Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Adware.Look2Me - Help required please [RESOLVED]

Started by stitch , Nov 11 2005 11:46 AM

  • This topic is locked This topic is locked

#1
stitch
Posted 11 November 2005 - 11:46 AM

stitch

    New Member

  • Member
  • Pip
  • 8 posts
Hello,

Firstly, i'd like to say great site. I've already found out a lot of information and have followed advise from a few posts.

The problem I'm having is my computer seems to be affected by the following "Adware.Look2Me". Norton keeps popping up saying that it's quarentined various files of this Risk type.

Following the advise from the "You Must Read This Before Posting" message I have completed the following:

1) Deleted all temporary files
2) Ran ad-aware using the setting detailed in normal XP - Deleting the found objects
3) Ran full Norton Antivirus scan (with updated definition files) in normal XP - Deleting the found objects.
Note: After running these I found a couple of objects which I couldn't remove (.exe files in System Volume Information)
4) Turned off System Restore and deleted old restore points - Seemed to delete the .exe files
5) Rebooted in Safemode and re-ran full Ad-aware and Norton scans - again removing found items.
6) Rebooted into normal XP - Still getting norton popups
Adware.Look2Me - ir82l5lo1.dll - c:\windows\system32
7) Ewido - Ran full scan and removed 28 items. (log below)
8) Update Window - windows didn't require additional updates
9) Rebooted into normal XP - Still getting norton popups
Adware.Look2Me - h0n0la5m1d.dll - c:\windows\system32
10) Ran Hijack This

I would appreciate any help you could offer.

Many thanks.


====================================================================================
Here are my log files:
====================================================================================
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:16:41, 11/11/2005
+ Report-Checksum: 1A564071

+ Scan result:

[368] C:\WINDOWS\system32\adifile.dll -> Spyware.Look2Me : Error during cleaning
[928] C:\WINDOWS\system32\adifile.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.6:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.36:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\USER\qt127sb2.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\USER\Cookies\USER@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\USER\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\system32\iKlmdnt5.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.w : Cleaned with backup
C:\WINDOWS\tool3.exe -> TrojanProxy.Lager.x : Cleaned with backup


::Report End
====================================================================================

Logfile of HijackThis v1.99.1
Scan saved at 17:30:17, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\utils\ewido\security suite\ewidoctrl.exe
C:\Program Files\utils\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Utils\AIM\AIMWDI~1.EXE
C:\Program Files\Utils\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Applications\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = REMOVED_BY_ME
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = REMOVED_BY_ME
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = REMOVED_BY_ME
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\Utils\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Utils\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Utils\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = REMOVED_BY_ME
O17 - HKLM\Software\..\Telephony: DomainName = REMOVED_BY_ME
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = REMOVED_BY_ME
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\h0n0la5m1d.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\utils\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\utils\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

====================================================================================
  • 0

Advertisements

#2
therock247uk
Posted 15 November 2005 - 06:19 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
You have the latest version of VX2. Download L2mfix from

http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#3
stitch
Posted 16 November 2005 - 04:06 AM

stitch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rock,

Thanks for trying to help me through this. I have downloaded and ran option 1 of the L2MFIX file.

Here is the Report Log:

===================================================================

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s0880aluedq80.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D0A6511C-54FC-F323-595B-44A8C0454CEE}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
@=""
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}"="PhotoToys"
"{efb97cb8-a4a4-4357-a261-002ffaed0267}"="CD Slideshow Powertoy"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{81764E25-1C32-426C-AF31-0BA83ED99F9C}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{81764E25-1C32-426C-AF31-0BA83ED99F9C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{81764E25-1C32-426C-AF31-0BA83ED99F9C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{81764E25-1C32-426C-AF31-0BA83ED99F9C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{81764E25-1C32-426C-AF31-0BA83ED99F9C}\InprocServer32]
@="C:\\WINDOWS\\system32\\msutilse.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
adifile.dll Fri 11 Nov 2005 16:44:22 ..S.R 236,283 230.74 K
browseui.dll Fri 2 Sep 2005 23:52:04 A.... 1,019,904 996.00 K
cdbjmon.dll Fri 11 Nov 2005 17:19:20 ..S.R 237,333 231.77 K
cdfview.dll Fri 2 Sep 2005 23:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 1:53:42 A.... 2,067,968 1.97 M
danim.dll Fri 2 Sep 2005 23:52:04 A.... 1,053,696 1.00 M
dxtrans.dll Fri 2 Sep 2005 23:52:04 A.... 205,312 200.50 K
extmgr.dll Fri 2 Sep 2005 23:52:04 A.... 55,808 54.50 K
gdi32.dll Thu 6 Oct 2005 3:09:36 A.... 280,064 273.50 K
gwfspi~1.dll Mon 29 Aug 2005 13:27:06 A.... 23,304 22.76 K
iepeers.dll Fri 2 Sep 2005 23:52:04 A.... 251,392 245.50 K
ihakui.dll Mon 14 Nov 2005 9:20:14 ..S.R 236,436 230.89 K
inseng.dll Fri 2 Sep 2005 23:52:04 A.... 96,256 94.00 K
irnml5~1.dll Wed 16 Nov 2005 9:47:26 ..S.R 235,693 230.17 K
legitc~1.dll Mon 29 Aug 2005 13:27:12 A.... 520,968 508.76 K
linkinfo.dll Thu 1 Sep 2005 1:41:54 A.... 19,968 19.50 K
mshtml.dll Tue 4 Oct 2005 16:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Fri 2 Sep 2005 23:52:06 A.... 448,512 438.00 K
msrating.dll Fri 2 Sep 2005 23:52:06 A.... 146,432 143.00 K
mstime.dll Fri 2 Sep 2005 23:52:06 A.... 530,432 518.00 K
msutilse.dll Wed 16 Nov 2005 9:47:26 ..S.R 234,538 229.04 K
netman.dll Mon 22 Aug 2005 18:29:46 A.... 197,632 193.00 K
pngfilt.dll Fri 2 Sep 2005 23:52:06 A.... 39,424 38.50 K
quartz.dll Tue 30 Aug 2005 3:54:26 A.... 1,287,168 1.23 M
s0880a~1.dll Tue 15 Nov 2005 23:18:10 ..S.R 234,538 229.04 K
shdocvw.dll Fri 2 Sep 2005 23:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 3:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Fri 2 Sep 2005 23:52:06 A.... 473,600 462.50 K
umpnpmgr.dll Tue 23 Aug 2005 3:35:42 A.... 123,392 120.50 K
urlmon.dll Fri 2 Sep 2005 23:52:06 A.... 608,768 594.50 K
wininet.dll Fri 2 Sep 2005 23:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 1:41:54 A.... 291,840 285.00 K
zlbw.dll Fri 11 Nov 2005 1:00:26 A.... 46,592 45.50 K

33 items found: 33 files (6 H/S), 0 directories.
Total of file sizes: 24,962,229 bytes 23.80 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is A857-FC4B

Directory of C:\WINDOWS\System32

16/11/2005 09:47 234,538 msutilse.dll
16/11/2005 09:47 235,693 irnml5511.dll
15/11/2005 23:18 234,538 s0880aluedq80.dll
14/11/2005 09:20 236,436 ihakui.dll
11/11/2005 17:19 237,333 cdbjmon.dll
11/11/2005 16:44 236,283 adifile.dll
11/11/2005 00:43 <DIR> dllcache
04/04/2005 02:00 <DIR> Microsoft
6 File(s) 1,414,821 bytes
2 Dir(s) 11,650,607,104 bytes free
  • 0

#4
therock247uk
Posted 16 November 2005 - 04:39 AM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#5
stitch
Posted 16 November 2005 - 07:58 AM

stitch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rock,

I followed the advise from your last message, but ran the scan twice. (The first time my machine just rebooted, after running the second I found both logs).

Both are below:

==================================================
SCAN 1 LOG
==================================================

13:01: | Start of Session, 16 November 2005 |
13:01: Spy Sweeper started
13:01: Sweep initiated using definitions version 556
13:01: Starting Memory Sweep
13:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: Found Adware: icannnews
13:01: Detected running threat: C:\WINDOWS\system32\msutilse.dll (ID = 83)
13:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:02: Detected running threat: C:\WINDOWS\system32\s0880aluedq80.dll (ID = 83)
13:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:03: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:03: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:03: Memory Sweep Complete, Elapsed Time: 00:02:19
13:03: Starting Registry Sweep
13:03: Found Adware: look2me
13:03: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\smden\ (6 subtraces) (ID = 501239)
13:03: Found Trojan Horse: trojan-backdoor-us15info
13:03: HKU\S-1-5-21-1449655655-2801439982-1300003180-1005\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
13:03: Registry Sweep Complete, Elapsed Time:00:00:07
13:03: Starting Cookie Sweep
13:03: Cookie Sweep Complete, Elapsed Time: 00:00:00
13:03: Starting File Sweep
13:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:13: File Sweep Complete, Elapsed Time: 00:09:55
13:13: Full Sweep has completed. Elapsed time 00:12:26
13:13: Traces Found: 10
13:14: Removal process initiated
13:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:15: Quarantining All Traces: look2me
13:15: Quarantining All Traces: trojan-backdoor-us15info
13:15: Quarantining All Traces: icannnews
13:15: icannnews is in use. It will be removed on reboot.
13:15: C:\WINDOWS\system32\msutilse.dll is in use. It will be removed on reboot.
13:15: C:\WINDOWS\system32\s0880aluedq80.dll is in use. It will be removed on reboot.
13:15: Warning: Launched explorer.exe
13:15: Warning: Quarantine process could not restart Explorer.
13:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:16: Preparing to restart your computer. Please wait...
13:16: Removal process completed. Elapsed time 00:02:22
********
12:57: | Start of Session, 16 November 2005 |
12:57: Spy Sweeper started
12:57: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
12:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:58: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
12:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
13:01: | End of Session, 16 November 2005 |

==================================================
SCAN 2 LOG
==================================================

********
13:21: | Start of Session, 16 November 2005 |
13:21: Spy Sweeper started
13:21: Sweep initiated using definitions version 556
13:21: Starting Memory Sweep
13:22: Found Adware: icannnews
13:22: Detected running threat: C:\WINDOWS\system32\nqcfg.dll (ID = 83)
13:23: Detected running threat: C:\WINDOWS\system32\irnml5511.dll (ID = 83)
13:23: Memory Sweep Complete, Elapsed Time: 00:02:00
13:23: Starting Registry Sweep
13:24: Registry Sweep Complete, Elapsed Time:00:00:07
13:24: Starting Cookie Sweep
13:24: Cookie Sweep Complete, Elapsed Time: 00:00:00
13:24: Starting File Sweep
13:28: File Sweep Complete, Elapsed Time: 00:04:34
13:28: Full Sweep has completed. Elapsed time 00:06:46
13:28: Traces Found: 2
13:29: Removal process initiated
13:29: Quarantining All Traces: icannnews
13:29: icannnews is in use. It will be removed on reboot.
13:29: C:\WINDOWS\system32\nqcfg.dll is in use. It will be removed on reboot.
13:29: C:\WINDOWS\system32\irnml5511.dll is in use. It will be removed on reboot.
13:29: Removal process completed. Elapsed time 00:00:14
********
  • 0

#6
therock247uk
Posted 16 November 2005 - 11:22 AM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Reboot and post a new Hijackthis log here in a reply.
  • 0

#7
stitch
Posted 16 November 2005 - 01:56 PM

stitch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rock,

Here's the new HijackThis log after a reboot.

Many thanks

====================================================

Logfile of HijackThis v1.99.1
Scan saved at 19:47:50, on 16/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\utils\ewido\security suite\ewidoctrl.exe
C:\Program Files\utils\ewido\security suite\ewidoguard.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Utils\AIM\AIMWDI~1.EXE
C:\Program Files\Utils\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = REMOVED_BY_USER
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = REMOVED_BY_USER
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = REMOVED_BY_USER
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\suspatch.exe /S /CHECK
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\Utils\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Utils\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Utils\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = REMOVED_BY_USER
O17 - HKLM\Software\..\Telephony: DomainName = REMOVED_BY_USER
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = REMOVED_BY_USER
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\utils\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\utils\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
  • 0

#8
therock247uk
Posted 16 November 2005 - 04:10 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
1. Go to Start > Settings > Control Panel > Add/Remove and uninstall the following.

SpywareCleaner as its rouge look here http://www.spywarewa...nti-spyware.htm

2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: (no name) - <default> - (no file)

3. Reboot and delete the folders. (if present)

C:\Program Files\Spyware Cleaner

4. Then post a new Hijackthis log here in a reply.
  • 0

#9
stitch
Posted 16 November 2005 - 04:47 PM

stitch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rock,

SpywareCleaner wasn't installed and the folder didn't exist. Therefore I also deleted the 2 entries via HijackThis. Below is the new log.

One thing i've noticed since Look2Me is that when I start my computer my Wireless connection won't connect and shows the error "Another application is using the wireless connection" (or similar message).

To fix this I have to follow these steps:
1) In Network Connections right click and select properties
2) Go to the "Wireless Network" tab.
3) Tick the box "Use Windows to configure my wireless settings".
4) Click ok - computer then connects
5) Disconnect and then untick the box
6) Computer now connects as usual via Intel PROSet/Wireless

Thanks.

==========================================
New HijackThis Log
==========================================

Logfile of HijackThis v1.99.1
Scan saved at 22:37:17, on 16/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\utils\ewido\security suite\ewidoctrl.exe
C:\Program Files\utils\ewido\security suite\ewidoguard.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Utils\AIM\AIMWDI~1.EXE
C:\Program Files\Utils\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = REMOVED_BY_USER
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = REMOVED_BY_USER
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = REMOVED_BY_USER
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\suspatch.exe /S /CHECK
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\Utils\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Utils\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Utils\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = REMOVED_BY_USER
O17 - HKLM\Software\..\Telephony: DomainName = REMOVED_BY_USER
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = REMOVED_BY_USER
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\utils\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\utils\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
  • 0

#10
therock247uk
Posted 16 November 2005 - 05:03 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Go to http://virusscan.jotti.org/ upload the file C:\WINDOWS\orclobi\synctime.exe tell me the results.
  • 0

#11
stitch
Posted 16 November 2005 - 05:09 PM

stitch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rock,

This file is in my Base Install directory so shouldn't be a problem.

Here are the results:

===============================================
Service
Service load: 0% 100%

File: synctime.exe
Status: OK
MD5 c5f5ab8a285c23a534c5acae476e4636
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
  • 0

#12
therock247uk
Posted 25 November 2005 - 08:24 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Your log is clean :tazz:

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
  • 0

#13
stitch
Posted 06 December 2005 - 10:19 AM

stitch

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rock,

Apologies for the delay, just got back from vacation.

My machine does seem to be clean now. Cheers for the useful links as well.

Thanks again for your help on this, it's much appreciated.

Regards,
Stitch.
  • 0

#14
therock247uk
Posted 15 December 2005 - 09:04 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP