Aller au contenu principal

Please help with AIM Virus

Commentaires

47 commentaires

  • Customer

    Path not Found: C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\?ICROSOFT\?HKDSK.EXE

     

    thats all that came up

    0
  • Support

    Most of that isn't bad...the files in Symantec Quarantine, and in Killbox are protected from running as they were nuked by those tools. The ones in System Volume Information is your System Restore backups which we will purge when you're all clean - right now nothing can run from there as long as you don't go in and choose to restore to an prior date (so don't do that)

     

    In fact, I'm going to ask you to send me the Killbox files after this when we get the rest of the files that need nuking

     

    * Run Killbox.exe.

     

    * Select "Delete on Reboot"

     

    C:\bootdll.pif

    C:\dllboot.pif

    C:\dllfix.pif

    C:\loaderboot.pif

    C:\mfix.bat

    C:\sysini.bat

     

    * Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

     

    * Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

     

    ......................

    Next, Post a report from this tool

    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

    Doubleclick on bibeta.exe to run it.

    Click the *I accept* button near the bottom of that page.

    Download and run blacklite click > scan then > next, next again then exit

    there will be a new text file near blacklite.Post it please. The text file is named:

    fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

    !!Do not rename any files yet

    0
  • Customer

    **this is in normal mode**

     

    Logfile of HijackThis v1.99.1

    Scan saved at 1:38:47 AM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\WINDOWS\system32\mptft.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\WINDOWS\system32\ssec.exe

    C:\WINDOWS\system32\tfthot.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\frwdx.exe

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\i824lifq182e.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Support

    You've got a whole boatload of malware!

     

    First, you've had the Alcra/Alcan worm.

     

    Please download Brute Force Uninstaller.

    Unzip it to it’s own folder (c:\BFU)

     

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

     

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

     

    In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu

    Press execute and let it do it’s job.

     

    Wait for the complete script execution box to pop up and press OK.

     

    click "save"

     

    IN "filename" enter log.txt

     

    click exit to exit the BFU program.

     

    Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ..........

     

    Then, please get an online AV scan at one of the following:

     

    eTrust Antivirus Web Scanner

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

    (if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

    It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

     

    Trend Micro (PC-cillin) - Free on-line Scan

    http://housecall.antivirus.com

     

    Panda's Active Scan

    http://www.pandasoftware.com/products/activescan.htm

     

    Try the Kaspersky free online scanner.

    http://www.kaspersky.com/virusscanner

    ........................

    Finally, update your Ad-Aware program and do a full system scan

    Please can you make sure that you are using

    Ad-aware SE Build 106r1

    Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.

     

    [if not Uninstall your old Ad-aware first then install SE]

    Then use the WebUpDate

    to get the latest Definition file

    SE1R108 17.05.2006

    To do this Open Ad-aware

    Click the WebUpDate

    button at the top right hand side of the Ad-aware screen (The world globe).

    Click "Connect"

    Ad-aware will then download the latest Definition file for you.

    To make sure it is updated , look at the main

    Ad-aware screen, and look under "Initialization Status"

    It should say the Latest Definition file.

    then scan doing a "Full Scan" and then post your logfile here by using the Add-Reply Feature .

    As Logs are stored in :

    C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.

    An easy way to get there is to

    click Start,

    click Run

    And type in and press ENTER: %appdata%

    then click Lavasoft

    then Ad-Aware

    and then Logs.

    scroll down to find the latest one that you have

    (by date & time)

    and open it right Click select all

    copy and then paste the contents of it here.

    (Make sure that all of your Logfile has been posted, sometimes it will require two post's to get it all)

    I recommend that you use the WebUpDate just before you scan that way you will always be up to date.

     

    (note The Application Data is a hidden folder, so you will need to show hidden files and folders)

    0
  • Customer

    i didnt have the log on the first time i ran it, didnt notice it wasnt checked. im assuming since they all say not found it worked though. i am running the adaware now and ill post that soon

     

    BFU v1.00.9

    Windows XP SP2 (WinNT 5.01.2600 SP2)

    Script started at 12:38:53 PM, on 5/17/2006

     

    Option Unload Explorer: Yes

    Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

    Failed: ServiceStop Network Monitor (service not found)

    Failed: ServiceStop cmdService (service not found)

    Failed: ServiceDisable Network Monitor (service not found)

    Failed: ServiceDisable cmdService (service not found)

    Failed: ServiceDelete Network Monitor (service not found)

    Failed: ServiceDelete cmdService (service not found)

    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)

    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)

    Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

    Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)

    Option pause between commands: 300 ms

    Option pause between commands: 50 ms

    Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

    Failed: FolderDelete C:\Program Files\winupdates (folder not found)

    Failed: FolderDelete C:\Program Files\winupdate (folder not found)

    Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

    Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

    Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

    Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

    Failed: FolderDelete C:\Program Files\outlook (folder not found)

    Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

    Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

    Failed: FolderDelete C:\DOCUME~1\BILLBR~1\LOCALS~1\Temp\Cookies (operation failed)

    Failed: FolderDelete C:\DOCUME~1\BILLBR~1\LOCALS~1\Temp\History (operation failed)

    Failed: FolderDelete C:\DOCUME~1\BILLBR~1\LOCALS~1\Temp\Temporary Internet Files (operation failed)

    Failed: FileDelete C:\DOCUME~1\BILLBR~1\LOCALS~1\Temp\~DFB95B.tmp (operation failed)

    Failed: FolderDelete C:\WINDOWS\Temp\Cookies (operation failed)

    Failed: FolderDelete C:\WINDOWS\Temp\History (operation failed)

    Failed: FolderDelete C:\WINDOWS\Temp\Temporary Internet Files (operation failed)

    Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

    Failed: FolderDelete C:\Program Files\DNS (folder not found)

    Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

    Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

    Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

    Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

    Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

    Failed: FolderDelete C:\Program Files\Update06 (folder not found)

    Failed: FolderDelete C:\Program Files\Update03 (folder not found)

    Failed: FolderDelete C:\Program Files\Update04 (folder not found)

    Failed: FolderDelete C:\Program Files\Update08 (folder not found)

    Failed: FolderDelete C:\Program Files\W-Update (folder not found)

    Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

    Failed: FolderDelete C:\Program Files\Cas (folder not found)

    Failed: FolderDelete C:\Program Files\CasStub (folder not found)

    Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

    Failed: FolderDelete C:\Program Files\ipwins (folder not found)

    Failed: FolderDelete C:\temp (folder not found)

    Failed: FolderCreate C:\bintheredunthat (folder already exists)

    Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

    Script completed.

    0
  • Support

    No, it's ok - it just lists the ones not found. It covers a lot of different variants.

     

    Can you scan and post fresh HijackThis logs? Do one in Safe mode and one in normal mode again. You had a lot of difference between the two and for some reason the majority of the malware was showing in safe mode.

    0
  • Customer

    ***Safe Mode Hijack this***

     

    Logfile of HijackThis v1.99.1

    Scan saved at 1:40:18 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\userinit.exe

    C:\WINDOWS\Explorer.EXE

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\fp8m03l1e.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Customer

    here is the ad-aware log and the hijackthis from normal mode. i will put up the safe mode one soon.

     

    Ad-Aware SE Build 1.06r1

    Logfile Created on:Wednesday, May 17, 2006 1:12:30 PM

    Created with Ad-Aware SE Personal, free for private use.

    Using definitions file:SE1R107 09.05.2006

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    References detected during the scan:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    ABetterInternet.Nail(TAC index:5):1 total references

    Adware.Look2Me(TAC index:7):3 total references

    Tracking Cookie(TAC index:3):4 total references

    Win32.Trojan.Downloader(TAC index:10):2 total references

    Windows(TAC index:3):1 total references

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Ad-Aware SE Settings

    ===========================

    Set : Search for low-risk threats

    Set : Safe mode (always request confirmation)

    Set : Scan active processes

    Set : Scan registry

    Set : Deep-scan registry

    Set : Scan my IE Favorites for banned URLs

    Set : Scan within archives

    Set : Scan my Hosts file

     

    Extended Ad-Aware SE Settings

    ===========================

    Set : Unload recognized processes & modules during scan

    Set : Scan registry for all users instead of current user only

    Set : Always try to unload modules before deletion

    Set : During removal, unload Explorer and IE if necessary

    Set : Let Windows remove files in use at next reboot

    Set : Delete quarantined objects after restoring

    Set : Include basic Ad-Aware settings in log file

    Set : Include additional Ad-Aware settings in log file

    Set : Include reference summary in log file

    Set : Include alternate data stream details in log file

    Set : Play sound at scan completion if scan locates critical objects

     

     

    5-17-2006 1:12:30 PM - Scan started. (Full System Scan)

     

    Listing running processes

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    #:1 [smss.exe]

    FilePath : \SystemRoot\System32\

    ProcessID : 836

    ThreadCreationTime : 5-17-2006 4:27:03 PM

    BasePriority : Normal

     

     

    #:2 [winlogon.exe]

    FilePath : \??\C:\WINDOWS\system32\

    ProcessID : 1008

    ThreadCreationTime : 5-17-2006 4:27:34 PM

    BasePriority : High

     

     

    Adware.Look2Me Object Recognized!

    Type : Process

    Data : en4ul1h91.dll

    TAC Rating : 7

    Category : Adware

    Comment : iieshare.dll.dmp

    Object : C:\WINDOWS\system32\

     

     

    Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\en4ul1h91.dll)

     

     

    #:3 [services.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1052

    ThreadCreationTime : 5-17-2006 4:27:34 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Services and Controller app

    InternalName : services.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : services.exe

     

    #:4 [lsass.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1064

    ThreadCreationTime : 5-17-2006 4:27:34 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : LSA Shell (Export Version)

    InternalName : lsass.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : lsass.exe

     

    #:5 [ati2evxx.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1252

    ThreadCreationTime : 5-17-2006 4:27:37 PM

    BasePriority : Normal

    FileVersion : 6.14.10.4118

    ProductVersion : 6.14.10.4118.02

    ProductName : ATI External Event Utility for WindowsNT and Windows9X

    CompanyName : ATI Technologies Inc.

    FileDescription : ATI External Event Utility EXE Module

    InternalName : ATI2EVXX.EXE

    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.

    OriginalFilename : ATI2EVXX.EXE

     

    #:6 [svchost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1276

    ThreadCreationTime : 5-17-2006 4:27:37 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:7 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 1496

    ThreadCreationTime : 5-17-2006 4:27:37 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:8 [evteng.exe]

    FilePath : C:\Program Files\Intel\Wireless\Bin\

    ProcessID : 1552

    ThreadCreationTime : 5-17-2006 4:27:38 PM

    BasePriority : Normal

    FileVersion : 9, 0, 1, 12

    ProductVersion : 9, 0, 0, 0

    ProductName : EvtEng Module

    CompanyName : Intel Corporation

    FileDescription : EvtEng Module

    InternalName : EvtEng

    LegalCopyright : Copyright © Intel Corporation 1999-2004

    OriginalFilename : EvtEng.EXE

     

    #:9 [s24evmon.exe]

    FilePath : C:\Program Files\Intel\Wireless\Bin\

    ProcessID : 1672

    ThreadCreationTime : 5-17-2006 4:27:38 PM

    BasePriority : Normal

    FileVersion : 9, 0, 1, 41

    ProductVersion : 9, 0, 0, 0

    ProductName : Mobile Unit Support Service

    CompanyName : Intel Corporation

    FileDescription : Event Monitor - Supports driver extensions to NIC Driver for wireless adapters.

    InternalName : S24EvMon

    LegalCopyright : Copyright © Intel Corporation 1999-2004

    OriginalFilename : S24EvMon.exe

     

    #:10 [zcfgsvc.exe]

    FilePath : C:\Program Files\Intel\Wireless\Bin\

    ProcessID : 1740

    ThreadCreationTime : 5-17-2006 4:27:39 PM

    BasePriority : Normal

    FileVersion : 9, 0, 1, 45

    ProductVersion : 1, 0, 0, 2

    ProductName : ZeroCfgSvc Application

    CompanyName : Intel Corporation

    FileDescription : ZeroCfgSvc MFC Application

    InternalName : ZeroCfgSvc

    LegalCopyright : Copyright © Intel Corporation 1999-2004

    OriginalFilename : ZeroCfgSvc.EXE

     

    #:11 [wlkeeper.exe]

    FilePath : C:\Program Files\Intel\Wireless\Bin\

    ProcessID : 1756

    ThreadCreationTime : 5-17-2006 4:27:39 PM

    BasePriority : Normal

    FileVersion : 9, 0, 1, 14

    ProductVersion : 1, 0, 0, 1

    ProductName : SSOFSet Service

    CompanyName : Intel® Corporation

    FileDescription : WLKEEPER

    InternalName : WLKEEPER

    LegalCopyright : Copyright © 2004

    OriginalFilename : WLKEEPER.exe

     

    #:12 [ccsetmgr.exe]

    FilePath : C:\Program Files\Common Files\Symantec Shared\

    ProcessID : 416

    ThreadCreationTime : 5-17-2006 4:27:41 PM

    BasePriority : Normal

    FileVersion : 103.5.1.9

    ProductVersion : 103.5.1.9

    ProductName : Client and Host Security Platform

    CompanyName : Symantec Corporation

    FileDescription : Symantec Settings Manager Service

    InternalName : ccSetMgr

    LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

    OriginalFilename : ccSetMgr.exe

     

    #:13 [ccevtmgr.exe]

    FilePath : C:\Program Files\Common Files\Symantec Shared\

    ProcessID : 440

    ThreadCreationTime : 5-17-2006 4:27:41 PM

    BasePriority : Normal

    FileVersion : 103.5.1.9

    ProductVersion : 103.5.1.9

    ProductName : Client and Host Security Platform

    CompanyName : Symantec Corporation

    FileDescription : Symantec Event Manager Service

    InternalName : ccEvtMgr

    LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

    OriginalFilename : ccEvtMgr.exe

     

    #:14 [spoolsv.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 636

    ThreadCreationTime : 5-17-2006 4:27:41 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

    ProductVersion : 5.1.2600.2696

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Spooler SubSystem App

    InternalName : spoolsv.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : spoolsv.exe

     

    #:15 [ati2evxx.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 804

    ThreadCreationTime : 5-17-2006 4:27:43 PM

    BasePriority : Normal

    FileVersion : 6.14.10.4118

    ProductVersion : 6.14.10.4118.02

    ProductName : ATI External Event Utility for WindowsNT and Windows9X

    CompanyName : ATI Technologies Inc.

    FileDescription : ATI External Event Utility EXE Module

    InternalName : ATI2EVXX.EXE

    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.

    OriginalFilename : ATI2EVXX.EXE

     

    #:16 [apoint.exe]

    FilePath : C:\Program Files\Apoint\

    ProcessID : 1300

    ThreadCreationTime : 5-17-2006 4:27:44 PM

    BasePriority : Normal

    FileVersion : 5.5.101.141

    ProductVersion : 5.5.101.141

    ProductName : Alps Pointing-device Driver

    CompanyName : Alps Electric Co., Ltd.

    FileDescription : Alps Pointing-device Driver

    InternalName : Alps Pointing-device Driver

    LegalCopyright : Copyright © 1999-2004 Alps Electric Co., Ltd.

    OriginalFilename : Apoint.exe

     

    #:17 [ifrmewrk.exe]

    FilePath : C:\Program Files\Intel\Wireless\Bin\

    ProcessID : 1308

    ThreadCreationTime : 5-17-2006 4:27:44 PM

    BasePriority : Normal

    FileVersion : 9, 0, 1, 19

    ProductVersion : 9, 0, 0, 0

    ProductName : Intel PROSet/Wireless

    CompanyName : Intel Corporation

    FileDescription : Intel Framework MFC Application

    InternalName : Framework

    LegalCopyright : Copyright © Intel Corporation 1999-2004

    OriginalFilename : iFramewrk.exe

     

    #:18 [atiptaxx.exe]

    FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\

    ProcessID : 1320

    ThreadCreationTime : 5-17-2006 4:27:44 PM

    BasePriority : Normal

    FileVersion : 6.14.10.5160

    ProductVersion : 6.14.10.5160

    ProductName : ATI Desktop Component

    CompanyName : ATI Technologies, Inc.

    FileDescription : ATI Desktop Control Panel

    InternalName : Atiptaxx.exe

    LegalCopyright : Copyright © 1998-2005 ATI Technologies Inc.

    OriginalFilename : Atiptaxx.exe

     

    #:19 [ccapp.exe]

    FilePath : C:\Program Files\Common Files\Symantec Shared\

    ProcessID : 1332

    ThreadCreationTime : 5-17-2006 4:27:44 PM

    BasePriority : Normal

    FileVersion : 103.5.1.9

    ProductVersion : 103.5.1.9

    ProductName : Client and Host Security Platform

    CompanyName : Symantec Corporation

    FileDescription : Symantec User Session

    InternalName : ccApp

    LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

    OriginalFilename : ccApp.exe

     

    #:20 [vptray.exe]

    FilePath : C:\PROGRA~1\SYMANT~1\

    ProcessID : 796

    ThreadCreationTime : 5-17-2006 4:27:45 PM

    BasePriority : Normal

    FileVersion : 10.0.0.359

    ProductVersion : 10.0.0.359

    ProductName : Symantec AntiVirus

    CompanyName : Symantec Corporation

    FileDescription : Symantec AntiVirus

    LegalCopyright : Copyright 1991 - 2005 Symantec Corporation. All rights reserved.

     

    #:21 [realsched.exe]

    FilePath : C:\Program Files\Common Files\Real\Update_OB\

    ProcessID : 1640

    ThreadCreationTime : 5-17-2006 4:27:45 PM

    BasePriority : Normal

    FileVersion : 0.1.0.3492

    ProductVersion : 0.1.0.3492

    ProductName : RealPlayer (32-bit)

    CompanyName : RealNetworks, Inc.

    FileDescription : RealNetworks Scheduler

    InternalName : schedapp

    LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

    LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

    OriginalFilename : realsched.exe

     

    #:22 [dvdlauncher.exe]

    FilePath : C:\Program Files\CyberLink\PowerDVD\

    ProcessID : 1568

    ThreadCreationTime : 5-17-2006 4:27:45 PM

    BasePriority : Normal

    FileVersion : 3.00.0000

    ProductVersion : 3.00.0000

    ProductName : Cyberlink PowerCinema 3.0

    CompanyName : CyberLink Corp.

    FileDescription : CyberLink PowerCinema Resident Program

    InternalName : CyberLink PowerCinema Resident Program

    LegalCopyright : Copyright © 2003 CyberLink Corp.

    OriginalFilename : DVDLauncher.EXE

     

    #:23 [quickset.exe]

    FilePath : C:\Program Files\Dell\QuickSet\

    ProcessID : 1572

    ThreadCreationTime : 5-17-2006 4:27:45 PM

    BasePriority : Normal

    FileVersion : 0, 5, 5, 0

    ProductVersion : 0, 5, 5, 0

    ProductName : QuickSet Application

    FileDescription : QuickSet MFC Application

    InternalName : direct

    LegalCopyright : Copyright © 2001

    OriginalFilename : direct.EXE

     

    #:24 [mptft.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1452

    ThreadCreationTime : 5-17-2006 4:27:45 PM

    BasePriority : Normal

     

     

    #:25 [ctfmon.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1528

    ThreadCreationTime : 5-17-2006 4:27:45 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : CTF Loader

    InternalName : CTFMON

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : CTFMON.EXE

     

    #:26 [ssec.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1736

    ThreadCreationTime : 5-17-2006 4:27:46 PM

    BasePriority : Normal

     

     

    #:27 [tfthot.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 1752

    ThreadCreationTime : 5-17-2006 4:27:47 PM

    BasePriority : Normal

    FileVersion : 1, 4, 0, 0

    ProductVersion : 1, 4, 0, 0

    LegalCopyright : Copyright © 2005

     

    #:28 [apntex.exe]

    FilePath : C:\Program Files\Apoint\

    ProcessID : 1884

    ThreadCreationTime : 5-17-2006 4:27:47 PM

    BasePriority : Normal

    FileVersion : 5.5.1.19

    ProductVersion : 5.5.1.19

    ProductName : Alps Pointing-device Driver for Windows NT/2000/XP

    CompanyName : Alps Electric Co., Ltd.

    FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP

    InternalName : Alps Pointing-device Driver for Windows NT/2000/XP

    LegalCopyright : Copyright © 1998-2004 Alps Electric Co., Ltd.

    OriginalFilename : ApntEx.exe

     

    #:29 [msnmsgr.exe]

    FilePath : C:\Program Files\MSN Messenger\

    ProcessID : 1928

    ThreadCreationTime : 5-17-2006 4:27:48 PM

    BasePriority : Normal

    FileVersion : 7.5.0324

    ProductVersion : 7.5.0324

    ProductName : MSN Messenger

    CompanyName : Microsoft Corporation

    FileDescription : MSN Messenger

    InternalName : msnmsgr

    LegalCopyright : Copyright © Microsoft Corporation 1997-2004

    LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

    OriginalFilename : msnmsgr.exe

     

    #:30 [cvpnd.exe]

    FilePath : C:\Program Files\Cisco Systems\VPN Client\

    ProcessID : 360

    ThreadCreationTime : 5-17-2006 4:27:50 PM

    BasePriority : Normal

    FileVersion : 4.0.3 (D)

    ProductVersion : 4.0.3 (D)

    ProductName : Cisco Systems VPN Client

    CompanyName : Cisco Systems, Inc.

    FileDescription : Cisco Systems VPN Client

    InternalName : cvpnd

    LegalCopyright : Copyright © 1998-2003 Cisco Systems, Inc.

    OriginalFilename : CVPND.EXE

     

    #:31 [defwatch.exe]

    FilePath : C:\Program Files\Symantec AntiVirus\

    ProcessID : 504

    ThreadCreationTime : 5-17-2006 4:27:52 PM

    BasePriority : Normal

    FileVersion : 10.0.0.359

    ProductVersion : 10.0.0.359

    ProductName : Symantec AntiVirus

    CompanyName : Symantec Corporation

    FileDescription : Virus Definition Daemon

    InternalName : DefWatch

    LegalCopyright : Copyright 1998 - 2005 Symantec Corporation. All rights reserved.

    OriginalFilename : DefWatch.exe

     

    #:32 [ehrecvr.exe]

    FilePath : C:\WINDOWS\eHome\

    ProcessID : 520

    ThreadCreationTime : 5-17-2006 4:27:52 PM

    BasePriority : Above Normal

    FileVersion : 5.1.2715.2773 (xpsp(wmbla).051011-0745)

    ProductVersion : 5.1.2715.2773

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Media Center Receiver Service

    InternalName : ehRecvr

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : ehRecvr.exe

     

    #:33 [ehsched.exe]

    FilePath : C:\WINDOWS\eHome\

    ProcessID : 532

    ThreadCreationTime : 5-17-2006 4:27:53 PM

    BasePriority : Normal

    FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)

    ProductVersion : 5.1.2710.2732

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Media Center Scheduler Service

    InternalName : ehSched

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : ehSched.exe

     

    #:34 [mdm.exe]

    FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\

    ProcessID : 1680

    ThreadCreationTime : 5-17-2006 4:27:53 PM

    BasePriority : Normal

    FileVersion : 7.00.9466

    ProductVersion : 7.00.9466

    ProductName : Microsoft® Visual Studio .NET

    CompanyName : Microsoft Corporation

    FileDescription : Machine Debug Manager

    InternalName : mdm.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : mdm.exe

     

    #:35 [nicconfigsvc.exe]

    FilePath : C:\Program Files\Dell\NICCONFIGSVC\

    ProcessID : 880

    ThreadCreationTime : 5-17-2006 4:27:54 PM

    BasePriority : Normal

    FileVersion : 1, 0, 0, 1

    ProductVersion : 1, 0, 0, 1

    ProductName : NicConfigSvc

    CompanyName : Dell Inc.

    FileDescription : Internal Network Card Power Management Service

    InternalName : TestMFCAppWiz

    LegalCopyright : Copyright © 2004 Dell Inc.

    OriginalFilename : NicConfigSvc.EXE

     

    #:36 [ymsgr_tray.exe]

    FilePath : C:\PROGRA~1\Yahoo!\MESSEN~1\

    ProcessID : 2176

    ThreadCreationTime : 5-17-2006 4:27:55 PM

    BasePriority : Normal

     

     

    #:37 [regsrvc.exe]

    FilePath : C:\Program Files\Intel\Wireless\Bin\

    ProcessID : 2368

    ThreadCreationTime : 5-17-2006 4:27:57 PM

    BasePriority : Normal

    FileVersion : 9, 0, 1, 10

    ProductVersion : 9, 0, 0, 0

    ProductName : RegSrvc Module

    CompanyName : Intel Corporation

    FileDescription : RegSrvc Module

    InternalName : RegSrvc

    LegalCopyright : Copyright © Intel Corporation 1999-2004

    OriginalFilename : RegSrvc.EXE

    Comments : Registry Interface for Intel Wireless Products

     

    #:38 [rtvscan.exe]

    FilePath : C:\Program Files\Symantec AntiVirus\

    ProcessID : 2568

    ThreadCreationTime : 5-17-2006 4:27:57 PM

    BasePriority : Normal

    FileVersion : 10.0.0.359

    ProductVersion : 10.0.0.359

    ProductName : Symantec AntiVirus

    CompanyName : Symantec Corporation

    FileDescription : Symantec AntiVirus

    LegalCopyright : Copyright 1991 - 2005 Symantec Corporation. All rights reserved.

     

    #:39 [wmiapsrv.exe]

    FilePath : C:\WINDOWS\

    ProcessID : 2648

    ThreadCreationTime : 5-17-2006 4:27:57 PM

    BasePriority : Normal

     

     

    #:40 [dllhost.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 3716

    ThreadCreationTime : 5-17-2006 4:28:03 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : COM Surrogate

    InternalName : dllhost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : dllhost.exe

     

    #:41 [svchost.exe]

    FilePath : C:\WINDOWS\System32\

    ProcessID : 3144

    ThreadCreationTime : 5-17-2006 4:28:19 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe

     

    #:42 [iexplore.exe]

    FilePath : C:\Program Files\Internet Explorer\

    ProcessID : 1352

    ThreadCreationTime : 5-17-2006 4:32:55 PM

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Internet Explorer

    InternalName : iexplore

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : IEXPLORE.EXE

     

    #:43 [bfu.exe]

    FilePath : C:\BFU\

    ProcessID : 3848

    ThreadCreationTime : 5-17-2006 4:34:50 PM

    BasePriority : Normal

    FileVersion : 1.00.0009

    ProductVersion : 1.00.0009

    ProductName : BFU

    CompanyName : Soeperman Enterprises Ltd.

    FileDescription : BFU - Brute Force Uninstaller

    InternalName : BFU

    LegalCopyright : Freeware

    OriginalFilename : BFU.exe

     

    #:44 [notepad.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 308

    ThreadCreationTime : 5-17-2006 4:40:52 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Notepad

    InternalName : Notepad

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : NOTEPAD.EXE

     

    #:45 [rundll32.exe]

    FilePath : C:\WINDOWS\system32\

    ProcessID : 3392

    ThreadCreationTime : 5-17-2006 4:54:44 PM

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Run a DLL as an App

    InternalName : rundll

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : RUNDLL.EXE

     

    Adware.Look2Me Object Recognized!

    Type : Process

    Data : guard.tmp

    TAC Rating : 7

    Category : Adware

    Comment : iieshare.dll.dmp

    Object : C:\WINDOWS\system32\

     

     

    Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\guard.tmp)

     

    "C:\WINDOWS\system32\rundll32.exe"Process terminated successfully

     

    #:46 [explorer.exe]

    FilePath : C:\WINDOWS\

    ProcessID : 1776

    ThreadCreationTime : 5-17-2006 4:56:03 PM

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Windows Explorer

    InternalName : explorer

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : EXPLORER.EXE

     

    Adware.Look2Me Object Recognized!

    Type : Process

    Data : ivsetup.dll

    TAC Rating : 7

    Category : Adware

    Comment : iieshare.dll.dmp

    Object : C:\WINDOWS\system32\

     

     

    Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\ivsetup.dll)

     

     

    #:47 [ad-aware.exe]

    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

    ProcessID : 3204

    ThreadCreationTime : 5-17-2006 5:12:20 PM

    BasePriority : Normal

    FileVersion : 6.2.0.236

    ProductVersion : SE 106

    ProductName : Lavasoft Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Aware SE Core application

    InternalName : Ad-Aware.exe

    LegalCopyright : Copyright © Lavasoft AB Sweden

    OriginalFilename : Ad-Aware.exe

    Comments : All Rights Reserved

     

    Memory scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 3

     

     

    Started registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    ABetterInternet.Nail Object Recognized!

    Type : RegData

    Data : explorer.exe, c:\windows\system32\frwdx.exe

    TAC Rating : 5

    Category : Malware

    Comment :

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows nt\currentversion\winlogon

    Value : Shell

    Data : explorer.exe, c:\windows\system32\frwdx.exe

     

    Windows Object Recognized!

    Type : RegData

    Data : explorer.exe, c:\windows\system32\frwdx.exe

    TAC Rating : 3

    Category : Vulnerability

    Comment :

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows nt\currentversion\winlogon

    Value : Shell

    Data : explorer.exe, c:\windows\system32\frwdx.exe

     

    Registry Scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 2

    Objects found so far: 5

     

     

    Started deep registry scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Deep registry scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 5

     

     

    Started Tracking Cookie scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

     

    Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : bill breault@hitbox[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:2

    Value : Cookie:bill breault@hitbox.com/

    Expires : 5/17/2007 12:43:42 PM

    LastSync : Hits:2

    UseCount : 0

    Hits : 2

     

    Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : bill breault@ehg-pcsecurityshield.hitbox[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:1

    Value : Cookie:bill breault@ehg-pcsecurityshield.hitbox.com/

    Expires : 5/17/2007 12:43:42 PM

    LastSync : Hits:1

    UseCount : 0

    Hits : 1

     

    Tracking cookie scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 2

    Objects found so far: 7

     

     

     

    Deep scanning and examining files (C:)

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : bill breault@ehg-pcsecurityshield.hitbox[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment :

    Value : C:\Documents and Settings\Bill Breault\Local Settings\Temp\Cookies\bill breault@ehg-pcsecurityshield.hitbox[1].txt

     

    Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : bill breault@hitbox[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment :

    Value : C:\Documents and Settings\Bill Breault\Local Settings\Temp\Cookies\bill breault@hitbox[2].txt

     

    Win32.Trojan.Downloader Object Recognized!

    Type : File

    Data : A0025899.exe

    TAC Rating : 10

    Category : Malware

    Comment :

    Object : C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\

     

     

     

    Disk Scan Result for C:\

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 0

    Objects found so far: 10

     

     

    Scanning Hosts file......

    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Hosts file scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    1 entries scanned.

    New critical objects:0

    Objects found so far: 10

     

     

     

     

    Performing conditional scans...

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

     

    Win32.Trojan.Downloader Object Recognized!

    Type : File

    Data : guard.tmp

    TAC Rating : 10

    Category : Malware

    Comment :

    Object : C:\WINDOWS\system32\

     

     

     

    Conditional scan result:

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    New critical objects: 1

    Objects found so far: 11

     

    1:24:25 PM Scan Complete

     

    Summary Of This Scan

    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Total scanning time:00:11:54.547

    Objects scanned:153028

    Objects identified:8

    Objects ignored:0

    New critical objects:8

     

    Logfile of HijackThis v1.99.1

    Scan saved at 1:30:58 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\WINDOWS\system32\mptft.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\system32\ssec.exe

    C:\WINDOWS\system32\tfthot.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\WINDOWS\explorer.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\en4ul1h91.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Customer

    **L2m-Destroyer Log**

     

     

    Look2Me-Destroyer V1.0.12

     

    Scanning for infected files.....

    Scan started at 5/17/2006 2:19:07 PM

     

    Infected! C:\WINDOWS\system32\m2640cjqefoe0.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024773.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024793.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024839.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024846.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025866.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025893.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025901.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025918.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025927.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025937.dll

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0026941.dll

    Infected! C:\WINDOWS\system32\dbound3d.dll

    Infected! C:\WINDOWS\system32\h2n00c5mef.dll

    Infected! C:\WINDOWS\system32\ivsetup.dll

    Infected! C:\WINDOWS\system32\m2640cjqefoe0.dll

    Infected! C:\WINDOWS\system32\tupelib.dll

     

    Attempting to delete infected files...

     

    Attempting to delete: C:\WINDOWS\system32\m2640cjqefoe0.dll

    C:\WINDOWS\system32\m2640cjqefoe0.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024773.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024773.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024793.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024793.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024839.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024839.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024846.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0024846.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025866.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025866.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025893.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025893.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025901.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025901.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025918.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025918.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025927.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025927.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025937.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0025937.dll Deleted successfully!

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0026941.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP81\A0026941.dll Deleted successfully!

     

    Attempting to delete: C:\WINDOWS\system32\dbound3d.dll

    C:\WINDOWS\system32\dbound3d.dll Deleted successfully!

     

    Attempting to delete: C:\WINDOWS\system32\h2n00c5mef.dll

    C:\WINDOWS\system32\h2n00c5mef.dll Deleted successfully!

     

    Attempting to delete: C:\WINDOWS\system32\ivsetup.dll

    C:\WINDOWS\system32\ivsetup.dll Deleted successfully!

     

    Attempting to delete: C:\WINDOWS\system32\m2640cjqefoe0.dll

    C:\WINDOWS\system32\m2640cjqefoe0.dll Deleted successfully!

     

    Attempting to delete: C:\WINDOWS\system32\tupelib.dll

    C:\WINDOWS\system32\tupelib.dll Deleted successfully!

     

    Making registry repairs.

     

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D7B4788E-35BE-4ACB-BDF4-06C9CA3BC7E6}"

    HKCR\Clsid\{D7B4788E-35BE-4ACB-BDF4-06C9CA3BC7E6}

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23D0C599-A085-461E-BBCF-499719414341}"

    HKCR\Clsid\{23D0C599-A085-461E-BBCF-499719414341}

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{17C363C1-0349-4428-8E3F-EA5BBF8A0C5B}"

    HKCR\Clsid\{17C363C1-0349-4428-8E3F-EA5BBF8A0C5B}

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5F5A4DC1-25E7-4C75-8B24-3C41349D0C2A}"

    HKCR\Clsid\{5F5A4DC1-25E7-4C75-8B24-3C41349D0C2A}

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{97AC5C5E-27BA-477D-B97E-25CAB3E65315}"

    HKCR\Clsid\{97AC5C5E-27BA-477D-B97E-25CAB3E65315}

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B220965F-16C2-4E56-B4E0-74E884703820}"

    HKCR\Clsid\{B220965F-16C2-4E56-B4E0-74E884703820}

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DD018A6C-115F-4CEC-BCF0-A03DC41A66DC}"

    HKCR\Clsid\{DD018A6C-115F-4CEC-BCF0-A03DC41A66DC}

     

    Restoring Windows certificates.

     

    Replaced hosts file with default windows hosts file

     

     

    Restoring SeDebugPrivilege for Administrators - Succeeded

     

     

    **hijack this**

     

    Logfile of HijackThis v1.99.1

    Scan saved at 2:25:55 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\WINDOWS\system32\mptft.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\WINDOWS\system32\ssec.exe

    C:\WINDOWS\system32\tfthot.exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Support

    Getting there. It's looking a lot better. Down to just a couple of items that will need a special tool

     

    First, could you please go here:

    http://www.lavasoftsupport.com/index.php?showtopic=51

     

    Submit this file please:

    C:\WINDOWS\system32\mptft.exe

     

    And include this URL in the description:

    http://www.lavasoftsupport.com/index.php?showtopic=566

     

    Thanks!

    .................

    Next, Please download Look2Me-Destroyer.exe to your desktop.

    • Close all windows before continuing.

    • Double-click Look2Me-Destroyer.exe to run it.

    • Put a check next to Run this program as a task.

    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK

    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.

    • Once it's done scanning, click the Remove L2M button.

    • You will receive a Done Scanning message, click OK.

    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.

    • Your computer will then shutdown.

    • Turn your computer back on.

    • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.

    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    0
  • Customer

    ok i posted it on there just as you said. the computer is already running A LOT better, so thank you.

    0
  • Support

    Good job! So much for Look2me.

     

    We're down to some mystery files and I need to find out what they are and if they belong on your system.

     

    Go here to upload the files as attachments

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    Just press new topic (Make the subject: For CalamityJane from BillBreault at LS),

    fill in a short message & then press the browse button and then navigate to & select these files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press Post to upload the files

     

    C:\WINDOWS\system32\mptft.exe

     

    C:\WINDOWS\system32\ssec.exe

     

    C:\WINDOWS\system32\tfthot.exe

     

    (Do not post HJT logs here as they will not get dealt with)

     

    You DO NOT need to be a member to upload, anybody can upload the files

     

    You will not see the files that have been uploaded as they only show to the authorised users who can download them. I will be able to collect from there and get them examined.

    0
  • Customer

    ok, this one is after i ran killbox. i may have misread, but i did not see what u wanted me to do with the mrfindalot entries.

     

    Logfile of HijackThis v1.99.1

    Scan saved at 4:04:31 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Support

    Thank you very much. I'll get them submitted around to all the vendors for detection.

     

    Found out another researcher yesterday got copies of these and it's a hijacker to Mrfindalot. Hopefully we'll be able to get rid of it easily.

     

    Please do a scan only with HijackThis and checkmark these entry in the list:

     

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

     

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

     

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

     

     

    Please download the Killbox by Option^Explicit.

    http://www.geekstogo.com/modules.php?modid...n=download&id=4

     

    * Save it to your desktop.

     

    * Run Killbox.exe.

     

    * Select "Delete on Reboot".

     

    * Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

     

    C:\WINDOWS\system32\mptft.exe

    C:\WINDOWS\system32\ssec.exe

    C:\WINDOWS\system32\tfthot.exe

     

    * Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

     

    * Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

     

    After the reboot, please scan with HijackThis and post a fresh log please

    0
  • Customer

    Logfile of HijackThis v1.99.1

    Scan saved at 4:29:55 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Support

    Yes, was in my instruction :angry: I'll list it again (Oh I see, I forgot to put to press the *fix checked* button after checkmarking the items):

     

    Please do a *scan only* with HijackThis and checkmark each these entries in the list, then press the *fix checked* button:

     

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

     

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

     

    O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

     

    Please reboot your computer.

     

    After reboot scan once more and post a fresh HijackThis log.

    0
  • Customer

    when i restarted the computer it seemed to have reset itself into my system, here is the hijack this entry. also, i found a folder marked "backup" in my administrator folder, should i delete that??

     

    Logfile of HijackThis v1.99.1

    Scan saved at 6:31:30 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\ehome\mcrdsvc.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\PROGRA~1\AIM\aim.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\Program Files\Apoint\Apntex.exe

    c:\defender20.exe

    C:\WINDOWS\system32\CROSOF~1\spool32.exe

    C:\Program Files\Network Monitor\netmon.exe

    C:\WINDOWS\QmlsbCBCcmVhdWx0\command.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\oigyxe.exe

    C:\WINDOWS\system32\frwdx.exe

    C:\WINDOWS\system32\frwdx.exe

    C:\WINDOWS\system32\frwdx.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    C:\Program Files\webHancer\Programs\whagent.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\rundll32.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\frwdx.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qnehijt.exe

    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [defender] c:\\defender20.exe

    O4 - HKLM\..\Run: [keyboard] c:\\keyboard20.exe

    O4 - HKLM\..\Run: [newname] c:\\newname20.exe

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

    O4 - HKLM\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O4 - HKLM\..\Run: [oakqxc] C:\WINDOWS\system32\oigyxe.exe reg_run

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [surfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O4 - Global Startup: hprae.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - AppInit_DLLs: repairs303169587.dll

    O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\rcaenh.dll

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmlsbCBCcmVhdWx0\command.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Support

    Hooray! You got it!! :angry:

     

    Some final things we need to do

     

    1. Run the Windows disk cleanup utility.

    Go to Start > Run and type in the box: cleanmgr

    Wait while Windows scans your system

    When finished it will present a list. Make sure these 3 are checkmarked and press *ok* to delete them:

     

    Temporary Files

     

    Temporary Internet Files

     

    Recycle bin

     

    (you should do this for each user on the PC)

     

    2. Remove your OLD vulnerable versions of Sun Java.

    Important Note: Possible Vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections

    Check your installed Sun Java versions

    We have noticed a large number of Winfixer/ Vundo / Virutmonde Victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed

    Please see this topic:

    http://www.dslreports.com/forum/remark,14738046

     

    Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program.

    Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.

     

    To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:

    http://www.java.com/en/download/windows_automatic.jsp

     

    You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software

     

    Or you can get the manual download here:

    http://www.java.com/en/download/manual.jsp

     

    3. Regularly clear out your Sun Java cache:

    Virus found in the Javaâ„¢ Runtime Environment, Standard Edition (JRE) cache directory

    http://java.com/en/download/help/cache_virus.jsp

     

    Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

     

    1. From the Start button, click Settings > Control Panel

    2. In the Control Panel, open the "Java Plug-in Control Panel"

    3. Select the Cache Tab

    4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

    .................

    For Later versions of java

     

    In the Control Panel, select the Java icon (looks like a coffee cup).

     

    Under the General tab at the bottom your will see a section: "Temporary Internet files"

     

    choose *delete files* and then *ok*.

    ...............................................

     

    4. Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

     

    One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

     

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

     

    (winXP)

     

    1. Turn off System Restore.

    Go to Start > Run, click on *My Computer*.

    Click Properties.

    Click the System Restore tab.

    Check Turn off System Restore.

    Click Apply, and then click OK.

     

    2. Reboot.

     

    3. Turn ON System Restore.

    Go to Start > Run, click on *My Computer*.

    Click Properties.

    Click the System Restore tab.

    UN-Check *Turn off System Restore*.

    Click Apply, and then click OK.

     

    How to Turn On and Turn Off System Restore in Windows XP

    http://support.microsoft.com/default.aspx?...kb;en-us;310405

     

    Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help .

    How do I prevent Browser Hijacks and Spyware?

    http://www.dslreports.com/faq/13620

     

    I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE

    Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

    Windows Update

    http://update.microsoft.com/microsoftupdate/

     

    And see this link for instructions on how to configure the enhanced security features in SP2:

    http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

     

    I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

     

    MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:

    Microsoft Baseline Security Analyzer

    http://www.microsoft.com/technet/security/...s/mbsahome.mspx

    Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

    0
  • Support

    :angry: It looks like you might have gotten into system restore and reset your computer with a prior restore point instead of simply turning it (system restore) off and then back on again.

     

    Go to Start

    All Programs

    Accessories

    System tools

    System restore.

     

    Do you see an option to "UNDO RESTORE"? If so please choose that option. and undo the restore.

     

    If that is not an option, what options do you see and is there a calendar with dates?

    0
  • Support

    I believe that is the backup folder for HijackThis. I'm not worried about that.

     

    I am concerned on how you got all of this infection back again. Is there anything you did inbetween the steps I posted? Did you visit a website or download a file or were you taken to a website you didn't recognize. Anything?

     

    Those are all different infections and adware that all don't just regenerate at once. :angry:

    0
  • Customer

    The only options i get when i go into the system restore are to restore computer to previous date and to go into the settings, and nothing is in the settings about undoing. i am thinking i am going to have to try the whole process again. like i said,however. i am concerned about that folder marked "backup" that appeared on teh desktop when i am in safe mode. when i go into the restoration there is a calendar with dates, and the only bolded date is today's. I did as you said as far as the system restore, and it seemed to have been working, but i am assuming that there was a file somewhere in the AIM folder that reset itself, despite the fact that i had re-installed it.

    0
  • Support

    Oh boy! Must be something wrong with that AIM then. I would get rid of that and any folders or files left behind by it.

     

    We will need to start all over

    0
  • Customer

    I had installed an older version of AIM and there were pop ups that could no be controlled and the AIM installer was already on the computer. That is all the happened after I had finished off the steps.

    0
  • Customer

    well it was one of those AIM viruses that started this whole thing. but i got rid of all of those and have retraced my steps up to killbox. i just wanted to put up a logfile from hijack this to get your input. also i noticed a bunch of files in my C: drive. "bootdl" "loaderboot"(they are MS-DOS files), "Installer" "NNSCAA638" and "trelew"(all .exe files). also there is a batch file called mfix. should i delete those manually or is there a special way to get rid of them?? anyway here is teh hijack log

     

    Logfile of HijackThis v1.99.1

    Scan saved at 9:26:42 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\frwdx.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qnehijt.exe

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\lyimg11n.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

    0
  • Customer

    Logfile of HijackThis v1.99.1

    Scan saved at 10:16:31 PM, on 5/17/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    c:\defender20.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\webHancer\Programs\whagent.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\NOTEPAD.EXE

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\frwdx.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qnehijt.exe

    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [defender] c:\\defender20.exe

    O4 - HKLM\..\Run: [keyboard] c:\\keyboard20.exe

    O4 - HKLM\..\Run: [newname] c:\\newname20.exe

    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\lyimg11n.dll (file missing)

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

     

     

     

    Look2Me-Destroyer V1.0.12

     

    Scanning for infected files.....

    Scan started at 5/17/2006 10:03:09 PM

     

    Infected! C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0003038.dll

    Infected! C:\WINDOWS\system32\lyimg11n.dll

     

    Attempting to delete infected files...

     

    Attempting to delete: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0003038.dll

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0003038.dll Deleted successfully!

     

    Attempting to delete: C:\WINDOWS\system32\lyimg11n.dll

    C:\WINDOWS\system32\lyimg11n.dll Deleted successfully!

     

    Making registry repairs.

     

     

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C65FC0FD-870E-4FD3-B5FF-42A5ECC3C66E}"

    HKCR\Clsid\{C65FC0FD-870E-4FD3-B5FF-42A5ECC3C66E}

     

    Restoring Windows certificates.

     

    Replaced hosts file with default windows hosts file

     

     

    Restoring SeDebugPrivilege for Administrators - Succeeded

     

     

    there are both logs u needed. it is ok if you dont worry about it til morning, i am more concerned about getting all of this malware off than a time frame. before coming to the LS forums i did a walkthrough on how to get rid of the AIM viruses, and it told me to manually delete the suspicious files that i found in the C: drive, and i am wondering if those are what brought the problem back.

    0
  • Support

    Hold up. Don't do killbox on the old instruction. We have different files to deal with from this point forward.

     

    And I need to see logs inbetween.

     

    Please download Look2Me-Destroyer.exe to your desktop.

    • Close all windows before continuing.

    • Double-click Look2Me-Destroyer.exe to run it.

    • Put a check next to Run this program as a task.

    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK

    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.

    • Once it's done scanning, click the Remove L2M button.

    • You will receive a Done Scanning message, click OK.

    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.

    • Your computer will then shutdown.

    • Turn your computer back on.

    • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.

    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

     

     

    Also, did you run a full system scan of Adaware?

     

    I'm getting pretty low on steam for tonight. Not sure how much longer I'll be online - but I'll pick it up in the morning, if I disappear (due to exhaustion). I'm a volunteer - I don't work for Lavasoft or get paid for this, so I have to call it a night sometime

    0
  • Support

    i did a walkthrough on how to get rid of the AIM viruses, and it told me to manually delete the suspicious files that i found in the C: drive, and i am wondering if those are what brought the problem back.
    What instruction were you following? Without any knowledge of what you were told to "walk through" I have no idea.

     

    This AIM virus is a downloader trojan and it downloads adware/spyware bundles of unwanted programs onto your computer.

     

    Go to your Control Panel and Find the following in the list of Add/Remove Programs

     

    Webhancer

     

    Highlight it and choose *Remove* or uninstall.

    .........................................................

    Next, you should already have the BFU and scriptfile on your computer from the last time.

     

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

     

    In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu

    Press execute and let it do it’s job.

     

    Wait for the complete script execution box to pop up and press OK.

     

    click "save"

     

    IN "filename" enter log.txt

     

    click exit to exit the BFU program.

     

    Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder

    0
  • Customer

    well the "walk through" was from AOL. this is the page that i was using http://www.aim.com/help_faq/security/trojan.adp

     

    BFU v1.00.9

    Windows XP SP2 (WinNT 5.01.2600 SP2)

    Script started at 3:20:05 PM, on 5/18/2006

     

    Option Unload Explorer: Yes

    Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

    Failed: ServiceStop Network Monitor (service not found)

    Failed: ServiceStop cmdService (service not found)

    Failed: ServiceDisable Network Monitor (service not found)

    Failed: ServiceDisable cmdService (service not found)

    Failed: ServiceDelete Network Monitor (service not found)

    Failed: ServiceDelete cmdService (service not found)

    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)

    Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)

    Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

    Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

    Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)

    Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)

    Option pause between commands: 300 ms

    Option pause between commands: 50 ms

    Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

    Failed: FolderDelete C:\Program Files\winupdates (folder not found)

    Failed: FolderDelete C:\Program Files\winupdate (folder not found)

    Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

    Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

    Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

    Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

    Failed: FolderDelete C:\Program Files\outlook (folder not found)

    Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

    Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

    Failed: FileDelete C:\DOCUME~1\BILLBR~1\LOCALS~1\Temp\~DFB5DB.tmp (operation failed)

    Failed: FolderDelete C:\Documents and Settings\Bill Breault\Local Settings\Temporary Internet Files\Content.IE5\37TPTTDQ (operation failed)

    Failed: FolderDelete C:\Documents and Settings\Bill Breault\Local Settings\Temporary Internet Files\Content.IE5\6POJ2LMX (operation failed)

    Failed: FolderDelete C:\Documents and Settings\Bill Breault\Local Settings\Temporary Internet Files\Content.IE5\UQ61HDS2 (operation failed)

    Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

    Failed: FolderDelete C:\Program Files\DNS (folder not found)

    Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

    Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

    Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

    Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

    Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

    Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

    Failed: FolderDelete C:\Program Files\Update06 (folder not found)

    Failed: FolderDelete C:\Program Files\Update03 (folder not found)

    Failed: FolderDelete C:\Program Files\Update04 (folder not found)

    Failed: FolderDelete C:\Program Files\Update08 (folder not found)

    Failed: FolderDelete C:\Program Files\W-Update (folder not found)

    Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

    Failed: FolderDelete C:\Program Files\Cas (folder not found)

    Failed: FolderDelete C:\Program Files\CasStub (folder not found)

    Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

    Failed: FolderDelete C:\Program Files\ipwins (folder not found)

    Failed: FolderDelete C:\temp (folder not found)

    Failed: FolderCreate C:\bintheredunthat (folder already exists)

    Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

    Script completed.

    0
  • Support

    Great, and if you could post a fresh HijackThis log please.

    0
  • Customer

    Logfile of HijackThis v1.99.1

    Scan saved at 4:01:57 PM, on 5/18/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Symantec AntiVirus\DefWatch.exe

    C:\WINDOWS\eHome\ehRecvr.exe

    C:\WINDOWS\eHome\ehSched.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    C:\WINDOWS\wmiapsrv.exe

    C:\WINDOWS\system32\dllhost.exe

    C:\Program Files\Apoint\Apoint.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\PROGRA~1\SYMANT~1\VPTray.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    C:\Program Files\Apoint\Apntex.exe

    C:\Program Files\Dell\QuickSet\quickset.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\explorer.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [oakqxc] C:\WINDOWS\system32\oigyxe.exe reg_run

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [kwrsy] C:\WINDOWS\system32\oigyxe.exe reg_run

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\lyimg11n.dll (file missing)

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

     

     

    the computer is running significantly better again. its a lot more smooth. but those programs are still sitting in C:, arent installed or anything, theyre just concerning me

    0

Vous devez vous connecter pour laisser un commentaire.