Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

can not get rid of Look2Me spyware [RESOLVED]

Started by rwilson881 , Dec 10 2005 10:28 PM

  • This topic is locked This topic is locked

#1
rwilson881
Posted 10 December 2005 - 10:28 PM

rwilson881

    New Member

  • Member
  • Pip
  • 5 posts
I’ve done all the things called out to do but still can not get rid of the Look2Me spyware.
I just get continuous popups or browser changes.
Trend houscall just crashed and would cause Firefox to close.
Here are my ewido and Hijack logs.
Thanks in advance
Rwilson881
BTW – We believe my son caused it by clicking on an AIM file from a friend.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:23:30 PM, 12/10/2005
+ Report-Checksum: BB19D92E

+ Scan result:

[2364] C:\WINDOWS\system32\moxml4r.dll -> Spyware.Look2Me : Error during cleaning
[2652] C:\WINDOWS\system32\moxml4r.dll -> Spyware.Look2Me : Error during cleaning
:mozilla.11:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.227:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.251:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.252:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.299:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.300:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.301:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.303:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.304:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.321:C:\Documents and Settings\Ron\Application Data\Mozilla\Firefox\Profiles\default.ymf\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\WINDOWS\system32\DGDProX2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fp0803due.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktr8l79u1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rugwizc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\t4r8le9u1h.dll -> Spyware.Look2Me : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 11:25:27 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\hijac\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sacredbrethre.../news_index.php
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O20 - Winlogon Notify: Fonts - C:\WINDOWS\system32\hr4205hoe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements

#2
loophole
Posted 10 December 2005 - 11:11 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello rwilson881 :tazz:

Download L2mfix from one of these two locations:

http://www.downloads....org/l2mfix.exe
http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe,
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
  • 0

#3
rwilson881
Posted 11 December 2005 - 10:39 AM

rwilson881

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
had to fix the CMD error
here's the log

L2MFIX find log 120905
These are the registry keys present
***********************************************************

***********************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnno0153e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

***********************************************************

***********************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio

n\Internet Settings\User Agent\Post Platform]
"{68CF63E8-2DF6-CF21-133A-425044BB546B}"=""

***********************************************************

***********************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio

n\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property

Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property

Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL

Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL

Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL

Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft

Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor

Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file

compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL

Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL

Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for

Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon

Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell

Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties

Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties

Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet

Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options

Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU

AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History

AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder

AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple

AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc

Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser

Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History

Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search

Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy

Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAge

nt"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr

Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail

extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail

handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard

Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder

Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped)

Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell

Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp

Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace

ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp

Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp

Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp

Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS

object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu

Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder

Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character

Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play

as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player

Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player

Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for

RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{314268E5-3DF9-4B32-836F-497505C769E7}"="Oak SimpliCD context menu

shell extension."
"{BE390105-A9B4-4213-8367-564D0E539325}"="OAK Property Sheet Shell

Extension"
"{A7FB9CFE-4402-4A73-88F0-2261A7B5BA11}"="SimpliCD ROM"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and

Defaults"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context

Menu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property

Sheet Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon

Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property

Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager

Folder"
"{88CBF1CB-6F55-11D8-ABF8-C5E6374AC960}"="Cheetah Burner Context

Menu"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices

Menu"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play

Devices"
"{2b232f20-fa0d-11d1-8a3e-00c0f64105cd}"="Shuttle Shell Extension for

Drive"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper

Context Menu Integration"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell

Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook

Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook

Custom Icon Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext

Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{ACCE82FA-11CC-4A1D-BD51-DD49F8296C8A}"=""
"{246B8B06-3C7D-4FEE-AD63-78D19F06C65D}"=""
"{52983879-B310-47CE-9C52-A7F7410DDD49}"=""
"{3A470D18-F66C-4DD7-B9AA-EC5DF6270FCB}"=""
"{8FCF4E22-1289-4FFB-8D25-D5588D90826A}"=""
"{4BF3AEF4-55CE-4498-8C33-72342C9A0740}"=""

***********************************************************

***********************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826

A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826

A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826

A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826

A}\InprocServer32]
@="C:\\WINDOWS\\system32\\QMENCUTL.DLL"
"ThreadingModel"="Apartment"

***********************************************************

***********************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
0go40948.dll Sat Dec 3 2005 3:15:28a A.... 49,152 48.00 K
0go4efoy.dll Sat Dec 3 2005 3:15:28a A.... 38,400 37.50 K
dnno01~1.dll Sat Dec 10 2005 7:01:06p ..S.R 235,926 230.39 K
en64l1~1.dll Sat Dec 10 2005 11:38:08p ..S.R 235,575 230.05 K
msvbvm60.dll Thu Nov 17 2005 6:41:24p A.... 1,388,544 1.32 M
qmencutl.dll Sun Dec 11 2005 11:29:04a ..S.R 235,926 230.39 K

6 items found: 6 files (3 H/S), 0 directories.
Total of file sizes: 2,183,523 bytes 2.08 M
Locate .tmp files:

No matches found.
***********************************************************

***********************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 14F3-6BBA

Directory of C:\WINDOWS\System32

12/11/2005 11:29 AM 235,926 QMENCUTL.DLL
12/10/2005 11:38 PM 235,575 en64l1jq1.dll
12/10/2005 07:01 PM 235,926 dnno0153e.dll
09/09/2005 10:54 AM <DIR> dllcache
11/01/2003 01:09 PM <DIR> Microsoft
01/10/2003 01:37 PM 32

{3B8685AA-0428-463A-AB38-67C603990303}.dat
01/10/2003 01:37 PM 32

{70E85C78-8043-4F04-B47C-C37C70F10942}.dat
01/10/2003 01:36 PM 32

{39B67E31-6CFA-4745-AD8D-04C45B630F9A}.dat
01/10/2003 01:34 PM 32

{196BC611-4005-43C9-B031-0981642AF117}.dat
01/10/2003 01:34 PM 32

{A97DF97F-D93F-4678-A35B-442BE3257C63}.dat
01/10/2003 01:34 PM 32

{AA8EA781-2FA9-4CC0-B54E-A6C7B2E3CD0A}.dat
01/05/2002 04:40 AM 487,424 msvcp70.dll
04/05/2001 09:43 AM 94,208 msstkprp.dll
11 File(s) 1,289,251 bytes
2 Dir(s) 19,191,410,688 bytes free

thanks
Ron
  • 0

#4
loophole
Posted 11 December 2005 - 03:51 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.
  • 0

#5
rwilson881
Posted 11 December 2005 - 04:22 PM

rwilson881

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
here they are:

L2mfix Beta 120905
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 492 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 568 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1128 'explorer.exe'
Killing PID 1128 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1776 'rundll32.exe'
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\en64l1jq1.dll
0 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ql9l51.dll
0 file(s) copied.
Backing Up: C:\WINDOWS\system32\ocbcbcp.dll
0 file(s) copied.
deleting: C:\WINDOWS\system32\en64l1jq1.dll
Successfully Deleted: C:\WINDOWS\system32\en64l1jq1.dll
deleting: C:\WINDOWS\system32\mv8ql9l51.dll
Successfully Deleted: C:\WINDOWS\system32\mv8ql9l51.dll
deleting: C:\WINDOWS\system32\ocbcbcp.dll
Successfully Deleted: C:\WINDOWS\system32\ocbcbcp.dll


Zipping up files for submission:
zip warning: name not matched: guard.tmp

zip error: Nothing to do! (backup.zip)
zip warning: name not matched: C:\Documents and Settings\Ron\Desktop\l2mfix\backregs\*.reg

zip error: Nothing to do! (backup.zip)

Restoring Sedebugprivilege:

Restoring Windows Update Certificates.:

deleting local copy: en64l1jq1.dll
deleting local copy: mv8ql9l51.dll
deleting local copy: ocbcbcp.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en64l1jq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\en64l1jq1.dll
C:\WINDOWS\system32\mv8ql9l51.dll
C:\WINDOWS\system32\ocbcbcp.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826A}\InprocServer32]
@="C:\\WINDOWS\\system32\\ocbcbcp.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{ACCE82FA-11CC-4A1D-BD51-DD49F8296C8A}"=
"{246B8B06-3C7D-4FEE-AD63-78D19F06C65D}"=
"{52983879-B310-47CE-9C52-A7F7410DDD49}"=
"{3A470D18-F66C-4DD7-B9AA-EC5DF6270FCB}"=
"{8FCF4E22-1289-4FFB-8D25-D5588D90826A}"=
"{4BF3AEF4-55CE-4498-8C33-72342C9A0740}"=
[-HKEY_CLASSES_ROOT\CLSID\{ACCE82FA-11CC-4A1D-BD51-DD49F8296C8A}]
[-HKEY_CLASSES_ROOT\CLSID\{246B8B06-3C7D-4FEE-AD63-78D19F06C65D}]
[-HKEY_CLASSES_ROOT\CLSID\{52983879-B310-47CE-9C52-A7F7410DDD49}]
[-HKEY_CLASSES_ROOT\CLSID\{3A470D18-F66C-4DD7-B9AA-EC5DF6270FCB}]
[-HKEY_CLASSES_ROOT\CLSID\{8FCF4E22-1289-4FFB-8D25-D5588D90826A}]
[-HKEY_CLASSES_ROOT\CLSID\{4BF3AEF4-55CE-4498-8C33-72342C9A0740}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
C:\WINDOWS\System32\8FCF4E22-1289-4FFB-8D25-D5588D90826A.reg
Checking for L2MFix account(0=no 1=yes):
0


Logfile of HijackThis v1.99.1
Scan saved at 5:20:31 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\webshots.scr
C:\hijac\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sacredbrethre.../news_index.php
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\en64l1jq1.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



OH Yeah, GO COLTS
thanks
Ron
  • 0

#6
loophole
Posted 11 December 2005 - 04:45 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Yes, go colts I haven't posted much today. 13-0

Ok looks like we got it. Just some final steps to do

Hijack fixes

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\en64l1jq1.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked

Please run this online virus scan:
Panda Active Scan You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log

  • 0

#7
rwilson881
Posted 11 December 2005 - 06:05 PM

rwilson881

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
So far no pop ups or redirects. Great job Loophole
The Panda online scan would not start. I waited over a hour and tried again.
Running ewido scan now, I will post it's log and Hijack log when done.
thanks
Ron
  • 0

#8
rwilson881
Posted 11 December 2005 - 06:40 PM

rwilson881

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
everything looks here's the logs

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:36:10 PM, 12/11/2005
+ Report-Checksum: F3A0DA50

+ Scan result:

No infected objects found.


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 7:36:43 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\webshots.scr
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\hijac\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sacredbrethre.../news_index.php
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Go Colts
superbowl is next

Thanks again
ron
  • 0

#9
loophole
Posted 11 December 2005 - 07:20 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
16-0 maybe? we'll see......I am willing to bet its clean so i'm not going to ask you run a differnt scan :)

Congratulations

your system is clean :tazz:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#10
loophole
Posted 23 December 2005 - 03:16 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP