Please help with Virus or spyware
chrisNo1
Newbie
9. July 2006 @ 23:36
I have been constantly getting popups ever since I downloaded a dodgy crack. First I tried Spybot Search & Destroy, which found a few adwares, but it didn't work, so now I have Webroot Spy Sweeper and it has stopped the popups. I don't think it has fixed my problem, though, because it brings up a message saying "The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com" every 30 seconds, and after a day or so my computer freezes up, and if I close Spy Sweeper I get my popups again.

Please help me.
Here is my HijackThis logfile. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 5:35:33 PM, on 10/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jtls0737e.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mtexcl40.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Senior Member
10. July 2006 @ 12:11
Hi chrisNo1,

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/

-> Open Ewido Anti-Spyware
-> Click the Update icon at the top of the window
-> Click the Start update button
-> Wait for the update to download and install
-> Quit the program; we'll use it later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip

-> Right-click the BFU folder on your desktop, and choose Extract All
-> Click Next
-> In the box to choose where to extract the files to,
-> Click Browse
-> Click on the + sign next to My Computer
-> Click on Local Disk ( C: ) or whatever your primary drive is
-> Click Make New Folder
-> Type in BFU
-> Click Next, and Uncheck the Show Extracted Files box and then click Finish.

Download this removal script (right-click, "Save target as") -> http://metallica.geekstogo.com/alcanshorty.bfu
and save it to the same folder where BFU was installed earlier (C:\BFU).

Do NOT use this yet!

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jtls0737e.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mtexcl40.dll (file missing)

Restart your computer into Safe Mode -> http://www.pchell.com/support/safemode.shtml

Press Start -> My Computer -> Go to folder C:\BFU

-> Run BFU by double-clicking BFU.exe
-> Type or copy/paste this to the "Scriptline to execute" -field: C:\BFU\alcanshorty.bfu
-> Click Execute and let it do its work (You should see a progressbar if you did this right)
-> Wait for the "Complete script execution" box and click OK.
-> Click Exit in order to quit BFU.

Run ATF Cleaner -> Check select all -> Press Empty selected

-> Open Ewido Anti-Spyware
-> Click the Scanner icon at the top of the window
-> Click the Settings tab then select Recommended Options and choose Quarantine
-> Click the Scan tab
-> Select Complete System Scan. The scanning begins.

-> When the scan has completed:
-> If infections were found you'll be prompted about what to do.
-> Please make sure that "Set all elements to" is set to Quarantine (in the bottom-left corner of the window)
-> Then press Apply all actions and answer yes to all if it asks about something
-> Click on the Save Scan Report button and save the scan to your Desktop.
-> Copy and paste the scan results into your next post

Restart your computer normally.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log

Well, there aren't any spammers like that after all -> tapir

http://www.virustorjunta.net/index.php
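The entries singled out for fixing in the reply above share a few tell-tale shapes: autorun executables sitting directly in the drive root (C:\\dfndrb_3.exe), an svchost look-alike living outside \WINDOWS\system32, Winlogon Notify DLLs with random-looking names or a "(file missing)" marker, and a service with an unknown owner and a missing binary. Those shapes can be checked mechanically. The Python script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool the helper names. The sample lines are constructed in the HijackThis v1.99.1 format shown in the log, the heuristics are my own (the "random name" test is deliberately crude and will produce false positives on legitimate DLLs with digits in their names), and the base64 decoding of the service's directory name is an enrichment I added for triage, not something HijackThis does.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample lines in HijackThis v1.99.1 format, same shape as the log in the thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\jtls0737e.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mtexcl40.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line parsers for the three HijackThis sections we triage (O4 autoruns, O20 Winlogon Notify, O23 services).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Heuristic patterns: an .exe directly under the drive root, the real system32 directory, a base64-looking path component.
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\\s]+\.exe$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}$")


@dataclass
class Finding:
    line: str
    reasons: list


def looks_random(basename):
    """Crude heuristic (assumption, not a rule): a DLL stem with two or more digits mixed in looks machine-generated."""
    stem = basename.rsplit(".", 1)[0]
    return sum(c.isdigit() for c in stem) >= 2


def decode_b64_component(path):
    """Return the decoded text of the first path component that is valid base64 of printable ASCII, else None."""
    for part in path.split("\\"):
        if not B64_RE.match(part):
            continue
        padded = part + "=" * (-len(part) % 4)  # HijackThis shows the name without '=' padding
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            return text
    return None


def triage(log_text):
    """Run the heuristics over every O4/O20/O23 line and return the lines worth a second look, with reasons."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if m := O4_RE.match(line):
            cmd = m.group("cmd").strip('"')
            if ROOT_EXE_RE.match(cmd):
                reasons.append("autorun executable sits directly in the drive root")
            if "svchost" in cmd.lower() and not SYSTEM32_RE.search(cmd):
                reasons.append("svchost-like name outside \\WINDOWS\\system32")
        elif m := O20_RE.match(line):
            base = m.group("path").rsplit("\\", 1)[-1]
            if m.group("missing"):
                reasons.append("Winlogon Notify DLL is missing on disk (leftover registration)")
            if looks_random(base):
                reasons.append("Winlogon Notify DLL has a random-looking name")
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner" and m.group("missing"):
                reasons.append("service with unknown owner and missing binary")
            decoded = decode_b64_component(m.group("path"))
            if decoded:
                reasons.append(f"path component is base64 for {decoded!r}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample the script flags six of the nine lines and leaves SoundMan, WgaLogon and the NVIDIA service alone; the Command Service's directory name decodes to "Chris & Kirby", which is the kind of detail that helps a helper link an odd service to the same infection as the other entries. Output from a script like this is a starting point for a human review of the log, not a list of things to delete unseen.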
chrisNo1
Newbie
10. July 2006 @ 23:18
OK, completed all tasks.


Logfile of HijackThis v1.99.1
Scan saved at 5:15:32 PM, on 11/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\p08qlal51dq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:08:20 PM 11/07/2006

+ Scan result:



C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\T33PJ5RO\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fp6003jme.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hrn6055se.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\k844lihq184e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lv4409hqe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1044] C:\WINDOWS\system32\skftpub.dll -> Adware.Look2Me : Error during cleaning.
[888] C:\WINDOWS\system32\skftpub.dll -> Adware.Look2Me : Error during cleaning.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KH0T6L2V\kybrdb_3[1].exe -> Backdoor.VB.ary : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\0Z0HEFWN\drsmartload46a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\92B5PI4M\drsmartload45a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\CXWHY34D\drsmartload849a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\NE03ZT0H\nwnmb_3[1].exe -> Downloader.Adload.cm : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MROBVODG\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4FM7O5YZ\dfndrb_3[1].exe -> Downloader.VB.afv : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\KH0T6L2V\drsmartload[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\UB49GV9V\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup (quarantined).
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\NE03ZT0H\!update-4020[1].0000 -> Trojan.PurityAd : Cleaned with backup (quarantined).


::Report end
Thank you
Senior Member
11. July 2006 @ 05:46
Hi chrisNo1

Download Look2Me-Destroyer -> http://www.atribune.org/ccount/click.php?id=7 and save it on desktop

IMPORTANT: Before continuing, you MUST do the following:

->Print this or save as a textfile
->Click start -> run -> services.msc -> ok
->Check that this service is running or that its startup type is Automatic:
Secondary logon
->Disconnect from internet (unplug your network cable)
->Close ALL antivirus programs (this is essential!)
->Close all windows before continuing.
->Double-click Look2Me-Destroyer.exe to run it.
->Put a check next to Run this program as a task.
->You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
->When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
->Once it's done scanning, click the Remove L2M button.
->You will receive a Done Scanning message, click OK.
->When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
->Your computer will then shutdown.
->Turn your computer back on.
->Please post the contents of C:\Look2Me-Destroyer.txt

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

So post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log here.

Then we'll continue the cleaning; you're not clean yet!

chrisNo1
Newbie
11. July 2006 @ 23:17
Thanks. How did we go? Am I clean yet?



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 12/07/2006 5:07:03 PM

Infected! C:\WINDOWS\system32\pkdrv.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP322\A0051560.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051642.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051646.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051660.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051664.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP325\A0052665.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052682.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052686.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052711.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053710.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053726.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053727.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053739.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053740.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053741.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053742.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053745.dll
Infected! C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053749.dll
Infected! C:\WINDOWS\system32\ktn6l75s1.dll
Infected! C:\WINDOWS\system32\p08qlal51dq.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\pkdrv.dll
C:\WINDOWS\system32\pkdrv.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP322\A0051560.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP322\A0051560.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051642.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051642.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051646.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051646.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051660.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051660.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051664.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP323\A0051664.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP325\A0052665.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP325\A0052665.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052682.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052682.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052686.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052686.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052711.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0052711.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053710.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053710.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053726.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053726.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053727.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053727.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053739.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053739.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053740.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053740.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053741.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053741.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053742.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053742.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053745.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053745.dll could not be deleted!

Attempting to delete: C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053749.dll
C:\System Volume Information\_restore{1C335876-FFB4-490E-8F36-BF671101113E}\RP326\A0053749.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\ktn6l75s1.dll
C:\WINDOWS\system32\ktn6l75s1.dll could not be deleted!

Attempting to delete: C:\WINDOWS\system32\p08qlal51dq.dll
C:\WINDOWS\system32\p08qlal51dq.dll could not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{80690C7F-950D-40AC-B07E-3D3A1097FF6D}"
HKCR\Clsid\{80690C7F-950D-40AC-B07E-3D3A1097FF6D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D93646EF-F5DD-4FF8-B834-A8236C6D5E4E}"
HKCR\Clsid\{D93646EF-F5DD-4FF8-B834-A8236C6D5E4E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 5:16:56 PM, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mininova.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{07654E6B-B9E4-4662-BC7A-94AB56A7C645}: Domain = vic.bigpond.net.au
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXMgJiBLaXJieQ\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Senior Member
12. July 2006 @ 07:09
No you are not. It won't go away with this tool.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Then, when the log has been posted, please report to a moderator and we will examine it to ensure it is suitable to use the remainder of the fix.


Well, there are no such spammers after all -> tapiiri

http://www.virustorjunta.net/index.php
chrisNo1
Newbie
13. July 2006 @ 00:54
Thanks so much for doing all this, I really appreciate it.


L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:0000001f
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sv1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}"="IZArc DragDrop Menu"
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"="IZArc Shell Context Menu"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"="PowerISO"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay Handler"
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Mon 3 Jul 2006 17:46:42 A.... 687,592 671.48 K
bassmod.dll Sun 11 Jun 2006 18:05:44 A.... 14,848 14.50 K
hp0023~1.dll Wed 12 Jul 2006 10:00:56 ..S.R 236,487 230.94 K
pkdrv.dll Tue 11 Jul 2006 17:10:56 ..... 236,487 230.94 K
ravpperf.dll Wed 12 Jul 2006 17:05:06 ..S.R 236,487 230.94 K

5 items found: 5 files (2 H/S), 0 directories.
Total of file sizes: 1,411,901 bytes 1.34 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1859-0C70

Directory of C:\WINDOWS\System32

13/07/2006 06:52 PM <DIR> ..
13/07/2006 06:52 PM <DIR> .
13/07/2006 09:33 AM <DIR> dllcache
12/07/2006 05:05 PM 236,487 ravpperf.dll
12/07/2006 10:00 AM 236,487 hp0023dmg.dll
19/03/2006 08:45 AM 32 {7D7B0656-012A-4FFD-88CF-703A6BE4E46C}.dat
12/03/2006 04:33 PM 1,004 KGyGaAvL.sys
09/01/2006 11:58 PM 56 33DAC8FEE2.sys
13/07/2005 04:03 PM <DIR> Microsoft
5 File(s) 474,066 bytes
4 Dir(s) 2,950,344,704 bytes free
Senior Member
14. July 2006 @ 06:58
Hi chrisNo1

Run l2mfix.bat and run option #2

Allow it to do everything it asks.

Boot comp.

Send a fresh HijackThis log and copy l2mfix's log here.


Well, there are no such spammers after all -> tapiiri

http://www.virustorjunta.net/index.php

This message has been edited since posting. Last time this message was edited on 15. July 2006 @ 14:22
