e7ueh.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Windows Device Synchronization Agent (DeviceSynchronization) - Unknown owner - C:\WINDOWS\devices\services.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#15
RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

I have noticed that look2me Destroyer takes no mercy on any infected files it comes across. I have had problems with it messing up windows stuff before. It is, however, the fastest and easiest way to remove Look2me on heavily infected systems.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download the Killbox by Option^Explicit. ( Save it to your desktop. )

Note: In the event you already have Killbox, this is a new version that I need you to download.

Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

sc stop DeviceSynchronization
sc delete DeviceSynchronization
exit

Double click FixServices.bat. A window will open and close. This is normal.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\Run: [WINTASK] protection.exe
O4 - HKLM\..\Run: [Microsoft ® Windows Device Synchronization Agent] C:\WINDOWS\devices\services.exe
O4 - HKLM\..\RunServices: [WINTASK] protection.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKCU\..\Run: [WINTASK] protection.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKCU\..\Run: [Rrnc] "C:\WINDOWS\ICROSO~1\logonui.exe" -vt yazr
O4 - HKCU\..\Run: [Eulrzn] C:\WINDOWS\?ymbols\n?tepad.exe
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\r4p80e7ueh.dll (file missing)
O23 - Service: Windows Device Synchronization Agent (DeviceSynchronization) - Unknown owner - C:\WINDOWS\devices\services.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Boot into Safe Mode:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Run ATF Cleaner: Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Using Windows Explorer delete the following folders (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\WINDOWS\ICROSO~1
C:\WINDOWS\?ymbols ( Make sure the file n?tepad.exe is inside before deleting the folder. )
C:\WINDOWS\devices

Run Killbox:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\svhost.exe
    C:\WINDOWS\System32\protection.exe
    C:\WINDOWS\System32\svhost.exe
    C:\WINDOWS\System32\explore.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into Normal Mode.

In your next reply please include the following:
  • A new HijackThis log.
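The entries the helper picked out of the log above share a few tell-tale patterns: Run keys that name a bare file (svhost.exe, protection.exe, explore.exe), names one letter away from a real system binary, a path the log could only print with "?" in place of a non-ASCII character, extra programs appended to the Shell and UserInit values, a Winlogon Notify DLL that no longer exists, and a service with an unknown owner. The parser below, an added Python example rather than anything from the thread or from HijackThis, applies those checks to HijackThis lines; the list of system binary names, the expected Shell/UserInit defaults and the heuristics are assumptions, and the sample lines are copied from the log posted above.

```python
import re
# Constructed sample: lines copied from the HijackThis log posted above, plus one clean O4 line (SpySweeper).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\devices\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\devices\services.exe
O4 - HKLM\..\Run: [Microsoft Telecoms Center] svhost.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKCU\..\Run: [Eulrzn] C:\WINDOWS\?ymbols\n?tepad.exe
O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\r4p80e7ueh.dll (file missing)
O23 - Service: Windows Device Synchronization Agent (DeviceSynchronization) - Unknown owner - C:\WINDOWS\devices\services.exe
"""
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "services.exe", "lsass.exe", "winlogon.exe"}  # assumed short list
EXPECTED = {"Shell": {"explorer.exe"}, "UserInit": {r"c:\windows\system32\userinit.exe"}}  # assumed XP defaults

def edit_distance(a, b):
    # Levenshtein distance: a name one edit from a system binary is a lookalike (svhost.exe vs svchost.exe)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_path(path):
    # Reasons an executable path deserves a look; an empty list means nothing stood out
    parts = path.strip().strip('"').lower().split("\\")
    name, parent = parts[-1], (parts[-2] if len(parts) > 1 else None)
    reasons = ["bare file name, so the PATH search decides which file runs"] if parent is None else []
    if "?" in path:  # '?' is illegal in a Windows path, so the log could not print a non-ASCII character
        reasons.append("unprintable character in path")
    if name in SYSTEM_BINARIES and parent not in (None, "system32", "windows"):
        reasons.append("system binary name outside its normal directory")
    return reasons + [f"one edit away from {s}" for s in sorted(SYSTEM_BINARIES) if edit_distance(name, s) == 1]

def line_reasons(line):
    # Why a single HijackThis line deserves a look; the rules mirror the entries the helper asked the poster to fix
    if m := re.match(r"^F2 - REG:system.ini: (Shell|UserInit)=(.*)$", line):
        sep = "," if m.group(1) == "UserInit" else " "  # UserInit is comma separated, Shell space separated
        return [f"extra program in {m.group(1)}: {v}" for v in m.group(2).split(sep) if v and v.lower() not in EXPECTED[m.group(1)]]
    if m := re.match(r'^O4 - .*?: \[.*?\] ("[^"]+"|\S+)', line):  # quoted path or first token of the command
        return check_path(m.group(1))
    if line.startswith("O20 ") and line.endswith("(file missing)"):
        return ["Winlogon Notify hook whose DLL is gone: the registry entry still needs removing"]
    if m := re.match(r"^O23 - Service: .* - (.*?) - (.+)$", line):
        return (["unknown service owner"] if m.group(1) == "Unknown owner" else []) + check_path(m.group(2))
    return []

def triage(log):
    return {line: r for line in log.splitlines() if (r := line_reasons(line))}
```

Running triage(SAMPLE_LOG) flags every sample line except the SpySweeper entry, which is the same split the helper made by hand.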
